Several Prominent Twitter Accounts Hijacked in Cryptocurrency Scam
Joe Biden, Bill Gates, Barack Obama, Elon Musk Among Those Affected by Hacking
Several prominent business executives, politicians and celebrities, including former Vice President Joe Biden, former President Barack Obama, Tesla CEO Elon Musk and Microsoft's Bill Gates, had their verified Twitter accounts hijacked Wednesday in what appears to be a cryptocurrency scam, according to news reports and screen shots posted online.
Late on Wednesday, Twitter tweeted its preliminary assessment, saying it was likely "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." It also said the attackers "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
Although attackers have occasionally gained control of a single prominent Twitter account before, this attack was notable for the number of high-profile people and entities whose accounts were hijacked at once. The scale of the attack led computer security experts to suspect that the problem lay on Twitter's side rather than with the individual account holders.
For several hours Wednesday, verified accounts belonging to Biden, Gates, Musk, as well as the corporate accounts of Apple, Uber and others, posted messages to their followers about sending money to a certain blockchain address with the promise of doubling the amount in return, according to CNN and other news reports.
"I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000," according to the message posted on the verified Bill Gates Twitter account. Other well-known accounts posted similar messages Wednesday.
For several hours Wednesday, Twitter stopped certain verified accounts from tweeting as passwords were reset, according to a company statement. By the end of Wednesday, most of the issues had been resolved and the scam messages deleted, the social media company says.
Twitter also announced it has launched an investigation into what happened and how this scam became widespread among so many prominent and verified accounts.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
It's not clear who hijacked all of these accounts; however, it does seem that some of the messages succeeded in scamming people out of their money. Bleeping Computer reported that one blockchain address associated with the hijacking incidents appears to have collected 11 bitcoins, worth over $100,000, by the time the scam ended.
Security firm RiskIQ posted a list of some 400 suspicious domains that its researchers believe are connected to the infrastructure that the hackers used to compromise the accounts and create the blockchain addresses.
While Twitter provides its users with some security features, such as two-factor authentication, the company has witnessed some notable failures of its security protocols. In September 2019, the official Twitter account of CEO Jack Dorsey was hijacked for a short period and used to send out racist and profanity-laden messages (see: Hey Jack, How Was Your Account Hacked?).
Did Two-Factor Fail?
While verified Twitter accounts should have two-factor authentication enabled, this latest security incident seems to show that these high-profile users, or their social media teams, are not using this basic level of protection, says Chris Pierson, the CEO and founder of cybersecurity firm BlackCloak, which focuses on executive security.
"This appears to be poor planning and control mitigation for some really high-profile persons' accounts or unsecured access through ancillary applications. Either way, this could have been prevented," Pierson tells Information Security Media Group.
Pierson adds that these types of high-profile accounts need constant security attention because attackers change their methods frequently. This also helps protect followers who might be taken in by such scams.
"Securing their social media accounts is critical given their followers, risks for malware in phishing links, and really their reputation," Pierson says.
Insider Threat?
Brandon Hoffman, the CISO and head of security strategy at Netenrich, a security firm based in San Jose, California, says that while a failure to enable two-factor authentication may have played a role, it's also possible that a Twitter employee's credentials could have been compromised. This could then give attackers access through the social media company's internal IT network.
"In the end, I think we will find out that somehow credentials were stolen, either from an employee or from the account holders themselves through a variety of methods," Hoffman tells ISMG. "The credentials were probably offered for sale on the dark web in piecemeal form, and a cybercriminal with vision bought them for this campaign."
Kelvin Coleman, executive director at National Cybersecurity Alliance, also believes the security breach points to a Twitter employee whose credentials may have been compromised.
"While it's unclear what the source of the ongoing Twitter crypto scam attack is - the size and scale of an operation like this seem to potentially point to an employee's compromised credentials - it's very likely due to something as simple as falling victim to a phishing attack," Coleman says. "This then allowed a single bad actor or group broad access into these accounts from the inside."
Other security researchers, such as Troy Mursch of Bad Packets, put the blame squarely on Twitter and its security policies.
Rest assured, Twitter takes your account privacy and security very seriously.
— Bad Packets (@bad_packets) July 15, 2020
Over the years, Twitter has attempted to add more security for users, especially those with verified and high-profile accounts. In September 2019, the social media firm announced that it would no longer require a phone number for its two-factor authentication. This was intended to counter attacks such as SIM swapping, in which attackers take control of a target's phone number and then intercept any two-factor codes sent to it (see: Twitter No Longer Wants a Phone Number for 2FA).