On July 15th, 2020 a Twitter administration panel was compromised by hackers. With that access the attackers began taking over the accounts of some of the most prominent Twitter users in the world, including those belonging to Barack Obama, Joe Biden, Bill Gates, Jeff Bezos and even the Twitter Support account itself…
Using a common modus operandi for online 'scammers', the hackers posted from these accounts that anyone who sent Bitcoin to a specific wallet address would receive double the amount back. Tracking the wallets used by the hackers shows that over $100,000 was transferred, although it is unclear whether this money came from people falling for the scam or from the hackers themselves loading the wallet to make it appear legitimate. In addition to the Bitcoin scam, the accounts were also posting links to malicious websites, which have since been taken down.
The Bitcoin 'doubling' scam deployed in this attack is a long-standing tactic used by hackers against the cryptocurrency community. Whilst most crypto enthusiasts are aware of this fraud, it continues to be used regularly to trick less experienced Bitcoin holders or opportunists. However, this is the first time that accounts of such prominence have been compromised and used in the scam.
How did the hackers gain access?
There are several theories circulating amongst the online community as to how such a devastating hack could be deployed and succeed against the most prominent social media platform in the world. Whilst none of these theories has been substantiated, the fact remains that someone gained administrative access to Twitter's internal tooling, and that this access had to come either from a targeted attack on staff or from someone who already held it...
Current theories include:
1. That access to the administration account was obtained by hackers and then sold on the internet. Possibilities include a user known as 'Kirk', who has been active on the OGUsers forum and had, up until recently, been observed selling high-value Twitter handles.
2. That, once the administration access was obtained, the hackers sold access to an internal Twitter administration panel, offering other forum users the ability to reset account email addresses and take over control. Examples include a mysterious forum user known as 'Chaewon', who appeared to be sharing screenshots of a Twitter administration panel and was offering to change account email addresses.
3. That a Twitter employee with access was paid by the hackers to change the email addresses of popular accounts so that the hackers could then take control of them, a theory reported by the online publication Motherboard.
As ever, the internet is awash with theories, some plausible, others outrageous. But the core facts of this hack remain:
1. That at least one high-level administration account within the organisation was compromised, raising serious concerns over Twitter's ability to protect user accounts against rogue employees.
2. That the social media giant appears to give administrators within the company high levels of access to significant accounts without additional verification, which played into the hands of the hackers.
3. That it remains likely, though unconfirmed, that in addition to the accounts of individual Twitter users the hackers gained access to other parts of the platform's infrastructure.
4. That there remain serious questions over the motivations of the hackers, with the attempt to generate Bitcoin a crude exploitation of some very high-profile accounts.
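The second point above is a design failure that is easy to model: an internal support tool that lets a single administrator change the email address on any account, with no second pair of eyes, gives an attacker (or a bribed insider) everything they need. The following is an added illustration, not Twitter's code and not the tooling the forum screenshots showed, of the control a practitioner would expect around such an action: a two-person rule on a set of "protected" accounts, an audit line for every attempt, and a scan of constructed audit lines for the exact pattern the post describes (a successful email change on a protected account with no distinct approver). The handle names, administrator names and log format are all assumptions.

```python
"""Two-person control and audit for high-risk admin actions on protected accounts.

Added example, not Twitter's code. Models an internal support tool where
changing the e-mail address of a 'protected' handle requires a second,
distinct approver, and scans audit lines for changes that bypassed that rule.
All handles, admin names and the JSON log format are assumptions.
"""
import json
from dataclasses import dataclass, field

# Assumed registry of high-value handles that get the extra control.
PROTECTED = {"vipaccount", "bigbrand", "support"}


class ApprovalRequired(Exception):
    """Raised when an admin tries a protected-account change on their own."""


@dataclass
class AdminTool:
    """Toy internal support tool; only the e-mail change path is modelled."""
    accounts: dict                                  # handle -> current e-mail
    audit_log: list = field(default_factory=list)   # JSON lines, oldest first

    def change_email(self, actor, handle, new_email, approver=None):
        # Two-person rule: a protected handle needs an approver who is not the actor.
        if handle in PROTECTED and (approver is None or approver == actor):
            self._log(actor, handle, new_email, approver, "denied")
            raise ApprovalRequired(f"{handle} is protected; a second approver is required")
        self.accounts[handle] = new_email
        self._log(actor, handle, new_email, approver, "ok")

    def _log(self, actor, handle, new_email, approver, result):
        # Every attempt is recorded, including the denied ones.
        self.audit_log.append(json.dumps({
            "action": "change_email", "actor": actor, "handle": handle,
            "new_email": new_email, "approver": approver, "result": result,
        }))


def unapproved_protected_changes(log_lines, protected=PROTECTED):
    """Return (actor, handle) for every *successful* e-mail change on a protected
    handle that had no approver or was self-approved. This is the detection an
    auditor would run over the logs of a tool that lacked the rule above."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("action") != "change_email" or ev.get("result") != "ok":
            continue
        if ev["handle"] not in protected:
            continue
        approver = ev.get("approver")
        if approver is None or approver == ev["actor"]:
            hits.append((ev["actor"], ev["handle"]))
    return hits


# Constructed sample audit lines, as a tool *without* the two-person rule might
# write them. Line 2 is an unapproved change; line 3 is self-approved.
LEGACY_LOG = [
    json.dumps({"action": "change_email", "actor": "admin42", "handle": "someuser",
                "new_email": "me@example.net", "result": "ok"}),
    json.dumps({"action": "change_email", "actor": "admin42", "handle": "bigbrand",
                "new_email": "attacker@example.net", "result": "ok"}),
    json.dumps({"action": "change_email", "actor": "admin07", "handle": "support",
                "new_email": "ops@example.net", "approver": "admin07", "result": "ok"}),
]


def demo():
    """Exercise the gated tool; returns the protected account's final e-mail and
    the scanner's findings over the tool's own log (expected: none)."""
    tool = AdminTool(accounts={"someuser": "a@example.net", "bigbrand": "b@example.net"})
    tool.change_email("admin42", "someuser", "new@example.net")            # ordinary account: allowed
    try:
        tool.change_email("admin42", "bigbrand", "attacker@example.net")  # protected, no approver
    except ApprovalRequired:
        pass                                                              # denied, but logged
    tool.change_email("admin42", "bigbrand", "c@example.net", approver="lead09")  # approved
    return tool.accounts["bigbrand"], unapproved_protected_changes(tool.audit_log)


if __name__ == "__main__":
    print(demo())
    print(unapproved_protected_changes(LEGACY_LOG))
```

The scan deliberately treats a missing `approver` field and a self-approval the same way: both mean one person could move a high-value account on their own, which is the condition the attackers (or whoever sold them access) relied on.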
It will be of great interest to see whether this breach escalates over the coming days or whether Twitter has managed to contain it. Establishing when the breach occurred will be critical, since the hackers may have been 'inside' Twitter's systems for some time before this exploitation. If so, assessing the damage could take weeks or months. Other social platforms will have to review their security measures quickly, because many Twitter users are likely (unfortunately…) to use the same login details elsewhere, putting accounts on Instagram, Facebook, TikTok and so on at greater risk. If the intruders reached stored credentials as well as the admin tooling, do not be surprised to see a dump of breached accounts and passwords from Twitter turn up in the darker reaches of the internet in the next few weeks, ready for exploitation by unscrupulous hackers.
If you have a Twitter account, now is the time to review your login, check whether you reuse it on other accounts, change it and make sure that multi-factor authentication is enabled. Whilst this would not have prevented this attack, which bypassed user passwords entirely, it will stop a leaked password alone being enough to take over your account should a dump of usernames and passwords be released.
Lastly, you may wonder why the account of probably the most famous Twitter user in the world, one Donald Trump, was not compromised. Well, since a departing Twitter contractor deactivated the @realDonaldTrump account for a matter of minutes in November 2017, the social media giant has placed extra security controls around that account. So the Twitter account of the leader of the free world was saved from encouraging its followers to pay Bitcoin to an anonymous wallet on the internet, but it was a close call…