While the amount involved—just under Rs 1 crore—may not be huge, what captured the world’s imagination about Thursday’s Twitter hack was its extent, as well as the targeting of so many high-profile personalities. Over a period of a few hours (before the site managed to retrieve the accounts), Twitter profiles of the likes of US presidential candidate Joe Biden, former president Barack Obama and Amazon owner Jeff Bezos and those of companies like Apple and Uber, were hacked into in a concerted cryptocurrency scam.
With Twitter itself admitting that hackers used ‘social engineering tools’ to gain access, tech platforms like Check Point as well as Motherboard have pointed fingers at insiders at the US-based microblogging site. The question is whether they were directly party to the scam, or were unwittingly conned through cyber-attack modes like vishing, or voice phishing.
The attack happened when many high-profile accounts were ‘taken over’ with tweets that asked followers to contribute bitcoins to a link, with the sender being promised double the money back. Compromised accounts of large cryptocurrency exchanges and leaders in the cryptocurrency community additionally claimed to be partnering with a made-up organisation called ‘CryptoFor Health’. It was later revealed the website mentioned in the tweets of CryptoForHealth was registered on the same day of the attack. It claimed to help people suffering financial losses caused by the COVID-19 pandemic. Of course, the website, too, was asking for bitcoins to be sent to the same wallet address that appeared in the tweets.
Though the cyber attack was neutralised in a matter of hours, questions are now being raised on how exactly the hack panned out and whether Twitter employees were involved in the scam. A blog by Check Point, one of the global leaders in cyber security and released to media in India on Friday, looked at the various attack vectors.
One of the most common modes, particularly noticed during the lockdown, has been spear-phishing email attack, an email with an attachment or link with malware. “In both cases, it is often accompanied with some kind of social engineering in order to motivate the user into executing the (attachment), or to enter his credentials into a fraudulent phishing page,” notes a blog by Check Point Research. A possible attack vector includes voice phishing or vishing, a social engineering tactic where calls are made to gain the employees’ trust and then deceive them to take actions.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” according to an official announcement by Twitter. This offers another scenario, as hinted by the Vice tech platform Motherboard, where attackers had tacit support of certain Twitter staff who were paid to change the email addresses of the targeted accounts using a Twitter internal tool.
“Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing,” said Twitter on Thursday morning. The latest breach comes as only the latest, and probably not the last, in a series of security breaches at Twitter. The Twitter account of its CEO Jack Dorsey itself was compromised recently after his phone number was taken over in a SIM swap. In 2019, two Twitter employees were accused of helping Saudi Arabia to spy on dissidents living abroad.
While this week’s attack was short-lived and Twitter quickly managed to lock down and recover all the affected accounts, Check Point’s inspection of the bitcoin wallet address showed that attackers still managed to get away with 12.85 BTC and were already transferring the money to further bitcoin accounts to cash out. The amount is equivalent to $1,20,000 or around Rs 91 lakh, with one bit coin valued at around Rs 6.83 lakh.