That Twitter System Hack ... [2020-07-15]

BRiT

Ars has a decent write-up about that Twitter system hack that took place yesterday. Here's the introduction of that article, which you can read at https://arstechnica.com/information...internal-systems-to-bitcoin-scamming-hackers/

Twitter lost control of its internal systems to Bitcoin-scamming hackers
Celebrity account holders weren't the only targets. Late hacker Adrian Lamo was too.

The first signs of compromise occurred around 1 PM California time when hijacked accounts—belonging to Vice President Joe Biden, Elon Musk, Bill Gates, and other people with millions or tens of millions of followers—started pumping out messages that tried to scam people into transferring cryptocurrency to attacker-controlled wallets.

In a tweet issued about seven hours after the mass takeover spree began, Twitter officials said the attackers appeared to take control by tricking or otherwise convincing employees to hand over credentials.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the tweet said. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

Once Twitter learned of the takeovers, company personnel locked down the accounts and removed the tweets. Twitter’s tweet thread didn’t explain why Musk’s account posted fraudulent tweets after previous ones had been deleted.
 
Allegedly this was an inside job, where the hackers paid an insider to help them. https://www.vice.com/en_us/article/...r-access-panel-account-hacks-biden-uber-bezos

Hackers Convinced Twitter Employee to Help Them Hijack Accounts
After a wave of account takeovers, screenshots of an internal Twitter user administration tool are being shared in the hacking underground

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.

In all, four sources close to or inside the underground hacking community provided Motherboard with screenshots of the user tool. Two sources said the Twitter panel was also used to change ownership of some so-called OG accounts—accounts that have a handle consisting of only one or two characters—as well as facilitating the tweeting of the cryptocurrency scams from the high profile accounts.
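The Motherboard excerpt above describes takeovers carried out by changing the email address on accounts through an internal support tool, plus ownership transfers of one- or two-character "OG" handles. The following is an added detection example, not code from Twitter or from either article quoted here: it runs over a constructed audit log in an assumed format (the real tool's log format is not public) and flags an operator who performs those sensitive actions on many distinct accounts inside a short window, on high-profile accounts, or on OG handles. The field names, the thresholds and the high-profile watchlist are assumptions made for the illustration.

```python
"""Added example: bulk-change detection over an account-administration audit log.
The log format, field names, thresholds and high-profile list are assumptions
made for this illustration; the real Twitter tool and its logs are not public."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON object per line (assumed format).
# support_user_17 plays the compromised operator; support_user_03 does routine work.
SAMPLE_LOG = """\
{"ts":"2020-07-15T20:05:11Z","operator":"support_user_17","action":"update_email","target":"@binance","new":"rec1@attacker.example"}
{"ts":"2020-07-15T20:05:40Z","operator":"support_user_17","action":"update_email","target":"@elonmusk","new":"rec2@attacker.example"}
{"ts":"2020-07-15T20:06:02Z","operator":"support_user_17","action":"update_email","target":"@BillGates","new":"rec3@attacker.example"}
{"ts":"2020-07-15T20:06:30Z","operator":"support_user_17","action":"transfer_handle","target":"@6","new_owner":"user_b"}
{"ts":"2020-07-15T20:07:01Z","operator":"support_user_17","action":"update_email","target":"@JoeBiden","new":"rec4@attacker.example"}
{"ts":"2020-07-15T20:41:00Z","operator":"support_user_03","action":"update_email","target":"@some_customer","new":"b@example.com"}
{"ts":"2020-07-15T21:10:00Z","operator":"support_user_03","action":"reset_2fa","target":"@another_customer"}
"""

# Actions that hand control of an account to whoever holds the new contact details.
SENSITIVE_ACTIONS = {"update_email", "reset_2fa", "transfer_handle"}
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_TARGETS = 3   # assumed: routine support does not touch more than 3 accounts in 10 min
HIGH_PROFILE = {"@elonmusk", "@BillGates", "@JoeBiden", "@binance"}   # assumed watchlist


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_og_handle(handle):
    """'OG' handles per the Motherboard report: one or two characters."""
    return len(handle.lstrip("@")) <= 2


def find_suspicious_operators(events, high_profile=HIGH_PROFILE):
    """Return {operator: [reason, ...]} for operators whose sensitive actions
    look like a bulk takeover rather than routine support work."""
    per_op = defaultdict(list)
    for ev in events:
        if ev["action"] in SENSITIVE_ACTIONS:
            per_op[ev["operator"]].append(ev)

    findings = defaultdict(list)
    for op, evs in per_op.items():
        # Sliding window: distinct accounts touched within WINDOW of any event.
        for i, start in enumerate(evs):
            targets = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW}
            if len(targets) > MAX_DISTINCT_TARGETS:
                findings[op].append(
                    f"{len(targets)} distinct accounts modified within {WINDOW}")
                break
        # Any sensitive action on a watchlisted account, or a transfer of a
        # one- or two-character handle, is worth a ticket on its own.
        for e in evs:
            if e["target"] in high_profile:
                findings[op].append(f"{e['action']} on high-profile account {e['target']}")
            elif e["action"] == "transfer_handle" and is_og_handle(e["target"]):
                findings[op].append(f"ownership transfer of OG handle {e['target']}")
    return dict(findings)


def run(text=SAMPLE_LOG):
    """Parse the sample log and return the findings keyed by operator."""
    return find_suspicious_operators(parse_log(text))


if __name__ == "__main__":
    for op, reasons in run().items():
        print(op)
        for r in reasons:
            print("  -", r)
```

In the sample, the routine operator touches two accounts over half an hour and produces nothing, while the compromised operator trips all three rules. The real lesson is the one the thread draws: the tool should not let a single support login do this at all, and where it must, every one of these actions should land in a log that something reads.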
 
Could this be related to the previous scam on YouTube? They made a fake Elon Musk channel with a fake title and description but with a real interview video and real profile photo of Elon Musk.

It got the same video title / description as the nefarious tweets.
 
Not even close, that's not even a hack.
 
Ars has a news article about the hack; here are the first few tidbits...

https://arstechnica.com/information...hone-spear-phishing-in-mass-account-takeover/

Twitter hackers used “phone spear phishing” in mass account takeover
This month's epic breach targeted multiple employees, Twitter says.

The hackers behind this month’s epic Twitter breach targeted a small number of employees through a “phone spear phishing attack,” the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter officials wrote in a post. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe."

Thursday's update also disclosed that the hackers downloaded personal data from seven of the accounts, but didn't say which ones.
 
Sweet, just an old-fashioned call 'em up and tell them you forgot your password type social engineering hack!

Social engineering is still the most effective form of hacking I know, it's always vulnerable.
 
Note that this phone hacking attack was not targeting ordinary users, but Twitter employees. It wouldn't surprise me if they used to have stronger protection against this kind of attack (e.g. you need to request a password reset in person, etc.) but the COVID-19 pandemic-induced working from home somehow weakened it.
 
Which probably means a lot of other places are a lot more vulnerable to social hacks right now, oh boy! :(
 
The attacker was arrested

Assuming they got the right guy, it looks like the work-at-home arrangement did contribute at least in part:

The attackers then called the employees and directed them to a phishing page that mimicked an internal Twitter VPN. Detailed work histories and other employee data the attackers obtained from public sources allowed the attackers to pose as people who were authorized Twitter personnel. Work-at-home arrangements caused by the COVID-19 pandemic also prevented the employees from using normal procedures, such as face-to-face contact, to verify the identities of co-workers.
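The Ars excerpt above says the employees were steered by phone to a phishing page that mimicked the internal VPN. The following is an added example, not code from Twitter or from the article, of one check a defender could run over outbound proxy logs after such a call: each hostname is compared against the legitimate VPN hostname after homoglyph normalisation, by edit distance, and by keyword overlap, so that a lookalike such as a zero-for-o swap or a "company-vpn" registration on a foreign domain is surfaced. The VPN hostname vpn.example-corp.com, the log format and the sample lines are constructed for this example.

```python
"""Added example: lookalike detection for a VPN hostname over proxy-log lines.
The legitimate hostname, the log format and every sample line are assumptions
constructed for this illustration; nothing here comes from Twitter."""
import re
from urllib.parse import urlsplit

LEGIT_VPN_HOST = "vpn.example-corp.com"      # assumed internal VPN hostname
LEGIT_REGISTRABLE = "example-corp.com"       # assumed corporate registrable domain

# Constructed proxy log: "<timestamp> <user> <method> <url>" (assumed format).
SAMPLE_PROXY_LOG = """\
2020-07-15T19:58:02Z jdoe GET https://vpn.example-corp.com/login
2020-07-15T20:01:45Z jdoe GET https://vpn.example-c0rp.com/login
2020-07-15T20:02:10Z asmith GET https://example-corp-vpn.com/sso
2020-07-15T20:03:33Z asmith GET https://www.wikipedia.org/
2020-07-15T20:04:00Z rlee GET https://vpn-example-corp.net/auth
"""

# Common single-character swaps a phisher uses to imitate a hostname.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize(host):
    """Fold the usual homoglyphs so that lookalikes compare equal to the original."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a, b):
    """Plain edit distance; hostnames are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain (last two labels); enough for the sample,
    which contains no two-level public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def classify(host):
    """Return None for the real host, hosts under the corporate domain and
    unrelated hosts; otherwise a short reason why the host looks like a lookalike."""
    if host == LEGIT_VPN_HOST or registrable(host) == LEGIT_REGISTRABLE:
        return None
    n = normalize(host)
    legit_n = normalize(LEGIT_VPN_HOST)
    if n == legit_n:
        return "homoglyph of VPN hostname"
    if levenshtein(n, legit_n) <= 2:
        return "near-match of VPN hostname"
    stripped = re.sub(r"[^a-z0-9]", "", n)
    company = re.sub(r"[^a-z0-9]", "", LEGIT_REGISTRABLE.split(".")[0])
    if "vpn" in stripped and company in stripped:
        return "contains 'vpn' and the company name on a foreign domain"
    return None


def scan(text=SAMPLE_PROXY_LOG):
    """Return (timestamp, user, host, reason) for every flagged request."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, url = line.split(maxsplit=3)
        host = urlsplit(url).hostname
        reason = classify(host)
        if reason:
            hits.append((ts, user, host, reason))
    return hits


if __name__ == "__main__":
    for ts, user, host, reason in scan():
        print(f"{ts} {user} {host}: {reason}")
```

Seeing an employee hit a lookalike VPN host minutes after a phone call is the signal that credentials were just handed over; that is the moment to revoke the session and reset the password, not after the first scam tweet goes out.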
 
So this attack means there are multiple employees at Twitter, at not particularly high ranks and with low enough security procedures, with tools that allow them to post content as if from any Twitter account.

huh.

Good to know.

This hacker is doing god's work.
 