The culprits who pulled off this month’s epic hack on Twitter were apparently using phone calls to trick company employees into giving up their passwords.
On Thursday, the company provided an update on the July 15 incident, which enabled the attackers to hijack dozens of Twitter accounts belonging to various celebrities. A key mystery has been how the hackers broke into the company’s internal systems to instigate the account takeovers.
Twitter is now blaming the intrusion on a “phone spear phishing” attack against a small number of employees who fell for the stunt. The company hasn’t elaborated, but the term spear phishing means the hackers researched their targets, and then came up with a ploy to dupe them into giving up login credentials for Twitter’s systems.
Tweet
Most of the time, spear phishing attacks masquerade as emails that pretend to come from your email provider, company HR department or IT support desk. The message may even contain your name, title, and some personal details to convince you the correspondence is legit. The email can then trick you into opening up a malicious document or visiting a hacker-controlled login page that’ll secretly steal your passwords.
The culprits behind the Twitter hack, however, decided to incorporate phone calls in their scheme. Security expert Graham Cluley laid out one possible scenario to how the ruse might have worked:
“A targeted Twitter employee or contractor received a message on their phones which appeared to be from Twitter’s support team, and asked them to call a number,” he wrote in a blog post. “When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials.”
Using the phone calls would’ve also made it easier for the culprits to establish trust with the company employees, Cluley points out. “Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VoIP phone service and using caller ID spoofing to pretend to be ringing from a legitimate number,” he added.
Although Twitter isn’t elaborating on the spear phishing scheme, the company is indicating the culprits successfully phished one employee, which gave them an entry way into Twitter's internal system. The attackers then learned about the company's processes to find other staff members who had direct access to Twitter’s account management tools.
"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said. In total, the hackers targeted 130 Twitter accounts on July 15, but hijacked only 45 of them. Another 36 accounts had the inbox to their direct messages accessed.
Last week, Reuters reported that over 1,000 Twitter employees and contractors had access to internal systems with the power to initiate account takeovers. However, Twitter claims the company has strict processes in place to prevent abuse, even though the breach this month suggests otherwise.
“We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason,” the company said yesterday. “While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated.”
Further Reading
- Windows Defender Flags CCleaner as 'Potentially Unwanted Application'
- North Korean Hackers May Be Dabbling in Ransomware Again
- Face Masks Confuse Facial-Recognition Software, Study Finds
- Garmin Confirms Cyber Attack, But Says No User Data Was Stolen
- More in Security
Security Reviews
- Bitdefender Antivirus for Mac
- Bitdefender Antivirus Plus
- Kaspersky Safe Kids
- TunnelBear VPN
- K7 Ultimate Security