Verified Twitter accounts belonging to high-profile individuals and companies like Joe Biden, Bill Gates, Apple and Elon Musk promised followers a large pay out if they’d just send bitcoin to a block chain address — ostensibly to donate to Covid-19 community aid — after the social media platform was breached.
“I am giving back to my community due to Covid-19,” the hackers’ message read, noting that the offer was good only for 30 minutes.
“We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it,” Twitter Support tweeted, promising to “update everyone shortly,” noting later that it immediately locked down the affected accounts and removed the fake tweets.
Explaining that “several years ago, there was a similar event where a few accounts were seemingly breached” and the culprit turned out to be “a third party access system,” James McQuiggan, security awareness advocate at KnowBe4, said the Twitter incident could be similar, but on a much larger scale, using prominent personalities and companies.
McQuiggan said that of more concern is that cybercriminals may “have had access to these accounts or possibly worked their way into a Twitter employee account, and inevitably worked their way into the Twitter backend’s administrative systems.”
The hack could have been compromised in multiple ways, including a exploiting “a fairly common support feature” that allows “administrative and other privileged personnel to impersonate other users to test functionality as that user,” said Shawn Smith, DevOps engineer at nVisium. “So if Twitter has made this sort of a setup available, it is quite possible an account with access to this feature was compromised, therefore leading to additional account compromise.”
Kelvin Coleman, Executive Director of the National Cyber Security Alliance (NCSA) agreed, said that “while it’s unclear what the source of the ongoing Twitter crypto scam attack is – the size and scale of an operation like this seems to potentially point to an employee’s compromised credentials – very likely due to something as simple as falling victim to a phishing attack – that then allowed a single bad actor or group broad access into these accounts from the inside.”
Also, “SMS interception on password resets, and password reset logic flaws are…vectors for general social media account compromise,” said Smith, who believes “the number of accounts being compromised so quickly makes these attack vectors [as well as phishing] somewhat unlikely unless carefully coordinated and orchestrated by a syndicated effort.”
Twitter later confirmed in a series of tweets that the hackers used access who successfully targeted some employees and gained access to internal systems and tools “to take control of many highly-visible (including verified) accounts and Tweet on their behalf.” The company was probing “what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”