The hackers who ran a cryptocurrency scam using high-profile, verified Twitter accounts, including those belonging to Joe Biden, Apple, Bill Gates, Uber and Barack Obama, accessed the direct messages (DMs) of 36 accounts and downloaded account data from eight accounts via “Your Twitter Data.”
There is no indication that the DMs of any former or current elected official, other than one Dutch politician, was accessed and Twitter doesn’t believe that the attackers saw any private information “for the vast majority of people” whose accounts were targeted, the company said in an update.
Twitter acknowledged that last week’s attack was the result of a “coordinated social engineering campaign” involving multiple employees.
The attackers, who could see email addresses and phone numbers, couldn’t see previous account passwords, which are not stored in plain text. Nor are they available through the tools the hackers used in the attack, the company said, noting that an ongoing investigation is trying to determine if the perpetrators had been able to view additional information associated with the impacted accounts.
Despite a swirl of speculation over the nature of the attack and the actors behind it – ranging from a coordinated nation-state attack to politically motivated hijinks to a smokescreen or practice run for a more profound attack – Allison Nixon, chief research officer at Unit 221B, knew who Twitter was likely dealing with.
“The moment I learned they went after one-letter accounts [those affiliated with elite users], I knew it was the OGuers [original gangsters],” Nixon told SC Media of the fraud community she’s tracked for years.
“Few on the internet invest in that,” she said, noting that in terms of technique and targeting, the Twitter hack boasted the hallmarks of the fraudsters.
After low-key beginnings “taking over cool names from gamers,” the community moved on in 2016 to crypto wallets, then on to taking over celebrity Twitter accounts, something they’ve been doing for “a very long time,” Nixon said. “The pattern of behavior fits with OGusers’ absolutely bizarre pattern of behavior.”
In addition to running phishing campaigns, OGers are known for their insider recruitment methods — which include calling employees to solicit information, spamming customer service reps with offers to make big money and even socializing with them at parties to lure them into for-profit schemes.
Nixon’s initial instinct about the Twitter attack proved accurate – immediately after the attack, warnings started going up in the OGuser community not to sell one-letter accounts. Shortly afterward, members of the group began spilling details to journalists. Nixon would rather members of the community report what they know to the FBI and produce whatever evidence they have instead of just dishing to the press. “The first person who snitches gets the best plea deal,” she pointed out.
Ilia Kolochenko, founder and CEO of ImmuniWeb, said that crediting the entire success of the attack — which he called “unprecedentedly disrupting” — to “comparatively banal social engineering” is questionable. “Hijacking one or two accounts by tricking Twitter tech support seems fairly plausible, but the long-lasting takeover of dozens of top accounts requires a much more sophisticated and multidimensional preparation of attack,” he said.
The reported social engineering attack vector likely “was enhanced by exploitation of other weaknesses in Twitter’s internal security. It is not excluded that the attackers were assisted by an insider or were exploiting a high-risk vulnerability detected in one of the Twitter’s web systems,” Kolochenko continued. “Otherwise, we may reasonably infer that Twitter has virtually no internal security controls and best practices that we should normally expect from a tech company of its size.”