The attackers that hacked Twitter in July pretended to call from Twitter’s IT department about a VPN issue, then persuaded employees to enter their credentials into a website that looked identical to the real VPN login site.
The claims by the hackers were credible – and successful – because Twitter’s employees were all using VPN connections to work and routinely experienced VPN problems that required IT support, a New York Department of Financial Services (NYDFS) report found.
The Twitter hackers also appear to have conducted research to identify basic functions and titles of Twitter employees so that they could better impersonate Twitter’s IT department. NYDFS says the conversations during the vishing calls may have provided more information about Twitter’s internal operations. Armed with these personal details, the hackers convinced several Twitter employees that they were from the social media company’s IT department and stole credentials.
The NYDFS conducted an extensive report because along with taking over the Twitter accounts of Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, the hackers infiltrated the Twitter accounts of several cryptocurrency companies regulated by NYDFS.
“It’s indeed sobering to see what Twitter and the rest of us are up against in terms of information security threats,” said Chris Howell, co-founder and CTO of Wickr. “The perpetrators in this case didn't need to be hackers any more than carjackers need to be mechanics. Yet, most companies spend the lion's share of their information security budget countering the more technical threats. This incident should inspire us to question that balance in our own programs.”
Heather Paunet, senior vice president at Untangle, said many businesses and organizations have experienced similar issues related to employee transitions to remote work and VPN or network connectivity.
“This can happen for many reasons,” she said. “Most employees haven't used VPNs much before” since it was “a technology extended generally to specific groups within the company, such as execs or IT groups.”
But when everyone began to work from home as the pandemic spread, “ problems started occurring because of lack of familiarity and lack of understanding of VPN by the rest of the workforce,” said Paunet. “For example, members of the finance team, if they do not routinely work from home, will have to adopt and train themselves to connect to the network via VPN now that they are remote.”
Hank Schless, senior manager, security solutions at Lookout, adds that with entire organizations working remotely because of the pandemic, posing as a member of the IT team has become a brazen, yet effective way for threat actors to phish employee credentials.
“Posing as part of the IT team puts attackers into a role with greater authority and credibility than traditional phishing,” Schless said. “Remote work increases the likelihood of success for the attacker because the target employee can’t walk down the hall to validate the communication with another member of the team. “
Schless advised employees to always validate anyone who says they’re a member of an internal team – especially if they’re asking for login credentials. He says it’s incredibly important today for companies to train employees on how to spot these phishing attempts, especially as they do more work remotely and on mobile devices.