Northwest Arkansas Democrat-Gazette
Twitter attack raises questions on inside job
But experts fear bitcoin scam is cover
As Twitter Inc. grapples with the worst security breach in its 14-year history, it must now uncover whether its employees were victims of sophisticated phishing schemes or if they deliberately allowed hackers to access high-profile accounts.
On Wednesday, some of the world’s most prominent people, including former President Barack Obama and Democratic presidential candidate Joe Biden, along with Bill Gates, Elon Musk and Warren Buffett, had their Twitter accounts post invitations for an apparent Bitcoin scam.
Twitter reacted by blocking further posts from all verified accounts on the service and said it had detected “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Social-engineering attacks refer to hacking attempts in which someone exploits “the human element of security,” said cybersecurity expert Rachel Tobac, who is chief executive officer of Social-Proof Security.
That could mean blackmailing or bribing someone to gain access to accounts or even insiders carrying out a hack themselves.
The most common example of a social-engineering attack is phishing, or sending a fake email designed to look real to trick someone into turning over account credentials or other information. More-targeted tactics, such as spear-phishing, single out individuals with a goal of taking over their credentials. Once hackers have that access, they can work to change passwords or take other measures to lock out the real account owner.
“I can phish someone who has administrative access and try and gain access to their credentials and log into their account,” Tobac said, or the less technical method would be to develop “a relationship with someone who works on those panels and convincing them to do your bidding for you.”
WHAT WAS THE GOAL?
The company’s explanation has ignited speculation over the identity of the perpetrators and what they were actually targeting in the attack. The scale of the endeavor and its timing — months before the November U.S. elections — have prompted some cybersecurity experts to theorize that the attack masked a more nefarious campaign to seize sensitive data.
In its investigation of the incident, Twitter likely will focus on employee logs, email and phone records. At issue will be any failures in authentication processes that might have allowed hackers to hijack verified accounts, and also what other information, such as direct messages, might have been compromised in the breach. The bitcoin wallets promoted in the tweets collected around $120,000 in cryptocurrency.
“It used to be the Nigerian prince letter with a bunch of spelling mistakes, and now it’s something that almost looks legitimate, but it always starts with a person,” said Frances Dewing, the CEO of cybersecurity firm Rubica Inc., based in Seattle.
“There’s a playbook for doing this, there are cybercriminal organizations that make millions of dollars. It’s the fastest growing business in the world,” she said.
Whoever is behind the incident is shifting the spoils around online accounts, creating the beginnings of a digital paper trail that investigators are scouring for clues.
After gaining access to the accounts, hackers asked Twitter users to direct bitcoins to one of three accounts, said Tom Robinson, co-founder of Elliptic, which helps law enforcement agencies track bitcoin-related crime.
The attackers received just over 400 payments, according to Elliptic. The largest payment came from a Japanese exchange, and totaled about $42,000.
FOLLOW THE BITCOINS
Bitcoin offers users a degree of anonymity, making it a popular vehicle for criminal behavior. But investigators can glean valuable information in cases where the cryptocurrency is moved to accounts, or wallets, that have carried out transactions with certain U.S. exchanges or services. That’s because U.S. exchanges typically take pains to verify user identity.
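The tracing approach described above, following funds forward from the scam wallets until they reach a deposit address belonging to an identity-verifying exchange, as an added illustration that is not part of the article and not Elliptic's or Whitestream's tooling. The transaction graph, the wallet labels and the exchange deposit list are all constructed sample data; real analysis would pull transfers from the blockchain and use an attribution database of exchange addresses.

```python
from collections import deque

# Constructed sample transfers (not real addresses or amounts):
# (from_address, to_address, amount_btc). The three scam wallets are
# consolidated through intermediate hops before one branch reaches an exchange.
SAMPLE_TRANSFERS = [
    ("scam_wallet_1", "hop_a", 5.0),
    ("scam_wallet_2", "hop_a", 3.0),
    ("scam_wallet_3", "hop_b", 4.0),
    ("hop_a", "hop_c", 8.0),
    ("hop_c", "exchange_us_1_deposit", 7.5),
    ("hop_b", "unattributed_out", 4.0),
    ("unrelated_user", "exchange_us_1_deposit", 1.0),
]

# Hypothetical attribution table: deposit addresses known to belong to
# exchanges that verify customer identity (the lead investigators can pull on).
KNOWN_EXCHANGE_DEPOSITS = {"exchange_us_1_deposit": "ExchangeUS-1"}

SCAM_WALLETS = ["scam_wallet_1", "scam_wallet_2", "scam_wallet_3"]


def build_graph(transfers):
    """Adjacency list: address -> list of (next_address, amount)."""
    graph = {}
    for src, dst, amt in transfers:
        graph.setdefault(src, []).append((dst, amt))
    return graph


def trace_to_exchanges(start_wallets, transfers, known_exchanges, max_hops=6):
    """Breadth-first search forward from each start wallet.

    Returns a list of (start_wallet, exchange_name, path) for every start
    wallet whose funds reach a known exchange deposit address within
    max_hops transfers. Each start wallet is searched independently so the
    shortest path per wallet is reported.
    """
    graph = build_graph(transfers)
    hits = []
    for start in start_wallets:
        queue = deque([(start, [start])])
        seen = {start}
        while queue:
            addr, path = queue.popleft()
            if addr in known_exchanges and addr != start:
                hits.append((start, known_exchanges[addr], path))
                continue  # stop at the exchange; deeper hops are its custody
            if len(path) - 1 >= max_hops:
                continue
            for nxt, _amt in graph.get(addr, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
    return hits


def untraced_wallets(start_wallets, transfers, known_exchanges, max_hops=6):
    """Start wallets whose funds never touch a known exchange: no KYC lead."""
    traced = {hit[0] for hit in trace_to_exchanges(start_wallets, transfers,
                                                   known_exchanges, max_hops)}
    return [w for w in start_wallets if w not in traced]


if __name__ == "__main__":
    for start, exchange, path in trace_to_exchanges(
            SCAM_WALLETS, SAMPLE_TRANSFERS, KNOWN_EXCHANGE_DEPOSITS):
        print(f"{start}: reaches {exchange} via {' -> '.join(path)}")
    print("no exchange lead:", untraced_wallets(
        SCAM_WALLETS, SAMPLE_TRANSFERS, KNOWN_EXCHANGE_DEPOSITS))
```

The hop limit matters in practice: funds that pass through many hops or a mixing service lose the attribution, which is why the third wallet in the sample ends with no lead, and why the article notes that the value of the trail depends on the funds touching a service that verified its customer.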
“Sharing this information fast with the authorities worldwide and with companies from the ecosystem will help us stop the stolen funds and find more info about the attackers,” said Itsik Levy, co-founder of Whitestream, a bitcoin researcher.
Identifying potential Twitter employees to target wouldn’t be difficult for the hackers, given the way most smartphone apps vacuum up location and other contextual data from users — data which often is then sold to marketing companies. Anyone frequenting the same coffee shops and businesses or entering and leaving a workplace at particular hours can give away clues about themselves.
Cybersecurity experts can only speculate until Twitter itself reveals what happened and where the failures occurred, but even this kind of show of force — a demonstration by hackers to earn credibility or gain infamy — isn’t convincing them that a bitcoin scam was all there was to the operation.
Stas Protassov, co-founder and president of global technology firm Acronis said the attack was “too prepared to be just a cryptocurrency scam.”
“We don’t believe that’s all the hackers went into once they got access,” he said in an email. “The attack is too big and too noisy and likely covering a bigger play. We’ve yet to see the full impact of what this was about.”