It started with a phone call, moved on to scamming unsuspecting victims out of Bitcoin, and ended in the arrests of three people, including a Florida teenager.
The July 15 hijacking of about 130 high-profile and verified Twitter accounts, including those of Bill Gates, Elon Musk, Barack Obama, and Joe Biden, scammed dozens of people out of about $120,000 worth of bitcoin. The incident, which gained worldwide attention, contained a bit of everything, including a celebrity element and questions about the reliability of messages posted on one of the world’s largest social media platforms.
The arrests of a 17-year-old and two others in connection with the hacking case by the U.S. Justice Department and state prosecutors in Florida also reveal how rather basic hacking techniques, such as phone phishing and SIM swapping, can affect the security of an entire company, leaving employees and internal resources open to attack.
“We still don’t know exactly what happened with Twitter, however, they’ve acknowledged that the incident was started by a phone spear-phishing attack,” Hank Schless, a senior manager for security solutions at Lookout, told Dice.
“Regardless of what happened with Twitter, this should be a wakeup call to everyone that phones and tablets need to be at the center of their overall security strategy. Your employees’ mobile devices have as much access to corporate data as almost any laptop or desktop. So they shouldn’t be treated as an afterthought to traditional endpoints and infrastructure.”
Many of the specific details of what happened to Twitter and the verified accounts are not known yet, but the Wall Street Journal reported that Graham Ivan Clark, a teenager from Tampa, helped mastermind the hacking incident, first by phone phishing a company employee, and then by using a SIM swapping technique to help bypass security controls to gain access to Twitter’s internal systems.
SIM swapping is an increasingly popular hacking technique that starts by convincing a mobile operator’s customer service employee to move a cell phone number to a different SIM card—a swap—or port it to another carrier.
This hacking method has been increasingly used over the last two years by hackers and cybercriminals to manipulate social media accounts and imitate executives to pull off other different types of fraud and account takeover attacks.
Clark and the other suspects also used additional phishing tactics and fake domains to capture other Twitter employees’ credentials, according to the Journal’s account.
These types of targeted spear-phishing attacks are much prevalent and show that some hackers will use specific methods to target the data or information that they want, said
Daniel Norman, a research analyst at the Information Security Forum, a London-based authority on cyber, information security, and risk management.
“Phishing has been a prolific threat to organizations for many years now,” Norman told Dice.
“Typically, attackers use ‘spray and pray’ techniques, creating and spreading generic fake emails to cover the widest attack surface as possible. However, as individuals become more aware of this threat, attackers are using far more targeted methods with greater success: spear phishing.”
Michael Thoma, principal consultant at the Crypsis Group, a Virginia-based incident response, risk management, and digital forensics firm, notes that while many have taken Twitter to task over the security lapses that led to this hack, other companies are vulnerable to the same methods allegedly used by the suspects in the case.
“Threat actors will continue to look for ways to exploit a targeted business if the first line of attack fails. If they can’t succeed via a phishing email, they may use another communications channel, such as the phone—as used in the Twitter case,”
Thoma told Dice.
“There are limited technical controls that can be applied here, which is why policy governance and security awareness training are just as important as technical controls. The communications attack surface has expanded, with the majority of workforces transitioning to all or partial remote models in response to COVID-19.”
One way that CISOs and their teams can mitigate the use of phishing and social-engineering techniques that target specific employees is to create a security awareness program, which includes end-user training, the development of strong internal policies and procedures, and reinforcement using actionable metrics that drive meaningful improvements.
“It’s important to understand the organizational weaknesses and progress,” Thoma said. “Red team exercises as well as continuous simulated phishing campaigns on staff provide information on where to focus more attention.”
The moral of the story
ISF’s Norman noted that organizations could take three concrete steps away from what happened at Twitter and apply them to their security policies and training.
Teaching employees about new delivery mechanisms: Attackers shift away from email-based attacks to smishing (SMS or WhatsApp-based attacks) and vishing (voice-based attacks). With many, if not all, companies running some email-based phishing campaign, there’s a current need to use these newer attack methods to test employees’ responses and make them more aware of how they are specifically targeted.
Stopping attackers from gathering information: Organizations should frequently engage with the workforce to educate them on how to mitigate spear-phishing risk before it happens. For example, attackers are now using readily available open-source intelligence online to build believable profiles to target specific individuals. Employees can reduce the amount of information available online and on social media. Also, they can put controls in place to prevent attackers from getting to their data quickly, such as applying privacy settings in certain apps.
Enhancing the management of the risks: Businesses and organizations should carry out role-based training to see how employees react to spear-phishing and other hacking techniques. For instance, senior executives, financial and personal assistants receive a far greater number of spear-phishing emails, so these employees should receive tailored and ongoing education and training.
Security teams should also provide workers with the tools to quickly and easily report incidents, such as a phishing email alert button. There should also be procedures in place to prevent single points of failure.
During financial transactions, Norman suggests that there should always be a second pair of eyes or confirmation mechanism to add an extra layer of security.
“For the average person, they need to learn how to identify phishing attacks,” Lookout’s Schless said.
“This applies whether you’re using a personal device or a corporate-issued one. They need to understand that phishing isn’t just an email-based scam that you open on desktop computers. From WhatsApp and Instagram to text messages, there are countless ways for phishing links to be delivered. Your employees can be both your strongest defense and your weakest link against mobile phishing depending on how well they’re trained to pick up on these attacks and report them.”