'The Bitcoin address in question has received almost $118,000'
A fool and their money...
Having seen some of the sample Tweets I'm saddened that anyone fell for it but not hugely surprised.
Twitter has said that around 130 accounts were targeted by miscreants this week as high-profile individuals and businesses had their accounts hijacked to promote a Bitcoin scam. The estimate comes days after the social media biz admitted the blitz – which snared the accounts of Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber …
The only country scamming for money is North Korea and they are very good at it - which is odd because this scam wasn't that efficient. Rather than tracking the total amount, how many transactions were there and when did they take place?
But when a scam like this happens all we know is what happens, knowing who's behind it is just guesswork.
What I want to know is whose account raised the most money? Who has the stupidist followers? While I'm sure that some of the people who were fooled by this rather obvious SCAM are desperately trying to make ends meet, and I feel sorry for them. But for all the others, you lost what you deserve for being so greedy and stupid. Why on earth would people like Bill Gates and Obama want to send you bitcoins? You should have sent your money to me. I really will send it back doubled… Honest!
> Today, the Twitter support account said it had no evidence that attackers accessed passwords.
So, Twitter accounts themselves weren't compromised but there was social engineering. Which means the attackers compromised Twitter admin accounts and then sent out those scam tweets. Let that just sink in for a moment: Twitter staff can send tweets from anyone's account as if the account owner had sent them.
Why is that even a function in the system? Suspend an account: yep. Delete a tweet: yep. Delete an account: yep. But impersonate a user?
Perhaps it's not that kind of breach at all. Maybe the attackers social-engineered access to the 'fake twitter accounts department' - the one that is used to pretend to advertisers that there are 100m active users every second of the day.
The attackers apparently did 2 things on the targeted accounts with the admin creds they gained access to (apparently via social engineering), which are standard admin tasks:
1) Disabled 2FA if enabled
2) Reset the associated email account to an account under their control
Once they had control of the linked email accounts (and with 2FA disabled) they could send password reset requests and at that point they effectively owned the accounts.
None of that discounts the fact that Twitter is incompetent here - in fact I think they are grossly incompetent.
And this also highlights the folly of making access to a particular email address a critical part of any account's so-called "security".
It's not much better than your bank giving someone else access to your account if they are wearing the same brand of shoes you wear.
@John Brown -- I refer you to this paragraph, my emphasis:
It appears the hijackers were able to, directly or indirectly, access an internal Twitter control panel disable multi-factor authentication on the popular accounts and change their email addresses, at least in some cases, allowing passwords to be reset and profiles taken over.
So some of the accounts had fake Tweets sent because the owner's email had been compromised. What mechanism do you suggest was used to send fake Tweets from the other affected accounts?
I think your moniker is appropriate in this case. The paragraph you quote explains how an account can be hijacked. That's not quite the same as Twitter staff being able to send a Tweet as anyone whenever they feel like it, nor does it state anywhere that the customers email accounts were hijacked. It quite clearly states that anyone with access to the control panel can CHANGE the users notification email address AND turn off 2FA, thus allowing said person to then change the Twitter account password. The ONLY account compromised is the Twitter account and it can't be put back "as it was", hiding the tracks of the hijacker so no, Twitter staff can't just pretend to be any account holder at a whim.
Biting the hand that feeds IT © 1998–2020