Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users’ timelines polluted with a Bitcoin scam. “The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” says a July 30 update to Twitter’s incident report. …

  1. Gordon 10 Silver badge

    Give us the method details!

    It's so important that more details are posted on the methods that were successful. The right combo of content and circumstance can leave the best of us vulnerable to these sorts of attacks.

    1. Louis Schreurs Bronze badge

      Re: Give us the method details!

      Methinks this is not the only example of holding details undisclosed because of the shame about the undisclosed details.

      1. Anonymous Coward

        Re: Give us the method details!

        Agreed, the details of the Garmin attack spring to mind too.

      2. HildyJ Silver badge
        Facepalm

        Re: Give us the method details!

        It seems clear from the statements that this wasn't a sophisticated hack.

        The method was a phone call asking a lower level support person for credentials followed by more phone calls working their way up the support chain until they got the credentials they needed.

        It's no different from all the other phishing schemes we've read about except that this one was bitcoin oriented.

        They don't want to disclose more because they don't want to admit it was so easy to do.

    2. Anonymous Coward Silver badge
      Pirate

      Re: Give us the method details!

      brrring brrring

      brrring brrring

      "Hi, this is Barry from the Twitter IT department ( / development team / whatever). We're testing a new system and I'd like to get you to try it out."

      "Umm. OK then"

      "Yeah, just go to http://phishing.site and log in as normal. If you can test it out for a few days and then send us any feedback, that'd be great"

      "Will do. Thanks"

      1. Mike 125

        Re: Give us the method details!

        Barry's a great guy. And I like to help people. What's wrong with that?

      2. gnasher729 Silver badge

        Re: Give us the method details!

        Sounded more like "Hi, here is Johnny from the Apple IT department. I lost the login for our Twitter account and I might lose my job over it. Could you email me the details to my personal email johnny@phishing.com ? "

      3. Oh Matron! Silver badge

        Re: Give us the method details!

        Being addressed as Mr Lastname, Firstname gets my spider senses tingling instantly.

  2. Anonymous Coward

    Sounds like Twitter was seriously compromised

    Underpaid drones not paid to think

    1. Louis Schreurs Bronze badge

      Re: Sounds like Twitter was seriously compromised

      I feel a lot of people here on ElReg hold positions like the drones you mentioned.

    2. Gordon 10 Silver badge

      Re: Sounds like Twitter was seriously compromised

      I think the only thing drone-like around here is an AC making that assumption on little evidence.

  3. Maximum Delfango
    Thumb Up

    Ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha!

    Ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ... ha! ha! ha! ha! ha!

    I have nothing more to add.

    ha!

    (except that).

  4. gnasher729 Silver badge

    I'll look at it in a positive way. There was a major security breach, but the total damage was some embarrassment to a few companies and people, a lot of embarrassment to Twitter, $130,000 or so lost by absolute idiots, $130,000 or so getting into the hands of scammers - who might have got the same amount as a reward if they had just told Twitter what they had done. And we can look to a significant improvement in terms of security at Twitter. Money well spent.

    Now can you imagine what damage could have been done with some real malice and intelligence?

  5. veti Silver badge

    Old story

    Compromise one lowly drone, then use their credentials (information, identity) to compromise a higher level drone. Keep going until you get to the level you need.

    Defence must be in depth. You can't maintain a strong firewall around everyone, because too much of the Internet would have to be inside it. But escalating through each level should become progressively harder (usually, in practice, it gets easier), and people with access to sensitive information need really solid security training.
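The ladder pattern described here (and in HildyJ's account above of calls working up the support chain) is something an audit log can surface: a freshly issued credential being used, within a short window, to request the next tier's credential. The block below is an added illustration, not code from any commenter, from Twitter or from The Register; the audit-record format, the tier numbers, the actor names and the sample log lines are all constructed for the example.

```python
"""Flag credential-escalation chains in a constructed support-access audit log.

Added example; the log format below is hypothetical:
    <ISO timestamp> <actor> tier=<n> <action> [target=<name>]
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: alice (tier 1) hands over bob's credentials,
# bob (tier 2) hands over carol's, carol (tier 3) reaches the admin tool.
# dave is ordinary tier-2 activity and must not be flagged.
SAMPLE_LOG = """\
2020-07-15T14:02:11 alice tier=1 login
2020-07-15T14:05:40 alice tier=1 cred_request target=bob
2020-07-15T14:09:02 bob tier=2 login
2020-07-15T14:12:30 bob tier=2 cred_request target=carol
2020-07-15T14:15:55 carol tier=3 login
2020-07-15T14:16:20 carol tier=3 tool_access target=account_admin
2020-07-15T16:30:00 dave tier=2 login
2020-07-15T16:45:00 dave tier=2 tool_access target=ticket_queue
"""


def parse_log(text):
    """Parse the hypothetical audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        tier = int(parts[2].split("=", 1)[1])
        target = None
        for field in parts[4:]:
            if field.startswith("target="):
                target = field.split("=", 1)[1]
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "actor": parts[1],
            "tier": tier,
            "action": parts[3],
            "target": target,
        })
    return events


def find_escalation_chains(events, window=timedelta(minutes=30), min_length=3):
    """Return chains [a1, a2, ...] where each actor requested the next actor's
    credentials, the next actor then logged in within `window`, and every hop
    lands on a strictly higher tier. Only chains of at least `min_length`
    actors are reported, so a single routine hand-off is not an alert.
    """
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["actor"]].append(e)

    # Edge requester -> target exists when the target's login follows the
    # request within the window and sits on a higher tier than the requester.
    edges = defaultdict(list)
    for req in (e for e in events if e["action"] == "cred_request"):
        for login in logins.get(req["target"], []):
            if req["ts"] <= login["ts"] <= req["ts"] + window and login["tier"] > req["tier"]:
                edges[req["actor"]].append(req["target"])

    escalated_into = {t for targets in edges.values() for t in targets}
    chains = []

    def walk(path):
        nxt = edges.get(path[-1], [])
        if not nxt:
            if len(path) >= min_length:
                chains.append(path)
            return
        for t in nxt:
            if t not in path:  # guard against cycles
                walk(path + [t])

    # Start only from actors nobody escalated into, i.e. the bottom rung.
    for start in edges:
        if start not in escalated_into:
            walk([start])
    return chains


def chains_from_log(text):
    return find_escalation_chains(parse_log(text))


if __name__ == "__main__":
    for chain in chains_from_log(SAMPLE_LOG):
        print("escalation chain:", " -> ".join(chain))
```

The check is deliberately structural: it does not care what was said on the phone, only that credentials for a higher tier were requested and used in quick succession, which is the shape the comment describes. Tuning `window` and `min_length` trades false positives (legitimate on-call hand-offs) against missing slower campaigns.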

  6. Anonymous Coward

    Stunned...

    I work for a security-minded company that has, for the last 8 years, conducted its own phishing attempts internally. If you click on a linky, it's off to mandatory training you go.

    It's been so successful, it's turned the workforce, of around 120K, slightly cynical, to the point where they even question official missives, which in itself has resulted in much better worded and branded emails.

    The use of web conf apps and UC apps further adds to the security, with CLI being presented: I haven't had a phone on my virtual desk for at least 3 years.

    TL;DR Twitter really needs to give itself a slap and hire some decent CSO to implement a strategy so this can be avoided in the future.

    I've even managed to train my 71-year-old dad to be suspicious of nearly everything he receives, and he now engages with spam phone calls just to waste their time.

  7. WolfFan Silver badge

    Ah, phishie phishie...

    I recently got an email allegedly from Amazon. It stated that I didn’t have certain items filled in on my account, notably ‘business hours’ and an associated ‘business phone’. I was supposed to click here to update the account. They needed the info to ‘ensure delivery’. I found this to be quite interesting. In the first place, while I do have a business account, the email went to my personal account. In the second place, I’ve had that account for over two decades, and have had delivery problems exactly once in that time; Amazon sent a package to a similar address two states away. If they had had ‘business hours’ and a ‘business phone’ they still would have messed that up. In the third place, my personal account has had the delivery address changed three times, the last over a decade ago, in the time I’ve had it, and I was never asked about providing a ‘business phone’ or ‘business hours’ before. And, in the fourth place, there’s that whole ‘click here’ bit.

    I contacted Amazon, using the chat because it’s amazingly difficult to find a phone number for Customer Support. The guy on chat said that the email was legitimate, and that Amazon needed the info or they wouldn’t be responsible for missed deliveries. He had no idea what ‘phishing’ was. I insisted that there was a problem. He got someone to phone me. The girl on the phone had no idea what phishing was, either, insisting that the email was legitimate, but conceded that it was ‘optional’ for personal accounts.

    They have not the least clue. I wonder how many others have received similar emails and just clicked here. And how many of those didn’t actually get the email from Amazon.

  8. Saadyasree

    Interesting thread I am very happy to read all the comments thank you

  9. Danny 2 Silver badge

    Guess the arrested Tory

    Twitter used to just name suspects. Salmond certainly was. Now we have to join the dots.

    I bet £5 on Greg Clark, outraged of Tunbridge Wells.

    1. Danny 2 Silver badge

      Re: Guess the arrested Tory

      50 something, former minister, remainer, Kent MP, nice guy. Breadcrumbs that show anonymisation is futile.

      The police said the arrestee was in their 50s. Normally they'd say 52 even if they don't name them.

      There is another tech angle - Clark is a critic of Huawei.


Biting the hand that feeds IT © 1998–2020