Give us the method details!
It's so important that more details are posted on the methods that were successful. The right combo of content and circumstance can leave the best of us vulnerable to these sorts of attacks.
Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users’ timelines polluted with a Bitcoin scam. “The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” says a July 30 update to Twitter’s incident report. …
It seems clear from the statements that this wasn't a sophisticated hack.
The method was a phone call asking a lower-level support person for credentials, followed by more phone calls working their way up the support chain until they got the credentials they needed.
It's no different from all the other phishing schemes we've read about except that this one was bitcoin oriented.
They don't want to disclose more because they don't want to admit it was so easy to do.
brrring brrring
brrring brrring
"Hi, this is Barry from the Twitter IT department ( / development team / whatever). We're testing a new system and I'd like to get you to try it out."
"Umm. OK then"
"Yeah, just go to http://phishing.site and log in as normal. If you can test it out for a few days and then send us any feedback, that'd be great"
"Will do. Thanks"
Ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ha! ... ha! ha! ha! ha! ha!
I have nothing more to add.
ha!
(except that).
I'll look at it in a positive way. There was a major security breach, but the total damage was some embarrassment to a few companies and people, a lot of embarrassment to Twitter, $130,000 or so lost by absolute idiots, and $130,000 or so getting into the hands of scammers, who might have got the same amount as a reward if they had just told Twitter what they had done. And we can look to a significant improvement in terms of security at Twitter. Money well spent.
Now can you imagine what damage could have been done with some real malice and intelligence?
Compromise one lowly drone, then use their credentials (information, identity) to compromise a higher level drone. Keep going until you get to the level you need.
Defence must be in depth. You can't maintain a strong firewall around everyone, because too much of the Internet would have to be inside it. But escalating through each level should become progressively harder (usually, in practice, it gets easier), and people with access to sensitive information need really solid security training.
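The "progressively harder" escalation the comment above asks for, as an added example that is not from the thread and not Twitter's own tooling: a toy authorization model for an internal account-support tool. Every tier requires strictly more authentication factors than the one below it, the most sensitive actions need a second, independent approver, and an `attacker_reach` helper shows what a phished set of passwords alone actually buys. Tier numbers, action names, factor names and user names are all assumptions made up for the illustration.

```python
"""Toy tiered-authorization model for an internal support tool.

Added example, not code from the thread or from Twitter. All tiers,
actions, factor names and users below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Tier -> authentication factors a session must actually present.
# Each tier is a superset of the one below it, so moving up never gets easier.
TIER_FACTORS = {
    1: {"password"},
    2: {"password", "totp"},
    3: {"password", "totp", "hardware_key"},
}

# Action -> (minimum tier, second approver required?)
ACTIONS = {
    "view_profile":   (1, False),
    "reset_password": (2, False),
    "change_email":   (3, True),
    "disable_2fa":    (3, True),
}


@dataclass
class Session:
    user: str
    tier: int
    factors: set = field(default_factory=set)  # factors proven this session


@dataclass
class Decision:
    allowed: bool
    reason: str


def tiers_are_monotonic():
    """Sanity check: every tier demands everything the tier below demands."""
    tiers = sorted(TIER_FACTORS)
    return all(TIER_FACTORS[lo] < TIER_FACTORS[hi]
               for lo, hi in zip(tiers, tiers[1:]))


def fully_authenticated(session):
    """True only if the session holds every factor its tier requires."""
    return not (TIER_FACTORS[session.tier] - session.factors)


def authorize(session, action, approver=None):
    """Decide whether `session` may perform `action`, optionally with an approver."""
    if action not in ACTIONS:
        return Decision(False, "unknown action")
    min_tier, needs_approver = ACTIONS[action]
    if session.tier < min_tier:
        return Decision(False, f"tier {session.tier} below required tier {min_tier}")
    # A phished password alone is not enough: the tier label means nothing
    # unless all of that tier's factors were presented in this session.
    missing = TIER_FACTORS[session.tier] - session.factors
    if missing:
        return Decision(False, f"missing factors: {sorted(missing)}")
    if needs_approver:
        if approver is None:
            return Decision(False, "second approver required")
        if approver.user == session.user:
            return Decision(False, "approver must be a different person")
        if approver.tier < min_tier or not fully_authenticated(approver):
            return Decision(False, "approver not fully authenticated at required tier")
    return Decision(True, "ok")


def attacker_reach(captured):
    """Every action reachable with a set of captured sessions, including by
    pairing two captured sessions as requester and approver."""
    reach = set()
    for s in captured:
        for action in ACTIONS:
            if authorize(s, action).allowed:
                reach.add(action)
            for a in captured:
                if authorize(s, action, approver=a).allowed:
                    reach.add(action)
    return reach


if __name__ == "__main__":
    # Constructed scenario: passwords phished from one agent at each tier,
    # as in the chain of phone calls described above (no TOTP, no hardware key).
    phished = [
        Session("agent1", 1, {"password"}),
        Session("agent2", 2, {"password"}),
        Session("lead1", 3, {"password"}),
    ]
    print("tiers monotonic:", tiers_are_monotonic())
    print("attacker can perform:", sorted(attacker_reach(phished)))
```

With only passwords captured, `attacker_reach` returns just the tier-1 action: the higher-tier logins are refused for missing factors, and the approver rule stops a single compromised tier-3 account from authorizing its own email change. Adding a phished TOTP code for `agent2` extends the reach to `reset_password` and no further, which is the point of making each step up strictly harder than the last.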
I work for a security-minded company that has, for the last 8 years, conducted its own phishing attempts internally. If you click on a linky, it's off to mandatory training you go.
It's been so successful that it's turned the workforce, of around 120K, slightly cynical, to the point where they even question official missives, which in itself has resulted in much better worded and branded emails.
The use of web conf apps and UC apps further adds to the security, with CLI being presented: I haven't had a phone on my virtual desk for at least 3 years.
TL;DR Twitter really needs to give itself a slap and hire some decent CSO to implement a strategy so this can be avoided in the future.
I've even managed to train my 71-year-old dad to be suspicious of nearly everything he receives, and he now engages with spam phone calls just to waste their time.
I recently got an email allegedly from Amazon. It stated that I didn’t have certain items filled in on my account, notably ‘business hours’ and an associated ‘business phone’. I was supposed to click here to update the account. They needed the info to ‘ensure delivery’. I found this to be quite interesting. In the first place, while I do have a business account, the email went to my personal account. In the second place, I’ve had that account for over two decades, and have had delivery problems exactly once in that time; Amazon sent a package to a similar address two states away. If they had had ‘business hours’ and a ‘business phone’ they still would have messed that up. In the third place, my personal account has had the delivery address changed three times, the last over a decade ago, in the time I’ve had it, and I was never asked about providing a ‘business phone’ or ‘business hours’ before. And, in the fourth place, there’s that whole ‘click here’ bit.
I contacted Amazon, using the chat because it’s amazingly difficult to find a phone number for Customer Support. The guy on chat said that the email was legitimate, and that Amazon needed the info or they wouldn’t be responsible for missed deliveries. He had no idea what ‘phishing’ was. I insisted that there was a problem. He got someone to phone me. The girl on the phone had no idea what phishing was, either, insisting that the email was legitimate, but conceded that it was ‘optional’ for personal accounts.
They have not the least clue. I wonder how many others have received similar emails and just clicked here. And how many of those didn’t actually get the email from Amazon.
50-something, former minister, remainer, Kent MP, nice guy. Breadcrumbs that show anonymisation is futile.
The police said the arrestee was in their 50s. Normally they'd say 52 even if they don't name them.
There is another tech angle - Clark is a critic of Huawei.