Twitter just suffered the biggest cyber-attack in its history. But is it being set up for something bigger?
When a Twitter employee or employees—wittingly or unwittingly, it is still not clear—provided hackers with access to the company’s internal computer dashboard, they gave hackers a window to hijack dozens of prominent Twitter accounts to launch a Bitcoin scam.
Scammers convinced Twitter users to send more than $100,000 worth of Bitcoin to a fake account, using the accounts of prominent politicians, businesspeople, and entertainers, including former Vice President Joe Biden, former President Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Kanye West, and Kim Kardashian West.
While the cyber-attack didn’t actually drain money away from Twitter, the company’s reputation took a hit, the FBI launched an investigation, and its stock price dipped. On Thursday, the Treasury Department’s Financial Crimes Enforcement Network issued an advisory for financial institutions on the scam. While only generating about 10 percent of the world’s daily social media traffic, Twitter has an outsized influence on national and world events because so many prominent newsmakers use the platform regularly (ahem, @realDonaldTrump). The damage could come later, if Twitter’s cyber-security vulnerabilities lead users to question the authenticity of the tweets they read.
“Are people going to second-guess if their account has been hacked? Are they going to wonder what information is being put out by these high value accounts?” asked Jose Ramos, senior principal consultant for ACA Aponix, a division of ACA Compliance Group, a cyber-security and risk consultant. “This attack has put Twitter in a bad light.”
Ramos said he cannot be sure but suspects Wednesday’s hack was a smokescreen for something bigger.
“Many attackers do this, they make a lot of noise in one area, and then, they slip through the back door somewhere else,” he said. “Was this a one-time event? Or were they able to plant something where they can come back six months later?”
This is not the first time Twitter has had security issues. Last year, hackers briefly took over CEO Jack Dorsey’s account, and in 2017, a Twitter employee briefly deleted President Donald Trump’s Twitter account. This hack is the latest and the largest.
This week’s successful attack on Twitter used spear phishing, in which hackers target specific employees to gain access to an organization. The hackers reportedly bragged about their tactics to Motherboard, a blog on Vice, an online news website.
“The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard,” the story said.
Spear phishing is one kind of social engineering cyber-attack, according to Webroot, a cyber-security vendor.
“Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software—that will give them access to your passwords and bank information as well as giving them control over your computer,” Webroot wrote in a blog item.
Robert Tharle, head of fraud strategy at NICE Actimize, a financial crime and compliance vendor, said social engineering attacks “can wreak havoc on an organization, causing reputational and financial damage.” Small firms are just as vulnerable as larger ones, he said.
“While the Bitcoin scams here have victims, these weren’t the most sophisticated, but we are seeing these types of attacks every day, across the globe, costing billions of dollars. These have increased due to COVID-19,” he said.
Takeaways from the Twitter hack
First, it’s beyond late to get proactive with your cyber-hygiene. According to the Cyber Threat Alliance, a group that facilitates information sharing among cyber-security professionals, start by tightening up cyber-security protocols with remote workers.
Then, don’t make the mistake of assuming all cyber-attacks come from outside your organization. So many companies overemphasize external attacks and overlook risks associated with attacks from within, Ramos said.
Start by learning about how vulnerable your internal controls are. That can be done with internal penetration testing, in which a consultant tests and evaluates your internal controls, assesses them for vulnerabilities, and recommends solutions.
Gidi Cohen, CEO of Skybox Security, a cyber-security and compliance vendor, says companies should apply “the principle of least privileges, limiting access to only those who absolutely need it, and monitoring to ensure access policies continue to be adhered to as the network lives and breathes. It limits the risk of who can be manipulated or exploited for the cyber-criminal’s gains.”
In the case of the Twitter hack, each employee who has access to this internal tool should be asking a supervisor for permission each time they access it. These access points should be continuously monitored to determine which employees are accessing them, Ramos said.
If a cyber-attack occurs, bring in a forensics team that can track all the places a hacker moved through your system—to determine not only what they stole, but what they left behind.
“You don’t want to let them easily get back into your system,” Ramos said.
Ramos said he would not recommend monitoring the employees themselves, due to privacy concerns. Instead, create a robust monitoring system that watches access points to key control systems. The system should fire off an alert if the access point is improperly accessed—be it from an outside attack or from an unauthorized employee.
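The per-access approval and access-point monitoring described above can be expressed as a check over an internal tool's audit log. The following is an added example, not from the article or from Twitter; the log layout, user names, the `corp-vpn` source label, and the 30-minute single-use approval window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not from any real system).
AUTHORIZED = {"alice", "bob"}           # employees allowed to use the tool
TRUSTED_SOURCE = "corp-vpn"             # assumed label for the expected network path
APPROVAL_TTL = timedelta(minutes=30)    # assumed policy: one approval, one access, 30 min

APPROVALS = [  # (requester, supervisor, granted_at)
    ("alice", "carol", "2024-01-10T14:00:00"),
    ("bob", "bob", "2024-01-10T15:00:00"),        # self-approval must not count
]
ACCESS_LOG = [  # (user, source, accessed_at) as written by the tool's access point
    ("alice", "corp-vpn", "2024-01-10T14:05:00"),
    ("alice", "corp-vpn", "2024-01-10T14:10:00"),  # approval already used
    ("bob", "corp-vpn", "2024-01-10T15:02:00"),
    ("mallory", "corp-vpn", "2024-01-10T16:00:00"),
    ("alice", "external", "2024-01-10T18:00:00"),
]

def find_improper_access(access_log, approvals, authorized, ttl=APPROVAL_TTL):
    """Return (user, time, reason) alerts for accesses that break the policy."""
    unused = [(r, s, datetime.fromisoformat(t)) for r, s, t in approvals]
    alerts = []
    for user, source, ts in sorted(access_log, key=lambda e: e[2]):
        when = datetime.fromisoformat(ts)
        if user not in authorized:
            alerts.append((user, ts, "user not authorized for tool"))
            continue
        if source != TRUSTED_SOURCE:
            alerts.append((user, ts, "access from unexpected source"))
            continue
        # A valid approval is for this user, granted by someone else,
        # issued before the access and still inside the time window.
        match = next((a for a in unused
                      if a[0] == user and a[1] != user
                      and timedelta(0) <= when - a[2] <= ttl), None)
        if match is None:
            alerts.append((user, ts, "no valid supervisor approval"))
        else:
            unused.remove(match)  # each approval covers exactly one access
    return alerts

if __name__ == "__main__":
    for alert in find_improper_access(ACCESS_LOG, APPROVALS, AUTHORIZED):
        print(alert)
```

The check reads only the tool's own access records, so it watches the access point rather than the employees' wider activity.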
There are lots of great tools that can monitor your system for possible attacks.
“Education of users and up-to-date security policies play a key part in preventing these attacks,” Tharle said, “but utilizing data and machine learning to detect unusual transactions at banks and payment providers can help reduce the losses and impact on businesses and consumers.”