A social engineering attack enabled hackers to penetrate Twitter’s administrative systems and hijack high-profile accounts, illustrating the far-reaching impact of cybersecurity lapses.

Key points

  • Authorities are probing a Twitter hack that hijacked the accounts of top politicians and business leaders and posted fraudulent messages asking for cryptocurrency donations.
  • According to Twitter, the hack started with a social engineering attack that compromised administrative accounts.
  • The scam highlights the need for appropriate internal security controls, coupled with security awareness training to identify and prevent sophisticated social engineering attacks.

In one of the most extraordinary and high-profile cyberattacks ever made public, hackers on July 15 compromised Twitter’s administrative systems and hijacked the social media accounts of prominent politicians and business leaders. The attackers then used those accounts to masquerade as the victims and request donations in Bitcoin.

“I am giving back to the community,” they tweeted. “All Bitcoin sent to the address below will be sent back doubled!”[1] During the first 24 hours, the tweets reportedly pulled in more than 400 transactions worth over $121,000 in Bitcoin and Ripple, another cryptocurrency.[2]

Twitter said it was the victim of “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” The compromise enabled fraudsters to take control of these accounts and tweet on their behalf, the company said.[3]

The attack highlights the need for appropriate internal controls, as well as security awareness training to enable employees to identify and prevent sophisticated social engineering attacks, said Francis Gaffney, Director of Threat Intelligence at Mimecast. “Social engineering attacks are usually quite sophisticated, and can involve substantial pattern-of-life analysis, including research of the target to craft specific bespoke lures,” he said.

“Appropriately managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon,” Gaffney added. “These need to change to prevent further successful attacks like this one, which can cause massive reputational damage for any company.”

Top Public Figures Targeted

The hackers used their administrative access to hijack the accounts of political figures such as former President Barack Obama, former New York City Mayor Michael Bloomberg and presidential candidate Joe Biden. The cybercriminals also hacked the accounts of corporate figures including Tesla CEO Elon Musk, Amazon CEO Jeff Bezos, Berkshire Hathaway founder Warren Buffett, Microsoft founder Bill Gates and the corporate accounts of Apple and Uber.[4]

In a statement, Twitter said it locked down the affected accounts and removed the tweets.[5] The company also said that internally, it had taken significant steps to limit access to internal systems and tools while it investigated the problem.

However, while the platform was carrying out its investigation, it also froze other accounts that were not compromised. As a result, some influencers, celebrities and other users of the social network were prevented from tweeting or changing their passwords.[6] Twitter said it regained control of the compromised accounts within two hours, acknowledging that the disruption caused by the freeze was significant but “an important step to reduce risk.”[7]

The attack raised the hackles of a number of Twitter users, including some who questioned why Twitter employees apparently had access privileges that enabled attackers to take over user accounts and use them to send tweets.

Further complicating the picture of how the attack may have unfolded, Vice News reported that it had communicated with two of the cybercriminals, one of whom said a Twitter insider had not only facilitated access to the system but had also been paid.[8]

Fallout Includes Reputational Damage

The potential for additional reputational damage was highlighted within hours of the Twitter hack, when the FBI was reported to be investigating the hack.[9] New York Governor Andrew Cuomo announced that the state’s Department of Financial Services will investigate, too.

“The Twitter hack and widespread takeover of verified Twitter accounts is deeply troubling,” Cuomo said, noting it “raises concerns about the cybersecurity of our communications systems, which are critical as we approach the upcoming presidential election.”[10]

Security Awareness Training is Key

The episode shone a spotlight on the dangers of social engineering attacks, as well as the potential impact of insider threats—whether unintentional or deliberate. 

As Mimecast’s Gaffney pointed out, social engineering attacks can be extremely sophisticated and carefully researched, and are mostly carried out for financial gain. “The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favorite restaurants, hobbies, sporting or musical interests,” he said.

The Mimecast State of Email Security 2020 survey found that 60% of companies have experienced an increase in impersonation fraud, which uses social engineering methods, over the last year.[11] “Human error is required for these attacks to be successful, which highlights the importance of regular cyber awareness training to increase employees’ knowledge about the methodologies used by threat actors,” said Gaffney.

However, many companies are leaving themselves vulnerable, he added. Among companies surveyed by Mimecast around the world, 55% do not provide awareness training on a frequent basis, and only 21% of companies offer monthly training.

The Bottom Line

The Twitter hack illustrates the far-reaching repercussions of cybersecurity lapses. Social engineering attacks can cause serious problems for even the most technologically sophisticated companies, highlighting the need for appropriate internal controls combined with effective security awareness training.

[1] “Twitter Accounts of Notable Users Hacked in Bitcoin Scam,” New York Magazine

[2] “Twitter hackers who targeted Elon Musk and others received $121,000 in bitcoin, analysis shows,” CNBC.com

[3] Statement from Twitter

[4] “Twitter Accounts of Notable Users Hacked in Bitcoin Scam,” New York Magazine

[5] Statement from Twitter

[6] Twitter statements

[7] Twitter statements

[8] “Hackers convinced Twitter employee to help them hijack accounts,” Vice

[9] “Exclusive: U.S. FBI is leading an inquiry into the Twitter Hack, sources say,” Reuters

[10] “Governor Cuomo directs state to conduct full investigation of Twitter hack,” NY press release

[11] “The State of Email Security 2020,” Mimecast
