Incident Of The Week: The Infamous Twitter Attack And What Enterprises Can Learn From It

5 Lessons Learned From The Breach


Seth Adler
07/24/2020

[Records Exposed: 45 Verified Twitter Accounts  |  Industry: Internet  |  Type Of Attack: Internal/SIM Swapping/Social Engineering]

As Twitter continues its attempt to unravel the complexity and nuances of the attack, a broader story of SIM swapping and social engineering emerges.

The Facts:

On July 15 at around 3:00 PM, several compromised high-profile Twitter accounts tweeted a message encouraging their audience to donate bitcoin to “the community,” with a donation link included. The hackers made off with about $120,000, small potatoes considering the access they had, but the potential for worldwide damage from this hack, and that is no exaggeration, must not go unnoticed.

Forty-five verified Twitter accounts were compromised in total, including the accounts of Barack Obama, Elon Musk, Jeff Bezos, Michael Bloomberg, Kim Kardashian, the official Apple account (whose first tweet ever was the scam tweet) and a Dutch politician. The direct messages of 36 out of the 45 accounts were also accessed. Astonishingly, despite promises over the years to do so, Twitter DMs aren’t encrypted.

In today’s political climate, where threats of war between politicians take place through Twitter and political and economic posturing quite literally changes the socioeconomics of the world, the damage that could have been done by accessing these direct messages is as obvious as it is frightening. The hack itself was quick and dirty, but the underlying implications serve as a warning to governments, enterprises, and perhaps most important, Twitter itself.

However, luckily for us, the actors behind the hack appear to be in their late teens and early twenties. As the story unfolds, it seems that the motivation behind the hack was street cred, or, more accurately, underground online community cred. To fully understand what that means is to understand the value of “OG Twitter handles,” how the messaging app Discord works, and the power of social engineering. At the risk of using two clichés at once, pulling back this curtain leads to a rabbit hole of epic proportions.

In order to stay on track, the rest of this article is focused on how the hack happened and what your enterprise can do to prevent something similar.

SIM Swapping

SIM swapping is a technique cybercriminals use to bribe, coerce, or hack internal employees into providing access to a specific individual’s mobile phone or social media account. In some instances, social engineering tactics are used. Social engineering is the psychological manipulation of employees into divulging such credentials. A spear phishing scheme that convinces an employee to reset a password by posing as the account holder is one example.

Related: Members Of U.S. Congress Seek FCC Assistance On Sim Swapping Rules And Education

In the case of the Twitter hack, it appears that an internal employee was paid; whether with the aforementioned street cred or with money remains to be determined. First, the internal employee changed the email addresses associated with each account. Next, they turned off two-factor authentication, which sent an alert to the new email address now controlled by the hackers. From there, the hackers promoted their Bitcoin scam.

Lessons Learned:

Twitter learned the hard way that privileged access management specifically, and Zero Trust philosophically, is a necessity moving forward. That is, no employee should be permitted access to data, tools, or controls that fall outside the scope of their job. Additionally, before privilege elevation, an employee should be required to formally request an access ticket that lays out what they need access to, why, and for how long. IT service management platforms can then systematically control and audit the approval process. This also works as a deterrent against internal malicious activity, as the employee is aware that their actions are being traced.
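The request-approve-audit flow described above, as an added illustration that is not Twitter’s tooling or code from the original article. It assumes a hypothetical internal tool named `account-support-console`, a policy maximum of four hours per grant, and a rule that the requester cannot approve their own ticket; a privileged action is allowed only while an approved, unexpired grant covers that exact tool, and every decision is written to an audit trail.

```python
"""Just-in-time privileged access with a ticketed approval flow and audit trail.

Added illustration (not Twitter's tooling): an employee opens a request naming
the tool, the justification and a duration; a different person approves it;
the privileged action is permitted only while an approved, unexpired grant
covers that tool; every request, approval, allow and deny is logged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class AccessRequest:
    ticket_id: str
    requester: str
    tool: str                       # hypothetical tool name, e.g. "account-support-console"
    justification: str
    duration: timedelta
    approved_by: Optional[str] = None
    granted_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """A grant is active only after approval and before its window closes."""
        return self.granted_at is not None and now < self.granted_at + self.duration


class PrivilegeBroker:
    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        self.max_duration = max_duration       # assumed policy ceiling per grant
        self.requests: Dict[str, AccessRequest] = {}
        self.audit: List[dict] = []            # append-only audit trail
        self._counter = 0

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def request(self, requester, tool, justification, duration, now) -> AccessRequest:
        if duration > self.max_duration:
            raise ValueError("requested window exceeds policy maximum")
        self._counter += 1
        req = AccessRequest(f"REQ-{self._counter}", requester, tool, justification, duration)
        self.requests[req.ticket_id] = req
        self._log("requested", ticket=req.ticket_id, user=requester, tool=tool,
                  why=justification, minutes=int(duration.total_seconds() // 60))
        return req

    def approve(self, ticket_id, approver, now) -> None:
        req = self.requests[ticket_id]
        if approver == req.requester:          # separation of duties
            self._log("rejected_self_approval", ticket=ticket_id, user=approver)
            raise PermissionError("requester cannot approve their own ticket")
        req.approved_by = approver
        req.granted_at = now
        self._log("approved", ticket=ticket_id, by=approver,
                  until=(now + req.duration).isoformat())

    def authorize(self, user, tool, action, now) -> bool:
        """Allow a privileged action only under an active grant for this exact tool."""
        grant = next((r for r in self.requests.values()
                      if r.requester == user and r.tool == tool and r.active(now)), None)
        allowed = grant is not None
        self._log("allowed" if allowed else "denied", user=user, tool=tool,
                  action=action, ticket=grant.ticket_id if grant else None)
        return allowed


def demo():
    """Walk one ticket through its life cycle; returns the four decisions and the audit log."""
    t0 = datetime(2020, 7, 15, 14, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = PrivilegeBroker()
    # No ticket yet: the sensitive action is denied and the attempt is recorded.
    denied = broker.authorize("alice", "account-support-console", "change_email", t0)
    req = broker.request("alice", "account-support-console",
                         "customer locked out, needs email reset", timedelta(hours=1), t0)
    try:
        broker.approve(req.ticket_id, "alice", t0)   # self-approval is refused
    except PermissionError:
        pass
    broker.approve(req.ticket_id, "bob", t0)
    during = broker.authorize("alice", "account-support-console", "change_email",
                              t0 + timedelta(minutes=30))
    expired = broker.authorize("alice", "account-support-console", "change_email",
                               t0 + timedelta(hours=2))
    other_tool = broker.authorize("alice", "ads-console", "export",
                                  t0 + timedelta(minutes=30))
    return denied, during, expired, other_tool, broker.audit


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

Two design points carry the weight here: the grant is scoped to one tool and one time window, so an approved ticket for the support console says nothing about other consoles or about next week, and the deny events are logged alongside the allows, which is what gives an investigator the timeline after the fact.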

Related: CISO Perspectives: Zero Trust, Secure Access, And What’s Next

Taking things a step further, Twitter and other large organizations prone to these types of attacks may want to consider deploying an AI solution that follows user behavior and risk factors. A machine learning tool like this may be able to spot red flags such as an employee logging in from a different location or device, or at an unusual time.
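A minimal version of that behavioral check, added here as an example and not part of the original article or of any Twitter system: it builds a per-operator baseline of locations, devices and working hours from constructed historical admin-tool log lines, scores new events against it, and also flags the specific sequence the article describes, an account’s email being changed and then two-factor authentication being disabled shortly afterwards by the same operator. Operator names, locations, device IDs, account IDs and the pipe-delimited log format are all constructed for the example.

```python
"""Behavioral baseline check for privileged-tool activity plus a risky-sequence rule.

Added example (not Twitter's tooling). Baseline: the locations, devices and
hours an operator has previously been seen using the admin tool. Red flags:
a new location, a new device, an unusual hour, and the pairing of
change_email followed by disable_2fa on the same target within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines: timestamp|operator|location|device|action|target
HISTORY = """\
2020-07-01T14:05:00|alice|Boulder|laptop-A|view_account|acct-1001
2020-07-02T15:20:00|alice|Boulder|laptop-A|reset_password|acct-1002
2020-07-06T13:40:00|alice|Boulder|laptop-A|view_account|acct-1003
2020-07-08T16:10:00|alice|Boulder|laptop-A|view_account|acct-1004
2020-07-09T14:55:00|alice|Boulder|laptop-A|change_email|acct-1005
""".splitlines()

NEW_EVENTS = """\
2020-07-15T02:10:00|alice|Lagos|unknown-phone|change_email|acct-2001
2020-07-15T02:12:00|alice|Lagos|unknown-phone|disable_2fa|acct-2001
2020-07-15T14:30:00|alice|Boulder|laptop-A|view_account|acct-2002
""".splitlines()


def parse(line: str) -> dict:
    ts, user, loc, dev, action, target = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "loc": loc,
            "dev": dev, "action": action, "target": target}


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per operator: the set of locations, devices and hours seen in history."""
    base = defaultdict(lambda: {"locs": set(), "devs": set(), "hours": set()})
    for e in map(parse, lines):
        b = base[e["user"]]
        b["locs"].add(e["loc"])
        b["devs"].add(e["dev"])
        b["hours"].add(e["ts"].hour)
    return base


def score_event(e: dict, baseline: Dict[str, dict]) -> List[str]:
    """Return the red flags an event raises against its operator's baseline."""
    b = baseline.get(e["user"])          # .get() does not create a default entry
    if b is None:
        return ["no_baseline_for_operator"]
    flags = []
    if e["loc"] not in b["locs"]:
        flags.append("new_location")
    if e["dev"] not in b["devs"]:
        flags.append("new_device")
    # One hour of slack either side of the hours previously observed.
    if not any(abs(e["ts"].hour - h) <= 1 for h in b["hours"]):
        flags.append("unusual_hour")
    return flags


def find_takeover_sequences(events: List[dict], window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Targets where one operator changed the email and then disabled 2FA within `window`."""
    hits = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["target"])].append(e)
    for (_, target), evs in by_key.items():
        evs.sort(key=lambda x: x["ts"])
        for i, a in enumerate(evs):
            if a["action"] != "change_email":
                continue
            if any(b["action"] == "disable_2fa"
                   and 0 <= (b["ts"] - a["ts"]).total_seconds() <= window.total_seconds()
                   for b in evs[i + 1:]):
                hits.append(target)
    return hits


def analyze(history: List[str] = HISTORY, new: List[str] = NEW_EVENTS):
    """Score each new event and report any change_email -> disable_2fa pairs."""
    baseline = build_baseline(history)
    events = [parse(line) for line in new]
    per_event = [(e["action"], e["target"], score_event(e, baseline)) for e in events]
    return per_event, find_takeover_sequences(events)


if __name__ == "__main__":
    scored, sequences = analyze()
    for action, target, flags in scored:
        print(action, target, flags or "ok")
    print("takeover-pattern targets:", sequences)
```

On the constructed input the two night-time events from an unknown device in an unfamiliar city each raise three flags, the afternoon event from the usual laptop raises none, and the email-change-then-2FA-disable pair on the same account is reported as a sequence. In practice the sequence rule is the higher-fidelity signal: a legitimate support operator has little reason to perform both actions on one account minutes apart.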

While the exchange of money is yet to be verified, there has been a recent uptick in SIM swapping attacks and bribery since COVID-19. The Twitter attack will likely embolden other hackers to target internal employees whom they deem vulnerable to the temptation of a cash payout. This threat isn’t exclusive to large enterprises either. MSBs are also at risk.

Quick Tips:

Especially during these economically difficult times, no one is immune from SIM swapping attacks and the general threat of social engineering and employee bribery. Here are a few quick tips to keep your organization safe:

  • Adopt a Zero Trust strategy.
  • Monitor employee accounts for unusual activity.
  • Enact an approval policy where employees must ask permission for certain tasks, such as using file sharing websites or downloading large amounts of data.
  • Provide ongoing training to employees on how to properly handle confidential information, the company’s data policy, and perhaps most important, the consequences for noncompliance.

As for Twitter, they promised to do better, pledging to enact some of the strategies in this article and adding, “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry.”
