A Great Example of Social Engineering

Come to Wyoming’s Cybersecurity Conference, held virtually on the mornings of October 5-7, to find out more about social engineering. Galen Gough, IT Director for Jonah Bank, will give an interactive demonstration on social engineering. Find out what trampolines, kids and social engineering have in common! It will be entertaining!

And now, from Chris Bonatti, President of IECA of Casper, a look at a great example of social engineering aimed at Twitter employees.

High Profile Hack of Twitter Leverages High Profile Accounts

The world was stunned last month when, on 15 July, the Twitter accounts of several high-profile users were hacked. The accounts involved included those of Bill Gates, Jeff Bezos, Elon Musk, Joe Biden, and Barack Obama. The corporate accounts of Apple and Uber were also compromised. A total of 130 accounts were said to have been targeted. Some 36 of these accounts were then used to launch a scam that urged people to send Bitcoin, with a promise to double their money. The scam traded directly on the reputations of the accounts used. Reported figures for the total taken have varied, but the best estimate came from the Bitcoin exchange Binance, which analyzed the blockchain and identified about a quarter of a million dollars’ worth of transactions associated with the scam.

The techniques used in the hack were diverse, but centered on a social engineering attack in which the attackers reportedly gained access to a private Twitter Slack channel where credentials for internal administration tools had been pinned. Those tools unlocked a so-called “god mode” interface that could act on any account. Twitter has not confirmed this account of events, but former Twitter employees told members of the press that access control on such tools is quite lax, with as many as 1,000 Twitter employees having access to the credentials. Later disclosures indicated that the hackers had also read the private Direct Message (DM) inboxes of at least eight of the compromised accounts, which further raised the privacy concerns of high-profile users.

The intense coverage of this incident was driven largely by the high-profile identities of the targeted accounts. Nonetheless, several long-term security lessons should be evident.

  1. Most cyber-attacks begin with a phishing email, but you must be alert for other forms of social engineering, including approaches over chat tools and the telephone.
  2. Strong authentication is of no avail if it can be bypassed through a back-door management interface with “god mode” privileges.
  3. Access to critical management tools should be tightly restricted according to the principle of least privilege, and shared credentials should never be posted where a large group can read them.
  4. Reputation, too, is an asset that can be stolen or damaged by cyber-attackers.
  5. Even if you do not use Twitter, your reputation could be damaged by an account squatter impersonating you.

Register to Receive the Tech Joke of the Week!

This Week's Joke:

How many programmers does it take to change a light bulb?

None; it’s a hardware problem!
