Devious criminal schemes in which the protagonists pull off a near-impossible heist should remain in the realm of fiction. Such stories are fun to read or watch only when they happen in a made-up world. However, exactly this kind of criminal stunt happened on 15 July 2020.
A group of hackers in their late teens or early twenties gained unauthorized access to at least forty-five high-profile accounts, including those of Jeff Bezos, Elon Musk and Barack Obama. They did this by obtaining the credentials of a group of Twitter employees. Allegedly, these employees were bribed; others suggest that they were coerced or hacked.
The hackers then tweeted from the compromised accounts, urging followers to send bitcoin via a link. The scam caused relatively small financial damage, netting them $120,000.
This scam should not have been possible
Several underlying weaknesses in Twitter's employee policies and internal systems were exploited in the process.
Firstly, the story reveals that Twitter employees had access to an internal support system in which a user's email address could be changed and two-factor authentication switched off at will. By posing as the account owner through this tool, the attackers bypassed an entire wall of security controls; such easy backdoor access seems like child's play indeed.
Secondly, this social engineering attack, carried out simultaneously across multiple accounts, did not raise an alarm fast enough for Twitter's systems to detect that something was amiss. The attack lasted only a few hours, and the hackers did not intend to walk off with more money than they got. Yet many would agree that it could have been far worse.
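As an added illustration of the detection gap just described (example code, not from the original post and not Twitter's tooling), the following Python runs two checks over a constructed audit log of a hypothetical internal support tool: one flags an operator who performs sensitive recovery actions on several distinct accounts within minutes, the other flags the email-change plus 2FA-disable sequence on a single account. The log format, operator names, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed audit log of a hypothetical internal support tool (not Twitter's real tool).
# Fields: ISO timestamp, operator, action, target account. All values are made up.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z op_alice change_email @acct_a
2020-07-15T20:02:45Z op_alice disable_2fa @acct_a
2020-07-15T20:03:12Z op_alice change_email @acct_b
2020-07-15T20:03:50Z op_alice disable_2fa @acct_b
2020-07-15T20:04:30Z op_alice change_email @acct_c
2020-07-15T20:06:20Z op_bob change_email @acct_d
2020-07-15T23:40:00Z op_bob disable_2fa @acct_d
"""
SENSITIVE = {"change_email", "disable_2fa"}  # support actions that bypass the owner's 2FA

def parse_log(text):
    """Return (timestamp, operator, action, account) tuples, oldest first."""
    rows = (line.split() for line in text.splitlines())
    return sorted((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), op, act, acct) for ts, op, act, acct in rows)

def detect_bulk_recovery(events, window=timedelta(minutes=10), max_accounts=2):
    """Flag operators who touch more than max_accounts distinct accounts with sensitive
    actions inside any sliding window of the given length. Returns {operator: accounts}."""
    per_op = defaultdict(list)
    for ts, operator, action, account in events:
        if action in SENSITIVE:
            per_op[operator].append((ts, account))
    alerts = {}
    for operator, hits in per_op.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # drop hits older than the window
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) > max_accounts:
                alerts.setdefault(operator, set()).update(accounts)
    return alerts

def detect_takeover_pairs(events, window=timedelta(minutes=30)):
    """Flag (operator, account) pairs where the same operator changed the email and
    disabled 2FA on one account within window: the classic takeover sequence."""
    seen, pairs = defaultdict(dict), set()  # (operator, account) -> {action: time}
    for ts, operator, action, account in events:
        if action in SENSITIVE:
            times = seen[(operator, account)]
            times[action] = ts
            if len(times) == 2 and max(times.values()) - min(times.values()) <= window:
                pairs.add((operator, account))
    return pairs
```

On the sample log, op_alice is flagged by both checks while op_bob, whose two actions on one account are hours apart, is flagged by neither; in production the thresholds would be tuned against the normal rate of legitimate support work.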
Phishing is caused by human error
Unfortunately, phishing can succeed without any malicious insider. In an organization with hundreds of employees, it is unlikely that everyone is alert to possible phishing attacks at every moment they access the company's systems.
Phishers, for example, can create fake login pages that bear an uncanny resemblance to the ones employees are used to seeing. Under a busy work schedule, employees are unlikely to notice that something is out of the ordinary.
A single compromised user account is potentially enough to cause further damage to brands, communications, or trust among employees and customers through social engineering. It is therefore crucial to educate internal members continually so that they do not fall for the increasingly frequent phishing attacks.
At Xynexis, although our security and penetration testing has helped many companies patch weaknesses in their systems, focusing on technical cyber defense alone is not enough. Learning from Twitter's mistakes and those of countless phishing victims, we encourage organizations to hold periodic sessions that educate employees and build their cyber security awareness. This can be done through the Xynexis IGNITE training facility.
To learn more about cyber security awareness, visit Xynexis IGNITE.