The weakest link in all of security is the human being.
That was the method used in the recent Twitter attack, which compromised multiple high-profile accounts and exposed Direct Messages those accounts had sent. Several Twitter employees were targeted with phone-based spear phishing.
If you are unfamiliar with the term, a spear phishing attack is a phishing attack aimed precisely at particular people in order to accomplish a specific goal; in this case, the goal was to compromise Twitter accounts.
Once the attackers had successfully phished some of the Twitter employees, they were able to pivot internally, observe internal system processes, identify employee accounts that had access to the account support tools, and use those logins to compromise 130 Twitter accounts.
The attackers used 45 of those accounts to scam their followers out of roughly $117,000 in bitcoin. They also accessed the direct messages of 36 accounts and downloaded all of the Twitter data for 7 accounts. They then posted from accounts including those of Jeff Bezos, Barack Obama, Elon Musk, Michael Bloomberg and Warren Buffett, offering to double any bitcoin sent to them. The tweets garnered approximately 13 bitcoin over 383 transactions in a 24-hour period.
The evidence indicates that these attackers have historically specialized in hijacking social media accounts via SIM swapping.
The SIM swapping community typically focuses on taking over "OG" accounts, that is, accounts with short, desirable handles such as @6 or @jack. Leading up to the attack, there was evidence that some in the SIM swapping community were offering, for a fee, to change the email address on any Twitter account, and, for a higher fee, to provide direct access to accounts.
By itself, access to the internal support tools and Twitter admin console does not let an attacker simply breach any account they want. The tool gives Twitter employees the ability to help users who have been locked out of their accounts, but the account still has to go through the normal password reset process, which sends an email to the address on the account.
However, that admin access also lets the employee, or an attacker using the employee's login, change the email address associated with the account and revoke its 2FA settings. The attackers changed the associated email address, turned off 2FA, and then triggered a password reset.
When an email address is changed in the Twitter support admin console, no notification is sent to the user, so the attackers could redirect the password reset to an email address of their choosing. With 2FA disabled as well, the owner of the account is completely unaware of the change. The one caveat, as the researcher Lucky225 (who controls Adrian Lamo's old accounts) discovered, is when a phone number is also associated with the account.
This is a challenge many companies face: once an attacker has internal access with legitimate credentials, they can, for the most part, disappear into normal activity. The only practical way to find such an attacker internally is to have excellent visibility tools and an advanced AI that learns what normal communication within the organization looks like and surfaces anomalous behavior.
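The takeover sequence described above (email address changed, 2FA revoked, password reset, with no notification to the account owner) is exactly the kind of pattern that the support console's own audit trail can be watched for, which is the "visibility" point made in the previous paragraph. The following is an added example, not code from the original post and not Twitter's or MixMode's own tooling. It assumes a hypothetical audit-log line format (`<timestamp> operator=<login> target=<account> action=<name>`), a hypothetical 30-minute window and a hypothetical per-operator threshold, and it runs over constructed sample events rather than real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class AuditEvent(NamedTuple):
    ts: datetime
    operator: str   # support-console login that performed the action
    target: str     # account acted upon
    action: str     # e.g. email_change, 2fa_disable, password_reset


# The order in which the takeover was carried out, as described in the text above.
TAKEOVER_SEQUENCE = ("email_change", "2fa_disable", "password_reset")
WINDOW = timedelta(minutes=30)       # assumption: a legitimate support case rarely needs all three this fast
ACCOUNTS_PER_OPERATOR_ALERT = 2      # assumption: one login completing the sequence on this many accounts is a red flag


def parse_line(line: str) -> AuditEvent:
    """Parse one line of the hypothetical audit format:
    '<ISO-8601 UTC> operator=<login> target=<account> action=<name>'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return AuditEvent(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                      fields["operator"], fields["target"], fields["action"])


def find_takeover_sequences(events: List[AuditEvent]) -> List[Tuple[str, str, datetime, datetime]]:
    """Return (target, operator, first_ts, last_ts) for every target account on which
    TAKEOVER_SEQUENCE occurred in order, by the same operator, within WINDOW."""
    by_target: Dict[str, List[AuditEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_target[ev.target].append(ev)

    hits = []
    for target, evs in by_target.items():
        for i, first in enumerate(evs):
            if first.action != TAKEOVER_SEQUENCE[0]:
                continue
            want = 1  # index of the next action we expect to see
            for ev in evs[i + 1:]:
                if ev.ts - first.ts > WINDOW:
                    break
                if ev.operator == first.operator and ev.action == TAKEOVER_SEQUENCE[want]:
                    want += 1
                    if want == len(TAKEOVER_SEQUENCE):
                        hits.append((target, first.operator, first.ts, ev.ts))
                        break
    return hits


def operators_to_alert(hits, threshold: int = ACCOUNTS_PER_OPERATOR_ALERT) -> Dict[str, List[str]]:
    """Group completed sequences by operator and return those who ran it on
    at least `threshold` distinct accounts (one reset is support work; many is not)."""
    per_operator: Dict[str, Set[str]] = defaultdict(set)
    for target, operator, _, _ in hits:
        per_operator[operator].add(target)
    return {op: sorted(t) for op, t in per_operator.items() if len(t) >= threshold}


# Constructed sample log, not real data. sup_04 helps one locked-out user the normal way
# (password reset only); sup_11 runs the full sequence on two accounts; the activity on
# @c_corp is out of order and the 2FA change falls outside the window, so it is not flagged.
SAMPLE_LOG = """\
2020-07-15T19:40:02Z operator=sup_04 target=@regular_user action=password_reset
2020-07-15T20:01:12Z operator=sup_11 target=@a_founder action=email_change
2020-07-15T20:01:40Z operator=sup_11 target=@a_founder action=2fa_disable
2020-07-15T20:02:05Z operator=sup_11 target=@a_founder action=password_reset
2020-07-15T20:05:30Z operator=sup_11 target=@b_politician action=email_change
2020-07-15T20:06:01Z operator=sup_11 target=@b_politician action=2fa_disable
2020-07-15T20:06:44Z operator=sup_11 target=@b_politician action=password_reset
2020-07-15T20:10:00Z operator=sup_09 target=@c_corp action=email_change
2020-07-15T20:11:00Z operator=sup_09 target=@c_corp action=password_reset
2020-07-15T21:30:00Z operator=sup_09 target=@c_corp action=2fa_disable
"""


def analyze(log_text: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Parse the log and return the operators that should be alerted on."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return operators_to_alert(find_takeover_sequences(events))


if __name__ == "__main__":
    for op, targets in analyze().items():
        print(f"ALERT: operator {op} completed the takeover sequence on {', '.join(targets)}")
```

The rule keys on the sequence and on the operator's fan-out rather than on any single action, because each action on its own is routine support work; the signal is the combination, and a compromised login that repeats it across dozens of accounts (130 in this incident) stands out quickly. A real deployment would also want to alert the account's previous email address and phone number on the first step, which removes the silence the attackers relied on.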
MixMode's advanced, third-wave Artificial Intelligence was designed to find anomalous behavior that would otherwise blend in with normal traffic, allowing a company to quickly and easily pin down anomalous behavior in network and cloud data, reduce false positives, and minimize the dwell time a hacker has if and when they gain access to internal systems.