Twitter Hijackers Used Well-Honed Fraudster PlaybookCustomer Service Representatives Have Long Been Targeted for Account Takeovers
The hijacking of more than 130 high-profile Twitter accounts last week is extraordinary in at least one respect: that it didn't happen sooner.
As online companies have improved their security protections to prevent account hijacking, attackers have looked for new ways to overcome those barriers. Many have turned to social engineering to gain an inside path, and Twitter says this is how attackers last week managed to hijack the accounts of multiple business executives, politicians and celebrities, including former Vice President Joe Biden, former President Barack Obama, Tesla CEO Elon Musk and Microsoft founder Bill Gates.
Although its investigation remains ongoing, Twitter says that the attackers "successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections."
By social manipulation, it's unclear if Twitter means that employees were tricked or rather - as some have suggested - if they may have willingly assisted the attackers (see: The Insider Threat: A Growing Concern).
A total of 130 accounts were targeted, Twitter says. Via Twitter's own internal tools, attackers were able to complete a password reset for 45 accounts, log into the accounts and use them to send tweets. Also, for up to eight non-verified accounts, Twitter says the attackers downloaded all of the information associated with the account using the "Your Twitter Data" tool, which would include direct messages and potentially sensitive information.
There is a lot speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.— Twitter Support (@TwitterSupport) July 18, 2020
Many of the seized accounts - including those for Obama, Biden, Musk and Gates - were then used to send tweets asking people to send bitcoin, in what was a very common-looking type of virtual currency scam.
As Twitter moved to lock down the problem, it froze numerous accounts, preventing many users from being able to tweet and/or to reset passwords, generating angry tweets from users in response.
Getting Inside Access
So how do attackers successfully pierce a well-resourced, billion-dollar company such as Twitter? Absent exploiting a software vulnerability, the answer is that they either need to trick an insider or recruit one.
Twitter hasn't specified if one or both of those specific tactics occurred. But Motherboard has reported that two sources who claim involvement in the attacks say that a Twitter employee was paid to help.
Recruiting an insider is a technique that has been long-used against telecommunication companies to hijack a phone number, also known as SIM swapping or SIM hijacking, says Allison Nixon, chief research officer at Unit 221B, a New York-based cybersecurity consultancy. SIM swapping or hijacking refers to the practice of transferring someone's phone number to another SIM card, often with the intention of capturing two-step verification codes sent by banks or other services, or resetting account passwords.
Last year, U.S. federal employees charged two former AT&T contractors and one Verizon employee with helping enable a SIM-swapping scheme aimed at compromising cryptocurrency accounts. The employee and contractors had allegedly been bribed (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
Large online and telecommunication companies often employ scores of employees to help their users resolve problems, such as being locked out of their account, Nixon says, and they're not well paid.
"There's a bit of an economic asymmetry here," Nixon tells Information Security Media Group. "You've got people who've got access to something with a black-market value that's way higher than their actual paycheck. So there will always be that tension even if people never break the rules."
Both insider recruitment and social engineering have been well-practiced by some users on a notorious forum called OGUsers, which is a marketplace and forum for a variety of digital goods. Also, OGUsers has previously been in the spotlight for SIM hijacking and SIM swapping scams. And last week, attention again turned to the forum, as early clues emerged there pointing to how the Twitter account takeovers might have taken place.
OGUsers: Again In Spotlight
OGUsers is hosted on the open web - anyone can register, and the site makes money from selling fraud-related tools and services.
As highlighted by security blogger Brian Krebs, screenshots emerged on OGUsers around the time of the Twitter account hijacking showing the tool that Twitter's customer service representatives use to change email addresses and reset accounts. Many screenshots were also posted to Twitter; most have been deleted.
A security expert who goes by the handle @Lucky225 recounted in a blog post how a separate account that he controlled - @6 - was taken over in the attacks. The @6 Twitter account formerly belonged to Adrian Lamo, who's known for having helped to report Chelsea Manning, the former U.S. Army analyst who leaked military documents to Wikileaks, to federal authorities. Lamo died in March 2018, and @Lucky225 writes that Lamo's father, Mario, has since allowed him to control most of Lamo's online accounts.
At some point - perhaps on Thursday - the @6 account was seized by someone else. @Lucky225 writes that it appears the internal Twitter tools allow an employee to change the email addresses connected with an account and then turn off two-step verification. The alert that the email address associated with an account has been changed goes to the new email address, which unfortunately means that a victim may remain unaware.
But if a phone number is associated with the account, an alert also gets sent over SMS to the number, which is how @Lucky225 discovered that Lamo's account had been hijacked. @Lucky225 says the @6 account was never used for the cryptocurrency tweet that appeared across the high-profile accounts. He believes there could be a group of people involved in the attack, possibly with differing intentions.
The OGUsers forum has been known as a marketplace for buying and selling stolen usernames. Short for "original gangster," OG names are desirable because they're short. Nixon says one-letter usernames are "the holy grail of the OG community."
That's in part what directed attention to OGUsers over the Twitter hack. @Lucky225 began tweeting about the @6 takeover, which preceded the flurry of cryptocurrency tweets from the high-profile accounts on Thursday, Nixon says.
"There are certain communities that care about this kind of thing [OG names], and it's not very many communities," she says.
Insider Recruitment: Growing Threat
The broader lesson for companies is that insider recruitment is an increasing threat. Professional gangs are starting to catch onto the techniques, which can include bribery and blackmail, Nixon says.
Twitter's travails point to the need for technology companies to take more steps to ensure employee administrator accounts are more secure, and also that they continue to train service reps to help detect and repel attempted recruitment by fraudsters, Nixon says.
Usually, successful recruitment will have been preceded by mass-messaging attempts, she says, so sharing information about such attempts remains critical to defending against them.
"We're going to see it grow and grow unless companies start to lock down insider recruitment," Nixon says. "It's just going to get worse and worse."
Executive Editor Mathew Schwartz contributed to this story.