In mid-June 2020, Twitter suffered the largest attack in its history. This article looks at what is known about the hack and examines court documents that shed light on how the suspects in this attack were arrested.
In mid-June 2020, Twitter suffered the largest attack in its history. Many accounts belonging to public figures, companies, and cryptocurrency exchanges were compromised. Among the victims were Bill Gates, Elon Musk, Jeff Bezos, Joe Biden, Barack Obama, Warren Buffett, Kanye West, Kim Kardashian, Apple and Uber, as well as the largest cryptocurrency exchanges CoinDesk, Binance and Gemini.
The attackers used their access to these top accounts in a very strange way: they announced a giveaway of unheard-of generosity and staged a fake distribution of bitcoins. The scammers followed the classic scam scheme: on behalf of famous people and large companies, they asked users to send them a small amount of cryptocurrency, promising to double any amount received and send it back.
Paradoxically, even in 2020 there were many people who believed that Bill Gates, Elon Musk and other well-known companies and personalities had suddenly started handing out bitcoins. In this way the scammers "earned" about 13 BTC, that is, about 120 thousand dollars.
Moreover, there could have been more victims if the large cryptocurrency exchanges had not blocked the attackers in time. For example, the Coinbase exchange prevented 1,100 of its clients from transferring 30.4 BTC, about 280 thousand dollars at the exchange rate of the time. Only 14 Coinbase users managed to send cryptocurrency to the scammers' address (about $3,000 in total) before its experts blacklisted it.
Other exchanges, including Gemini, Kraken and Binance, also reported that they blocked funds transfers to the hackers' wallet, although their users made far fewer transaction attempts than Coinbase users.
As of early August, the attack is known to have affected a relatively small number of accounts. The hack touched only 130 accounts, and for 45 of them the attackers successfully reset the passwords; it was on behalf of these accounts that the fraudulent messages were posted.
For seven more accounts, the attackers downloaded all available account content using the Your Twitter Data function. Interestingly, none of these seven accounts were verified (none had a blue checkmark).
The cybercriminals also read the private messages of the owners of 36 compromised accounts. One of these accounts belonged to an unnamed Dutch politician.
Twitter emphasized that the attackers could not see previous versions of account passwords, since passwords are not stored in clear text and are not available through the company's internal tools. However, it was reported that the hackers were able to view the personal information of users, including the email addresses and phone numbers visible for some accounts.
How was it hacked?
It quickly became clear that the hackers had not exploited any vulnerability and had not bypassed two-factor authentication on the accounts, but had simply gained access to the Twitter admin panel, through which they managed other people's accounts. Messages with screenshots supporting this theory began to appear on the very day of the hack, but Twitter employees immediately deleted them, and those who published them were mercilessly banned (edited versions of the screenshots can be seen below).
These screenshots clearly show that Twitter employees have the ability to control user accounts, including changing the email addresses associated with accounts and completely blocking accounts. In addition, the Search blacklist and Trend blacklist buttons directly indicate that company employees can determine which messages get into the platform's search and trends and which do not.
On the rising wave of criticism and accusations of censorship, Twitter employees answered that the company had never hidden this: not everything users write can get into trends.
Only on July 30, 2020, two weeks after the incident, did Twitter representatives officially confirm that the attack on the social network was the result of the compromise of several company employees at once. It turned out that on July 15, 2020, the scammers staged a phishing attack over the phone and used social engineering against employees.
When the credentials stolen from one of the employees did not let the hackers reach Twitter's internal tools, the attackers went after other employees of the company who had the necessary rights and access.
"Not all of the attacked employees were authorized to use the account management tools, but the attackers used their credentials to access our internal systems and obtain information about our processes. This information allowed them to attack other employees who had access to our support tools," Twitter representatives write.
Vice's Motherboard suggested that the "coordinated social engineering attack on company employees" was an ordinary insider job. That is, according to the journalists and their anonymous sources, the hackers simply bribed a Twitter employee to gain access to that very administrative panel.
It is worth noting that similar incidents have happened on Twitter before. In 2017, one of the social network's employees deleted the account of US President Donald Trump for a time, and in 2019 the US Department of Justice reported that two Twitter employees had abused their access to spy for Saudi Arabia.