Phone spear phishing allowed hackers to gain Twitter employee credentials

Twitter has released additional information on their investigation into the compromise that occurred on July 15, 2020. The attack, says the company, started with a spear phishing attack on a select group of employees that "relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to [Twitter's] internal systems."

The hackers allegedly compromised over 100 social media accounts and scammed both the account users and others who sent money based on their fraudulent solicitations.

On July 31st, the US Department of Justice announced three individuals had been charged for their alleged roles in the Twitter hack. Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer. Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer. The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. Pursuant to the Federal Juvenile Delinquency Act, the Justice Department has referred the individual to the State Attorney for the 13th Judicial District in Tampa, Florida.

Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, points out that this incident demonstrates that social engineering is still a common method for attackers to gain access to internal systems. "The human is often times the weakest link in any security chain," Kelly says. "Proper employee training and employing services that test human susceptibility to social engineering attacks such as email spear phishing, phone calls and in-person attacks can be invaluable to help prevent the employee from being the security gap in any organization.”

Lisa Plaggemier, Chief Strategy Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education, notes, “The Twitter attack was a well-planned targeted voice phishing (vishing) attack. Employee training against these types of attacks is critical, and it can be tricky. When the attackers have done their research on the targeted individuals and used data gained in previous breaches, they can be extremely convincing over the phone. Employees, and the general public for that matter, have become accustomed to the obvious phone scans, like the IRS phone scam that was so pervasive a few years back. It was “spray and pray”, not targeted, and therefore relatively obvious to many people who knew to hang up."

But therein lies the problem," says Plaggemier. "Call it the Dunning Kruger effect, or just human nature – we think we’ll recognize these things easily, until we don’t, and then it’s too late. It’s critical in your employee training that you drive home just how much information is available about all of us, and how that can be used to create a spear attack. Over the years, I’ve seen a lot of businesses become complacent about their employee data – names, email addresses, job titles, phone numbers – because they couldn’t imagine how that kind of data could be used in an attack. The Twitter attack illustrates that risk.”

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, claims that what’s important to understand is that the Twitter employees that were originally targeted weren’t necessarily the ones with administrative access. "This means the attacker moved laterally and gained access to privileged credentials," says Schless. "Twitter’s report states the “[attackers] used their [employees’] credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.” Seeing that this was a two-step process shows that this was a sophisticated attack with a very specific plan of action. Since social engineering happens so frequently on mobile social media and messaging apps, we speculated that this occurred via mobile. Twitter’s update has confirmed this."

Schless cites a recent report, The State of Mobile Phishing report, which provides data on the frequency of users encountering mobile phishing attacks and the potential financial risk to organizations. The report breaks down a real-world mobile phishing attack on banking customers, and provides guidance on how to protect and detect against mobile phishing.

Schless notes, "There was a 37 percent increase in mobile phishing attempts with the rise of working from home due to COVID-19. Almost 4,000 individuals tapped the link for a mobile phishing campaign focused on stealing banking login credentials.For an organization with 10,000 mobile devices or more, the financial impact of a successful phishing attempt could be up to $35,000,000 per year. So, why target employees through their mobile devices?"

"It is more difficult to spot a phishing attempt on a mobile phone due to the smaller screen, the inability to see the full URL in the mobile browser, and lack of awareness on how to safely preview where a link is sending you before you tap it," adds Schless."Mobile devices exist at the intersection of our work and personal lives, a sophisticated attacker like the one behind this Twitter incident can leverage both work and personal channels to conduct their attacks. Mobile devices have become the primary target for phishing attacks - especially those that involve a level of social engineering."

Charles Ragland, security engineer at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “While Twitter states that internal tools are heavily audited and restricted for specific use cases, it goes to show that technical controls can't stop everything. Human vulnerability will always be a weak spot in any risk mitigation strategy. Implementing a culture of security awareness in the workplace can help reduce these risks. Train coworkers to be suspicious of emails or phone calls they aren't expecting, and have easy to follow policies in place to report incidents so that they can be appropriately investigated.”

Mark Rogan, DAST Manager, Vulnerability Verification Europe, at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, “This attack,the latest in a long line of successful attacks resulting from the utilization of spear phishing attacks, sends a clear reminder to all companies of the importance of regular, robust security training for all employees. A chain is only as strong as its weakest link and, as proven, if an attacker can exploit that weak link they gain a foothold to compromise the entire system. Any employee that is not 100 percent on the origin of an email should always report it to their security department before taking any action.”

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.