Just hackers who burn a 0day like it’s a fire sale
Imagine getting the keys to the Twitter kingdom – accessing all of the account admin panels in the world. What would you do? You can grab high value accounts and sell them on the black market. You can extract blackmail material of unimaginable value from DMs. Or maybe you would wait for an event like the next US election to launch some evil plan.
But if you’re a seasoned attacker, you won’t blow your own cover by tweeting from the world’s biggest accounts – for a Bitcoin scam. Of course, some have postulated that the cryptocurrency spam tweets were a distraction from something bigger going on in the background. Maybe the attackers have already done their sneaky tricks and are ready to do what is called “burn your 0day”.
And boy, did they burn this very good 0day hot, bright, and fast.
We have detected what we believe to be a social engineering attack coordinated by people who have successfully targeted some of our employees with access to internal systems and tools.
– Twitter Support (@TwitterSupport) July 16, 2020
Twitter’s response – a worrying five hours later – was to do something few people knew the company had the power to do: lock down all verified accounts around the world. Unfortunately, it comes down to finding out that a burglar is in your house because they have started playing music in your living room, and your response is to turn off all the lights.
Freezing the “blue checks” was actually worse than it sounds, as many essential emergency services around the world use Twitter as an essential communication channel. Like the National Weather Service, which suddenly found itself unable to tweet weather warnings.
Freezing accounts appears to have been a decision ruled by panic. Twitter seemed to have no idea what was going on or how to stop it. And wow, do we have questions about the who, what, why, and the future implications of all of this.
Blue checks trying to communicate via retweets pic.twitter.com/FIbBmWH4j8
– Andrew Roth (@RothTheReporter) July 15, 2020
In a tweet thread posted during and after the attack, Twitter wrote: “We detected what we believe to be a social engineering attack coordinated by people who successfully targeted some of our employees with access to internal systems and tools.”
Freezing verified accounts also affected those users’ ability to reset their passwords.
We know they used this access to take control of many highly visible (including verified) accounts and tweet on their behalf. We’re looking at what other malicious activity they may have been carrying out or what information they may have accessed and will share more here as we have it.
– Twitter Support (@TwitterSupport) July 16, 2020
Twitter framed the thread with a disclaimer that its investigation is “ongoing.”
Don’t worry, rich celebrities will be fine
Compromised accounts included Jeff Bezos, Bill Gates, Elon Musk, Barack Obama, Apple, Kanye West, Joe Biden, Uber, Mike Bloomberg, Floyd Mayweather, Wiz Khalifa and others. Twitter updated its support thread on the incident Thursday night to say that 130 accounts were affected by the attack.
From what we know at this time, we believe that around 130 accounts were targeted by the attackers in one way or another as part of the incident. For a small subset of these accounts, attackers were able to take control of the accounts and then send Tweets from those accounts.
– Twitter Support (@TwitterSupport) July 17, 2020
The problem is, the tweets looked normal to anyone following Kanye or Elon Musk, who regularly tweet crazy claptrap à la John McAfee, and a significant number of people fell for the scam. As we reported yesterday, the haul was about $118,000, and “At the time of writing, all but $114 of that $118,000 haul has been transferred to other wallets.”
It’s a pittance, especially when, according to Glassdoor, the lower end of what most Twitter engineers earn is $131,403 per year. It was an intrusion with enormous impact, the potential for extreme reach, and serious damage.
You would assume the attackers wanted more than what it takes to eat and sleep in the poor areas of San Francisco. But again, even though the attack started with a slightly different Bitcoin scam, the perpetrators immediately went public, guaranteeing they would be discovered and shut down immediately.
Of course, a very strong possibility is that the attackers were really, really bad at crime.
Many observers immediately assumed that these high-profile accounts must have had lax security standards or did not have two-factor authentication enabled. However, Reuters reported that “several users with two-factor authentication – a security procedure that helps prevent break-in attempts – said they were powerless to stop it.”
Motherboard got anonymous comments from sources at Twitter, which stated that the account takeovers were done through access to an internal account management tool; Vice posted screenshots of the tool (while anyone on Twitter posting the same screenshots got put in Twitter jail very quickly).
If Twitter was trying to stop the spread of these images, well, it is the Internet after all. They spread quickly on news sites and forums. The screenshots leaked by the hack revealed the presence of “blacklist” buttons on individual account pages. Many now want to know: is this the proof of shadowbanning and blacklisting that we are seeing?
Twitter users who work in and around human sexuality have argued for years that they are “shadowbanned” by Twitter, the practice of silencing accounts by hiding them in various ways. It was only recently that far-right conspiracy theorists co-opted the shadowban concept to “play the [censorship] refs” in their favor. Now Twitter will be faced with some straightforward questions it has struggled to avoid confronting head-on.
When contacted for comment on the “blacklist” buttons displayed on account pages in Twitter’s compromised management tool, the company spokesperson did not directly respond to the question. Instead, they said by email: “Since July 2018 we have specified that we don’t shadowban.”
The Twitter representative included a standard listing of Twitter’s policy on inclusion and exclusion of Trends content, content awareness, the hashtag exclusion policy for trending topics, and search rules and restrictions.
“A different source told Motherboard that the allegedly compromised Twitter employee was paid for his participation in the low-rent bitcoin scheme. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts himself or gave the tool to hackers,” Vice wrote.
It turns out that having unregulated cartoon crime currency and planetary internet chat policy had easily foreseeable drawbacks.
– Pinboard (@Pinboard) July 16, 2020
Since the tool enabled account management, this confirmed early assumptions that attackers not only had the ability to change account emails and reset passwords, but could also gain access to the direct messages (DMs) of targeted users. This is a mind-boggling problem, considering that many people – including celebrities and politicians – don’t understand that Twitter DMs are not protected by end-to-end encryption and are not particularly secure.
Senator Ed Markey (D-MA) responded to exactly that in a statement saying that Twitter “must fully disclose what has happened and what it is doing to ensure that it does not happen again.” This was in addition to the fact that Senator Josh Hawley (R-MO) sent an angry letter to Jack Dorsey and that Senator Ron Wyden (D-OR) issued a similar statement, adding that “it is a vulnerability that has been going on for too long ”.
Interestingly, if the “vulnerability” in question was a paid employee, then the vulnerability was human. This means that the attack was not so much technical as it was a momentous feat of social engineering. Most likely, this would be a social engineering “quid pro quo” attack, in which the human vulnerability is offered something in return for the access, information, or credentials the attacker wants.
It is also plausible that the attacker used pretexting, impersonating someone with a legitimate need for access and relying on the victim’s trust and gullibility. (“No, I swear, I really need to get into that server closet.”) Another possibility would be baiting, or a bait-and-switch, in which the attacker tricks an employee into inserting a malicious USB drive or opening a malicious file on a computer to compromise it.
While this is certainly a huge black eye for Twitter, what might be more interesting to explore is what the attack tells us about who did it and why. This is something we will likely find out, based on my colleague’s excellent argument that bitcoin is not truly anonymous and that hiding the trail of converting the loot is not trivial. Certainly not for the hackers who decided to turn what could have been the heist of the century into a goofy bitcoin scam, and who didn’t even ban a single Nazi in the process.