![\"Computer](\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2020\/07\/bitcoin-scam-300x169.jpg\")
<\/p>\n <\/p>\n
Twitter Hacked in Bitcoin Scam<\/b><\/p>\n
It started with one weird tweet. Then another. Quickly, some of the most prominent accounts on Twitter were all sending out the same message;<\/span><\/p>\n I am giving back to the community.<\/span><\/p>\n All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.<\/span><\/p>\n [- BITCOIN WALLET ADDRESS -]<\/span><\/p>\n<\/blockquote>\n Are Apple, Elon Musk, Barrack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme?<\/span><\/p>\n No. Of course, not. The question was whether or not individual accounts were compromised or if something deeper was going on.<\/span><\/p>\n These high profile accounts are prime targets for cybercriminals. They have a broad reach and even a brief compromise of one of these accounts would significantly increase a hacker\u2019s reputation in the underground.<\/span><\/p>\n That\u2019s why these accounts leverage the protections made available by Twitter in order to keep their accounts safe.<\/span><\/p>\n This means;<\/span><\/p>\n While it\u2019s believe that one or two of these accounts failed to take these measures, it\u2019s highly unlikely that dozens and dozens of them did. So what happened?<\/span><\/p>\n As with any public attack, the Twitter-verse (ironically) was abuzz with speculation. That speculation ramped up when Twitter<\/span><\/a> took the reasonable step of preventing any Verified<\/span><\/a> account from tweeting for about three hours.<\/span><\/p>\n This helped prevent any addition scam tweets from being published but also raised the profile of this attack further. <\/span><\/p>\n While some might shy away from raising the profile of an attack, this was reasonable trade off to prevent further damage to affected accounts and to help prevent the attack from taking more ground.<\/span><\/p>\n This move also provided a hint as to what was going on. If individual accounts were being attacked, it\u2019s unlikely that this type of move would\u2019ve done much to prevent the attacker from gaining access. However, if the attacker was accessing a backend system, this mitigation would be effective.<\/span><\/p>\n Had Twitter itself been hacked?<\/span><\/p>\n When imagining attack scenarios, a direct breach of the main service is a scenario that is often examined in depth. This is why it\u2019s also one of the most planned for scenarios.<\/span><\/p>\n Twitter\u2014like any company\u2014has challenges with its systems but they center primarily around content moderation\u2026their backend security is top notch.<\/span><\/p>\n An example of this an incident in 2018<\/span><\/a>. Twitter engineers made a mistake that meant anyones password could have been exposed in their internal logs. Just in case, Twitter urged everyone<\/b> to reset their password<\/span><\/a>.<\/span><\/p>\n While possible, it\u2019s unlikely that Twitter\u2019s backend systems were directly breached. There is a much simpler potential explanation: insider access.<\/span><\/p>\n Quickly after the attack, some in the security community noticed a screenshot of an internal<\/b> support tool from Twitter surfacing in underground discussion forums. This rare inside view, showed what appeared to be what a Twitter support team member would see.<\/span><\/p>\n This type of access is dangerous. Very dangerous.<\/span><\/p>\n Joseph Cox\u2019s article detailing the hack<\/span><\/a> has a key quote,<\/span><\/p>\n \u201cWe used a rep that literally done all the work for us\u201d<\/i><\/span><\/p>\n Anonymous Source<\/i><\/span><\/p>\n<\/blockquote>\n What remains unclear is whether this is a case of social engineering (tricking a privileged insider into taking action) or a malicious insider (someone internal motivated to attack the system).<\/span><\/p>\n The difference is important for other defenders out there.<\/span><\/p>\n The investigation is ongoing, and Twitter continues to provide updates via @TwitterSupport<\/a>;<\/p>\n Our investigation is still ongoing but here\u2019s what we know so far:<\/p>\n \u2014 Twitter Support (@TwitterSupport) July 16, 2020<\/a><\/p>\n<\/blockquote>\n Donnie Sullivan<\/span><\/a> from CNN has a fantastic interview with the legendary Rachel Tobac<\/span><\/a> showing how simple social engineering can be and the dangerous impact it can have;<\/span><\/p>\n What is \u201csocial engineering,\u201d you ask? @RachelTobac<\/a> showed me. pic.twitter.com\/TAw7FB1QPQ<\/a><\/p>\n \u2014 Donie O’Sullivan (@donie) July 16, 2020<\/a><\/p>\n<\/blockquote>\n If this attack was conducted through social engineering. The security team at Twitter will need to implement additional processes and controls to ensure that it doesn\u2019t happen again.<\/span><\/p>\n This is what your team also needs to look at. While password resets, account closures, data transfers, and other critical processes are at particular risk of social engineering, financial transactions are atop the cybercriminals target list.<\/span><\/p>\n BEC<\/a>\u2014business email compromise\u2014attacks accounted for $1.7 billion USD in loses<\/span><\/a> in 2019 alone.<\/span><\/p>\n Adding additional side channel confirmations, additional steps for verifications, firm and clear approvals, and other process steps can help organizations mitigate these types of social engineering attacks.<\/span><\/p>\n If the attack turns out to be from a malicious insider. Defenders need to take a different approach.<\/span><\/p>\n Malicious insiders are both a security problem and an human resources one. <\/span><\/p>\n From the security perspective, two key principles help mitigate the potential of these attacks;<\/span><\/p>\n Making sure that individuals only have the technical access needed to complete their assigned tasks and only that access<\/b> is key to limiting this potential attack. Combined with the smart separation of duties (one person to request a change, another to approval it), this significantly reduces the possibility of these attacks causing harm.<\/span><\/p>\n The other\u2014and not often spoken of\u2014side of these attacks is the reason behind the malicious intent. Some people are just malicious and when presented with an opportunity, they will take it.<\/span><\/p>\n Other times, it\u2019s an employee that feels neglected, passed over, or is disgruntled in some other way. A strong internal community, regularly communication, and a strong HR program can help address these issues before they escalate to the point where aiding a cybercriminal becomes an enticing choice.<\/span><\/p>\n Underlying this whole situation is a more challenging issue; the level of access that support has to any given system.<\/span><\/p>\n It\u2019s easy to think of a Twitter account as \u201cyours\u201d. It\u2019s not. It\u2019s part of a system that is run by a company that needs to monitor the health of the system, response to support issues, and aid law enforcement when legally required. <\/span><\/p>\n All of these requirements necessitate a level of access that most don\u2019t think about.<\/span><\/p>\n How often are you sharing sensitive information via direct message? Those messages are most likely accessible by support.<\/span><\/p>\n What\u2019s to prevent them from accessing any given account or message at any time? We don\u2019t know.<\/span><\/p>\n Hopefully Twitter\u2014and others\u2014have clear guardrails (technical and policy-based) in place to prevent abuse of support access and they regularly audit them.<\/span><\/p>\n It\u2019s a hard balance to strike. User trust is at stake but also the viability of running a service.<\/span><\/p>\n Clear, transparent policies and controls are the keys to success here.<\/span><\/p>\n Abuse can be internal<\/span><\/a> or external. Support teams typically have privileged access but are also among the lowest paid in the organization. Support\u2014outside of the SRE community\u2014is usually seen as entry level.<\/span><\/p>\n These teams have highly sensitive access and when things go south, can do a lot of harm. Again, the principles of least privilege, separation of duties, and a strong set of policies can help.<\/span><\/p>\n In the coming days more details of the attack will surface. In the meantime, the community is still struggling to reconcile the level of access gained and how it was used.<\/span><\/p>\n Getting access to some of the world most prominent accounts and then conducting a bitcoin scam? Based on the bitcoin transactions, it appears the cybercriminals made off with a little over $100,000 USD. Not insignificant but surely there were other opportunities?<\/span><\/p>\n Occam\u2019s razor can help here again. Bitcoin scams and coin miners are the most direct<\/b> method fo cybercriminals to capitalized on their efforts. Given the high profile nature of the attack, the time before discovery was always going to be sure. This may have been the \u201csafest\u201d bet for the criminal(s) to make a profit from this hack.<\/span><\/p>\n In the end, it\u2019s a lesson for users of social networks and other services; even if you take all of the reasonable security precautions, you are relying on the service itself to help protect you. That might not always hold true.<\/span><\/p>\n For service providers and defenders, it\u2019s a harsh reminder that the very tooling you put in place to run your service may be its biggest risk\u2026a risk that\u2019s often overlooked and underestimated.<\/span><\/p>\n In the end, Marques Brownlee<\/span><\/a> sums it up succinctly;<\/span><\/p>\n Don’t send Bitcoin to strangers.<\/p>\n \u2014 Marques Brownlee (@MKBHD) July 15, 2020<\/a><\/p>\n<\/blockquote>\n What do you think of this entire episode? Let\u2019s talk about it\u2014un-ironically\u2014on Twitter, where I\u2019m @marknca<\/span><\/a>.<\/span><\/p>\n\n
User Account Protections<\/b><\/h2>\n
Rumours Swirl<\/b><\/h2>\n
Occam\u2019s Razor<\/b><\/h2>\n
Internal Screenshot<\/b><\/h2>\n
\n
\n
Social Engineering<\/b><\/h2>\n
\n
Malicious Insider<\/b><\/h2>\n
Support Risks<\/b><\/h2>\n
What\u2019s Next?<\/b><\/h2>\n
\n