{"id":36378,"date":"2020-07-31T15:37:40","date_gmt":"2020-07-31T15:37:40","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/31448\/Twitter-Hack-Staff-Tricked-By-Phone-Spear-Phishing-Scam.html"},"modified":"2020-07-31T15:37:40","modified_gmt":"2020-07-31T15:37:40","slug":"twitter-hack-staff-tricked-by-phone-spear-phishing-scam","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/twitter-hack-staff-tricked-by-phone-spear-phishing-scam\/","title":{"rendered":"Twitter Hack: Staff Tricked By Phone Spear-Phishing Scam"},"content":{"rendered":"
\"A Image copyright<\/span> Reuters<\/span> <\/span> <\/figure>\n

The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.<\/p>\n

Spear-phishing<\/a> is a targeted attack designed to trick people into handing out information such as passwords.<\/p>\n

Twitter said its staff were targeted through their phones.<\/p>\n

The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.<\/p>\n

The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam.<\/p>\n

It reportedly netted the scammers more than $100,000 (\u00a380,000).<\/p>\n

The attack has raised concerns about the level of access that Twitter employees, and subsequently the hackers, have to user accounts.<\/p>\n

Twitter acknowledged that concern in its statement, saying that it was “taking a hard look” at how it could improve its permissions and processes.<\/p>\n

“Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.<\/p>\n

Not all the employees targeted in the spear-phishing attack had access to the in-house tools, Twitter said – but they did have access to the internal network and other systems.<\/p>\n

Once the attackers had acquired user credentials to let them inside Twitter’s network, the next stage of their attack was much easier.<\/p>\n

They targeted other employees who had access to account controls.<\/p>\n

<\/span> <\/figure>\n

Analysis<\/h2>\n

By Joe Tidy, cyber-security reporter<\/strong><\/p>\n

Twitter isn’t clarifying whether or not their employees were duped by an email or a phone call. The consensus in the information security community is that it was the latter. <\/p>\n

Phonecall spear-phishing, commonly known as vishing, is bread and butter for the sort of hackers who are suspected of this attack. <\/p>\n

The criminals obtained the phone numbers of a handful of Twitter staff and, by using friendly persuasion and trickery, got them to hand over usernames and passwords that gave them an initial foothold into the internal system.<\/p>\n