You may remember back in July when nearly fifty Twitter accounts were hacked and Jeff Bezos, Bill Gates, Kanye West and Apple – to name but a few – all asked us to send Bitcoin to a particular wallet. Supposedly, the generous donors would return twice the Bitcoin to anyone who sent some. What an amazing deal that was, right? Except, of course, it wasn’t. Twitter soon explained to its users what had happened in a blog post, attributing the incident to social engineering carried out through phone spear phishing of its employees. Let us break these terms down for the people who are most often on the receiving end of these attacks.
Social engineering is the use of deception to manipulate a victim into divulging sensitive information or taking an action that helps the attacker, whether by email, over the phone or in person. That sensitive information could be the username and password for a banking website, or a credit card number and its CVV code. Phishing, a form of social engineering, has been landing in email inboxes for many, many years. These are the emails that try to get you to click on a dodgy link that downloads malware onto your computer, or that send you to a spoofed login page where you enter your username and password. Spear phishing is a more direct, targeted phishing attack: the message is tailored to a specific victim, often using personal information freely available online.
Now comes vishing. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about voice phishing (vishing) on August 20, 2020. The advisory defines vishing as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.” Slightly different wording, but Twitter’s incident in July appears to fit into this category of attack.
The particular vishing campaign that the advisory warns about started in mid-July. It would begin with a threat actor creating a web page that looks like the victim company’s internal VPN login page. They would then compile as much personal data on that company’s employees as they could, using online sources including the company’s public posts, corporate and private social media accounts and background check websites. Using this information, the threat actor would call the targeted employee, at times from a spoofed phone number that appeared to come from within the company. Through social engineering the caller would gain the employee’s trust and convince them to sign in to the fake VPN page, capturing the victim’s login credentials and gaining immediate access to the company’s internal network. The same advisory notes that in some cases the employee also approved a two-factor or one-time-password prompt during the call, so a second factor that consists only of a code or a tap does not by itself stop this attack.
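Because the chain above starts with a lookalike VPN login page, one check a defender can run is to watch newly seen hostnames (for example from certificate transparency logs or a registrar feed) for imitations of the real portal. The following is an added example written for this post, not code from the FBI/CISA advisory, from Twitter or from any vendor; the portal name vpn.examplecorp.com, the brand "examplecorp", the homoglyph table, the candidate list and the scoring weights are all constructed assumptions.

```python
import re

# Constructed values for the example; "examplecorp" stands in for the
# targeted company and is not a real organisation.
LEGIT_VPN_HOST = "vpn.examplecorp.com"
BRAND = "examplecorp"
PORTAL_WORDS = ("vpn", "sso", "login", "portal", "remote", "secure", "okta", "citrix")

# Substitutions attackers use so a hostname reads like the real one at a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_labels(domain: str) -> list:
    """Lower-case labels of the hostname, with any scheme and path stripped."""
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    return host.split(".")


def normalize(text: str) -> str:
    """Fold homoglyphs and hyphens so 'exarnp1e-corp' compares as 'examplecorp'."""
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text.replace("-", "")


LEGIT_LABELS = host_labels(LEGIT_VPN_HOST)
BRAND_NORM = normalize(BRAND)


def lookalike_verdict(domain: str) -> dict:
    """Score how closely `domain` imitates the real VPN portal.

    brand_match is 'exact', 'near' (within 2 edits of the brand name) or 'none';
    the score adds 0.6/0.4 for the brand, 0.3 for a portal word and 0.1 for the
    same TLD (arbitrary weights). Hosts under the company's own registrable
    domain are assumed to be under its DNS control and are never flagged.
    """
    labels = host_labels(domain)
    if labels[-2:] == LEGIT_LABELS[-2:]:
        return {"domain": domain, "brand_match": "owned", "portal_word": False,
                "score": 0.0, "flag": False}

    body = normalize("".join(labels[:-1]))  # everything left of the TLD
    brand_match = "none"
    if BRAND_NORM in body:
        brand_match = "exact"
    else:
        # Slide windows of roughly brand length over the body to catch typos.
        n = len(BRAND_NORM)
        for width in (n - 1, n, n + 1):
            for start in range(max(1, len(body) - width + 1)):
                if edit_distance(body[start:start + width], BRAND_NORM) <= 2:
                    brand_match = "near"
                    break
            if brand_match == "near":
                break

    portal_word = any(w in body for w in PORTAL_WORDS)
    score = {"exact": 0.6, "near": 0.4, "none": 0.0}[brand_match]
    score += 0.3 if portal_word else 0.0
    score += 0.1 if labels[-1] == LEGIT_LABELS[-1] else 0.0
    return {"domain": domain, "brand_match": brand_match, "portal_word": portal_word,
            "score": round(score, 2), "flag": brand_match != "none"}


def scan(candidates) -> list:
    """Return the candidates worth a human look, highest score first."""
    verdicts = [lookalike_verdict(d) for d in candidates]
    flagged = [v for v in verdicts if v["flag"]]
    return [v["domain"] for v in sorted(flagged, key=lambda v: -v["score"])]


# Constructed feed of newly seen hostnames; none of these is a real observed domain.
CANDIDATES = [
    "vpn.examplecorp.com",      # the real portal
    "sso.examplecorp.com",      # company-owned subdomain, fine
    "examplecorp-vpn.com",      # brand plus portal word on a new registrable domain
    "vpn-exarnp1ecorp.com",     # homoglyphs: rn -> m, 1 -> l
    "examp1ecorp.net",          # homoglyph plus different TLD
    "exanplecorp-sso.net",      # one-letter typo plus portal word
    "weather-today.org",        # unrelated
]

if __name__ == "__main__":
    for v in (lookalike_verdict(d) for d in CANDIDATES):
        print(f"{v['domain']:<24} brand={v['brand_match']:<6} "
              f"portal={v['portal_word']!s:<5} score={v['score']:.1f} flag={v['flag']}")
```

The homoglyph folding is deliberately aggressive (it also turns a legitimate "modern" into "modem"), so treat the output as a triage queue rather than a blocklist; the point is to surface a freshly registered imitation of the portal before an employee is talked into typing credentials into it.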
As far as we know, the incident at Twitter happened in a very similar manner. Specific employees were targeted over the phone using social engineering tactics. Some of these employees were deceived into providing their login credentials, but these initially targeted individuals did not have the needed permissions to use the account management tools necessary to access customer Twitter accounts. Therefore, the threat actors used the account credentials from the initial attacks to scour the internal network for more employee data and information. This then allowed them to launch secondary social engineering attacks on employees that did have the required account permissions.
These targeted social engineering attacks, whether they are called vishing or phone spear phishing, show how determined threat actors have become and how vulnerable companies can be. Twitter itself states in its blog post, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service”.