Twitter continues to dig through the rubble following the epic Twitter hack that saw approximately 130 high profile Twitter accounts hijacked with Tweets distributing a Bitcoin trap for the unsuspecting.
Thank you for your continued patience and understanding while we investigate this incident. We’ll continue to provide updates when we have them.
— Twitter Support (@TwitterSupport) July 17, 2020
So far, Twitter is stating that no passwords have been compromised and it appears the breach was due to a sophisticated social engineering plot.
KrebsonSecurity posted yesterday that they believe the nefarious acts are the work of hacker accounts known as “Chaewon,” an account called “Shinji,” and “PlugWalkJoe.” All of the preceding may be SIM Swap hackers.
To quote Krebs:
“There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.
People within the SIM swapping community are obsessed with hijacking so-called “OG” social media accounts. Short for “original gangster,” OG accounts typically are those with short profile names (such as @B or @joe). Possession of these OG accounts confers a measure of status and perceived influence and wealth in SIM swapping circles, as such accounts can often fetch thousands of dollars when resold in the underground.
In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.”
The Shinji account was tweeting out screenshots of Twitter’s internal tools.
Krebs points a finger at a specific individual, identified by an alleged insider in the mobile industry:
“The mobile industry security source told KrebsOnSecurity that PlugWalkJoe in real life is a 21-year-old from Liverpool, U.K. named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic.”
The KrebsonSecurity write-up is excellent and you should read it if you have a minute.
SIM Swap scams have been used to pilfer dozens, if not hundreds, of cryptocurrency accounts. The ploy is to take over an individual’s mobile phone number and then trigger a password reset. Because the account’s second-factor code is delivered to that phone number, the perp receives the code and resets the password of the unsuspecting target. Once the account is hijacked, the criminal siphons off all of the funds in the victim’s crypto accounts.
Perhaps the best-known target of a SIM Swap hack is Michael Terpin who saw tens of millions of dollars stolen in an attack. Terpin is now suing AT&T Mobility as well as an alleged perpetrator.
Crowdfund Insider also received some comments from several crypto-industry insiders.
Konstantin Richter, CEO of Blockdaemon, said that since two-factor authentication was enabled yet defeated, the incident raises serious questions about Twitter’s systems:
“Cryptocurrency scammers that are looking to make cash fast should be a warning beacon to other hackers that could do a lot more damage with more drastic consequences. It is speculated that the hacker(s) gained access to the so-called “God Mode” system used to administer Twitter accounts on the platform. The access could have been through a platform exploit or a social engineering attack on a Twitter employee. Either way, it’s clear that building secure software systems is a challenge, and developers and system owners need to be hyper aware that the systems they build may be used for malicious intent due to bugs, social engineering hacks or rogue employees. It’s of the utmost importance that these systems have strict access controls and are thoroughly audited for potential vulnerabilities.
Many crypto scams circulate on social channels but are spotted easily because they appear to be spam. Since the industry is still in its infancy, many can be tricked because they want to participate. Since this scam hit a wider audience that may not be as familiar with cryptocurrency through verified twitter users, it was more believable.
Seeing how widespread and high-profile the scam was, the damage was relatively small compared to what kind of chaos could be unleashed. With pending presidential elections less than 4 months away, a pandemic with many unknowns, and tensions increasing in various regions, it is vital that Twitter set up additional security measures, and also publicly share a breakdown of what happened to assure users and prevent it from happening again.
One of the preventative measures Twitter deployed during the hack resolution was restricting the ability to tweet from specific high profile accounts. This action raises the concern that at any point Twitter has the ability to silence an individual account. It once again shows us that we do not truly own our profiles and “God Mode” features show us that employees may have access to the data that we own. “De-platforming” or silencing an account is a real threat and it further shows that we need the ability to take control of our online identity, data and voice. Decentralised systems are the best shot we have at achieving this.”
“The high profile tweets were more likely a distraction from something on a larger scale – mass data theft for example. It was quite obvious early on that this wasn’t a targeted SIM swap or API type hack, and many of the verified users that were targeted would likely have strong Operations Security (OPSEC) enabled. It was always more likely to be a zero-day attack or internal access exploit from someone within Twitter, the latter now being confirmed as the source by Twitter. This hack further reinforces the case for migrating to Nemlog or Hive’s blockchain-powered social platforms and using messaging apps like Signal as opposed to the less secure centralized counterparts that have admin backdoors with control over their users. Centralised systems with a single failure point will continue to be exploited again to the detriment of their users. ‘Not your keys, not your account’ applies as equally to your data as it does to your funds.”
Hopefully, soon, Twitter will reveal all the dirt on the exploit, and processes will be updated and new protocols introduced. What should be clear by now is that two-factor authentication can itself become a digital skeleton key, and it should only be used with a separate authentication service (like Authy).
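The SIM Swap flow described above (hijacked number, password reset, intercepted code) and the recommendation to use an authenticator app both point at the same defensive policy. As an added illustration, not code from the article or from Twitter, the following Python sketches a password-reset gate that refuses phone-delivered codes for a cooldown period after the account’s phone number changed, and requires an authenticator-app (RFC 6238 TOTP) code whenever one is enrolled. The 72-hour cooldown and the `Account` fields are hypothetical policy choices.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical policy: after a phone-number/SIM change, do not trust
# phone-delivered codes for 72 hours, long enough for the real owner to notice.
SIM_CHANGE_COOLDOWN_SECONDS = 72 * 3600


@dataclass
class Account:
    totp_secret: Optional[bytes]   # set once an authenticator app is enrolled
    phone_changed_at: float        # epoch seconds of the last phone-number change


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends on the secret and the
    current time step, never on anything delivered over the phone network."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, t: float, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, t + k * 30), code)
               for k in range(-window, window + 1))


def reset_allowed(acct: Account, channel: str, code: str, now: float,
                  sms_code_sent: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a password reset may proceed. Returns (allowed, reason)."""
    if acct.totp_secret is not None:
        # An authenticator app is enrolled: a phone-delivered code is never an
        # acceptable fallback, otherwise a SIM swap bypasses the stronger factor.
        if channel != "totp":
            return False, "totp_required"
        return verify_totp(acct.totp_secret, code, now), "totp"
    if channel == "sms":
        if now - acct.phone_changed_at < SIM_CHANGE_COOLDOWN_SECONDS:
            return False, "recent_phone_change"   # classic SIM-swap signal
        ok = sms_code_sent is not None and hmac.compare_digest(sms_code_sent, code)
        return ok, "sms"
    return False, "unknown_channel"
```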