BREAKING: Hillsborough State Attorney @AndrewWarrenFL announces arrest of 17-year-old Graham Ivan Clark in “Bit-Con” hack of prominent Twitter users including Bill Gates, former President Barack Obama and Elon Musk. pic.twitter.com/4kkeITvJ22
— Aaron Mesmer FOX 13 (@AaronMesmer) July 31, 2020
State Attorney Andrew Warren is quoted in multiple reports claiming:
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.” … “I want to congratulate our federal law enforcement partners—the US Attorney’s Office for the Northern District of California, the FBI, the IRS, and the Secret Service—as well as the Florida Department of Law Enforcement. They worked quickly to investigate and identify the perpetrator of a sophisticated and extensive fraud.”
Earlier this month, Twitter was hacked and prominent accounts were hijacked. Accounts belonging to Apple, Uber, Elon Musk, Bill Gates, Joe Biden, Warren Buffett and, yes, even Kanye West were among the targets of the scam. The tweets were quickly scrubbed, but not before approximately $100,000 was pilfered.
The individual in question is said to be charged as an adult. Two other individuals are being reported as accomplices.
Allison Nixon, Chief Research Officer, and Mark Rasch, Chief Legal Officer, at Unit 221B, a cybersecurity firm specializing in financially motivated cyberattacks, have published a blog post claiming the hack was part of a VPN phishing scam.
The two cybersecurity experts explain that the hacker would call an employee, perhaps spoofing a phone number, and direct them to a phish page mimicking the company’s internal VPN portal. The target would be told to log into the “internal” corporate website, which was really controlled by the hacker, and would then be induced to enter their access information:
“In order to access the VPN, the legitimate employee was required to have multi-factor authentication. Typically a user ID, a password, and then a PIN which would only be sent to their secure cell phone. But as the victim was logging into the phish page and giving up their credentials and time-sensitive one-time password, the hacker was simultaneously entering the same information onto the real corporate VPN. When the corporate VPN asks for a user ID and password, it would send the PIN back to the employee. The employee did exactly what they were trained to do. They would put in the PIN, the multi-factor authentication was passed to the hacker’s website, and the hacker can capture that PIN and enter it into their own access to the VPN. Multi-factor authentication, defeated!”
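To make the failure mode concrete, here is an added toy model (not code from the article or from Unit 221B) of the real-time relay described above: a one-time PIN typed into the phish page is just as valid when the attacker forwards it to the real portal, whereas a second factor that is cryptographically bound to the origin the employee is actually on does not verify once relayed. The hostnames, the HMAC-based authenticator and the portal class are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Hostnames are constructed placeholders, not values from the reporting.
REAL_ORIGIN = "vpn.example.com"
PHISH_ORIGIN = "vpn-example.com"  # look-alike origin serving the phish page

def authenticator_sign(device_key, challenge, origin):
    """Toy origin-bound authenticator: the origin the browser is really on is
    mixed into the response, so the user cannot hand over a usable code."""
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

class VpnPortal:
    """Toy corporate VPN portal offering two kinds of second factor."""
    def __init__(self):
        self.device_key = secrets.token_bytes(32)  # enrolled on the employee's device
        self.otp = None
        self.challenge = None

    def send_otp(self):
        """Password accepted; PIN 'sent' to the employee's phone (the article's scheme)."""
        self.otp = f"{secrets.randbelow(10**6):06d}"
        return self.otp

    def verify_otp(self, otp):
        return self.otp is not None and hmac.compare_digest(otp, self.otp)

    def issue_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify_assertion(self, tag):
        expected = authenticator_sign(self.device_key, self.challenge, REAL_ORIGIN)
        return hmac.compare_digest(tag, expected)

def attacker_login_with_relayed_pin():
    """Attacker replays the employee's phish-page input into the real portal in real time."""
    portal = VpnPortal()
    pin_on_phone = portal.send_otp()        # stolen password submitted; portal sends PIN to employee
    return portal.verify_otp(pin_on_phone)  # employee types PIN into phish page; attacker forwards it

def attacker_login_with_relayed_assertion(employee_origin=PHISH_ORIGIN):
    """Same relay, but the second factor is bound to the origin the employee is actually on."""
    portal = VpnPortal()
    challenge = portal.issue_challenge()    # attacker fetches a challenge from the real portal
    tag = authenticator_sign(portal.device_key, challenge, employee_origin)
    return portal.verify_assertion(tag)     # forwarded response verifies only for REAL_ORIGIN
```

The relayed PIN logs the attacker in; the relayed origin-bound response does not, which is the property phishing-resistant authenticators are built around.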
Yesterday, Twitter posted an update providing some additional perspective on the “social engineering” that targeted a small number of employees via the spear phishing attack. The company acknowledged that the hack required the attackers to obtain access to both their internal network as well as specific employee credentials that granted them access to internal support tools.
The world is full of soft targets, explained the two cybersecurity experts.