‘Twitter hack’ criminals targeted home working employees on a VPN connection

The ‘Twitter hack‘ in July, that let criminals access famous accounts, was caused after home working employees were tricked into handing over their login details.  

Verified accounts belonging to users such as Elon Musk, Apple and Joe Biden were used to share scam posts promoting the virtual currency Bitcoin during the hack.

Home working Twitter staff logged into the company network using a virtual private network (VPN) that lets you access work systems securely when out of the office.  

Hackers got hold of the phone numbers of Twitter staff and pretended to be from the company IT department – telling them to enter their VPN login to a fake page.

The criminals were then able to use these login details to get access to the real VPN site and finally into the full Twitter network where they could post as a verified user. 

Twitter CEO Jack Dorsey is seen above. He said a small number of employees were targeted with a phishing attack that led to the infamous hack.

Criminals posting Bitcoin details from 130 accounts, including verified profile with millions of followers allowed them to scam users out of $118,000 worth of Bitcoin.

The tweets offered to send $2,000 for every $1,000 sent to an anonymous Bitcoin address. The hack alarmed security experts because of the grave potential of such an intrusion for creating geopolitical mayhem with disinformation.

It is likely the hack attempt, which involved social engineering, worked because so many Twitter employees were working from home and VPN issues were common. 

An earlier report found that those involved in the hack were a group of teenage friends trying to gain access to so called ‘OG accounts’ – that is early adopter usernames with two or three characters as they’re valuable on the dark web. 

Twitter CEO Jack Dorsey said a small number of employees were targeted with a phishing attack that led to the infamous hack. 

The scheme commandeered Twitter accounts of prominent politicians, celebrities and technology moguls and scammed people around the globe out of more than $118,000 in Bitcoin

The scheme commandeered Twitter accounts of prominent politicians, celebrities and technology moguls and scammed people around the globe out of more than $118,000 in Bitcoin

Jake Moore, Cyber Security Expert at ESET, said remote working has increased the risk to companies, particularly as they don’t know who is on the ‘home network’.

‘Cyber security risks increased dramatically once the workforce went to remote working in their masses. Threat actors are impressive at adapting to new situations whilst searching for new vulnerabilities to exploit,’ he said.  

‘All too often, people play a vital role in carrying out attacks yet it can sometimes be simple to hack a human.’

The hackers will have conducted research in advance to identify basic functions and titles of Twitter employees so they could better impersonate the IT department.

This is part of the social engineering process. NYDFS found that the hackers used the phone calls to Twitter employees to learn more about the internet Twitter network. 

NYDFS decided to investigate the hack due to the Bitcoin link – with famous accounts used to promote Bitcoin and link to a specific Bitcoin wallet – as the organisation is responsible for regulating cryptocurrency companies. 

‘The implications of the Twitter Hack extend far beyond this garden-variety fraud,’ the NYDFS report claims. 

The attack affected high-profile accounts including former president Barack Obama

The attack affected high-profile accounts including former president Barack Obama

‘There are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts. 

‘In the hands of a dangerous adversary, the same access obtained by the Hackers – the ability to take control of any Twitter users’ account – could cause even greater harm.’ 

As well as the potential reputational damage caused by the hack, those involved walked away with over $118,000 worth of bitcoin and exposed the vulnerability in the massive social media platform that plays a role in communications and news.

The method of the hack also exposes vulnerabilities with the current coronavirus-linked home working push. 

The group posted ads on the forum OGusers.com offering to sell 'OG accounts' for bitcoin

The group posted ads on the forum OGusers.com offering to sell ‘OG accounts’ for bitcoin

Hank Schless, senior manager, security solutions at Lookout told SC Magazine that posing as the IT team puts attacks into a role with authority and credibility. 

‘Remote work increases the likelihood of success for the attacker because the target employee can’t walk down the hall to validate the communication with another member of the team,’ he explained. 

Jake Moore said an attack on this scale would be multi-levelled, with a range of techniques employed.

‘Posing as someone from the internal IT team clearly fooled those involved which highlights just how important constant vigilance and awareness is in all companies. 

‘We are seeing more and more high profile attacks of all sizes which acts as a reminder that cybercriminals will persistently look for cracks in the system.’

How the hacker’s ‘sloppy’ work covering their tracks made them easy to track 

The FBI were able to track down hackers who pulled off the largest Twitter breach in history because they were ‘extremely sloppy’ with how they moved their Bitcoin transactions around.

Authorities were able to obtain data about the Bitcoin addresses involved in the hack by analyzing blockchain – a ledger that records cryptocurrency transactions. 

They then traced the addresses to Coinbase – a digital currency exchange that stores Bitcoin. 

They had registered and verified their Coinbase accounts with their real driver’s licences, according to ZNET.  

One of them also used his home IP address, meaning investigators were able to easily trace his location. 

Furthermore, the alleged hackers did not move around the Bitcoin funds they received in a bid to throw detectives off the trail.  Such an act is known as ‘tumbling’, and is the digital equivalent of money laundering. 

Cybersecurity expert Jake Williams told The Associated Press that their efforts were ‘sloppy’.   

Twitter has officially stated that the hacker gained access to a company dashboard that manages accounts on July 15. 

He did this by using social engineering and spear-phishing smartphones to obtain credentials from ‘a small number’ of Twitter employees to break in to the internal systems. 

From there, the hackers targeted 130 accounts. They managed to tweet their bogus tweet from 45 prolific accounts. 

They also accessed the direct message inboxes of 36 others, and download the Twitter data from seven separate accounts. 

Leave a Comment