What do Kanye West, Jeff Bezos, Kim Kardashian, Wiz Khalifa, Barack Obama, Bill Gates, Michael Bloomberg and Elon Musk have in common?
Answer: on Wednesday 15 July, all their Twitter accounts issued suspiciously similar tweets urging followers to send quantities of Bitcoin to a particular web address, coupled with a promise that whoever was on the receiving end would return those sums doubled.
It seemed like the perfect get-rich-quick scheme: click the link, send your Bitcoin to the stated address, then sit back and wait for double the amount to roll back in. It looked too good to be true.
Which is precisely what it was.
The whole thing was a scam… and it wasn’t just those high-profile public figures and entrepreneurs whose accounts had been compromised. The Twitter feeds of cryptocurrency platforms Binance, Coinbase and Gemini were also hijacked – as were those of prominent non-financial corporates Apple and Uber.
Given the fame and followings of the affected people and organisations, combined with visibility among non-followers through likes and retweets, estimates have put the scam’s reach at around 350 million people.
On Thursday 16 July, Twitter CEO Jack Dorsey issued a deflated tweet saying: “Tough day for us at Twitter. We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”
Later that day, Twitter Support – the social network’s internal squad of trouble-shooters – published a thread of tweets providing further details, wrapped up in a bombshell.
It said: “Our investigation is still ongoing but here’s what we know so far: We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
It added: “We know they used this access to take control of many highly visible (including verified) accounts and tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
In a startling 16 July report, Motherboard – the tech arm of online culture journal VICE – revealed that it had spoken to two sources involved with the hack, one of which told the site: “We used a [Twitter] rep that literally did all the work for us.”
The second claimed that they had paid an insider to obtain systems access.
In all, Motherboard said, four sources close to – or inside – the underground hacking community had provided the site with screenshots of the internal user tool with which Twitter staff make technical changes to the platform’s service.
Two sources told Motherboard that the same control panel was used to change ownership of key ‘OG’ Twitter accounts – i.e. those with handles consisting of only one or two characters – and to publish the cryptocurrency scam tweets from the high-profile feeds.
That would be alarming enough on its own, were it not for further recent hacking incidents – this time with serious implications for public health.
On 17 July, UK security minister James Brokenshire told BBC Radio 4’s Today programme that the National Cyber Security Centre and its US and Canadian counterparts were “95%-plus satisfied” that Russian state-sponsored hackers had targeted Western pharma firms and research groups that are working on the development of a coronavirus vaccine.
Brokenshire provided no specifics about which organisations had been affected, nor whether the hacks had succeeded.
However, he stressed: “It’s just completely unacceptable when we have organisations that are working so incredibly hard in our COVID response in trying to find a vaccine that agents linked to the Russian state should have taken this action to try and steal intellectual property.”
Brokenshire also addressed defensive measures. In his Today interview, he confirmed that the government has advised UK vaccine developers to enable two-factor authentication across their computer systems.
“By raising awareness,” he said, “it is about putting people on notice to be on their guard – to have the highest level of protection that they can.”
Some fitting comments have emerged from James Carder, CISO and vice president at global cybersecurity firm LogRhythm. His thoughts should give any company pause to consider whether its IT systems are robust enough, in an age when companies’ online arms are increasingly business critical and social engineering has become such a scourge.
Examining the Twitter hack, he noted: “Given the high profile of both the platform and its verified users, this demonstrates just how effective social engineering attacks can be, and how they can rapidly lead to a massive-scale hack of extremely wide impact.
“Specifically, this attack was used to perpetrate a financial scam and, fortunately, the attackers made a number of errors, which enabled Twitter to identify it relatively quickly. Had the hackers had a company stock price in their sights… or an ill political motivation, or communicated a bogus safety message from Twitter’s Support page, the impact could have been much more damaging.”
He pointed out: “In the aftermath of this hack, Twitter should examine the case for zero trust – particularly utilising multifactor authentication, coupled with behavioural indicators, to validate all usage of highly sensitive functionality.
“This will ensure additional out-of-band verification is prompted when particular functionality is used – which can thwart an attacker before compromise occurs.”
Carder added: “Constant vigilance, and specific attention to the functionality included in a platform – and how that functionality is accessed and delivered – must be a top priority moving forth for Twitter.”
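To make Carder’s recommendation concrete, here is an added example of the kind of gate he describes: a policy check in front of a hypothetical internal support tool that permits a sensitive change only from an enrolled device with a fresh, phishing-resistant MFA assertion, and demands out-of-band approval from a second operator for protected accounts or for a burst of changes. This is illustration written for this article, not Twitter’s code; the tool, the action names, the account watch-list and the HMAC-based approval token are all assumed.

```python
# Added example (not Twitter's code): a zero-trust style gate for a hypothetical
# internal support tool. Every name and constant here is assumed for illustration.
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

APPROVAL_KEY = b"constructed-demo-key"   # a real deployment keeps this in a KMS/HSM
MFA_MAX_AGE_S = 5 * 60                   # sensitive actions need an MFA assertion this fresh
RATE_WINDOW_S = 60 * 60
RATE_LIMIT = 5                           # this many sensitive actions per hour counts as a burst
SENSITIVE_ACTIONS = {"change_account_email", "reset_2fa", "transfer_handle"}
PROTECTED_ACCOUNTS = {"elonmusk", "billgates", "barackobama"}   # constructed watch-list


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # prompt out-of-band verification before the action proceeds
    DENY = "deny"


@dataclass
class Session:
    operator: str
    device_id: str
    mfa_method: Optional[str] = None   # "webauthn", "totp" or None
    mfa_at: Optional[float] = None     # epoch seconds of the operator's last MFA assertion
    approval: Optional[str] = None     # hex HMAC handed over out-of-band by a second operator


@dataclass
class Context:
    known_devices: Dict[str, Set[str]]   # operator -> enrolled device ids
    approvers: Set[str]                  # operators allowed to co-sign a sensitive action
    recent_actions: Dict[str, List[float]] = field(default_factory=dict)


def approval_token(approver: str, operator: str, action: str, target: str) -> str:
    """Token a second operator issues for exactly one (operator, action, target) triple,
    so an approval obtained for one account cannot be replayed against another."""
    msg = f"{approver}|{operator}|{action}|{target}".encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()


def approval_valid(session: Session, action: str, target: str, approvers: Set[str]) -> bool:
    if session.approval is None:
        return False
    return any(
        hmac.compare_digest(session.approval, approval_token(a, session.operator, action, target))
        for a in approvers if a != session.operator   # self-approval never counts
    )


def evaluate(session: Session, action: str, target: str, ctx: Context,
             now: Optional[float] = None) -> Tuple[Decision, str]:
    """Decide one tool invocation; an allowed sensitive action is recorded for rate checks."""
    now = time.time() if now is None else now
    if action not in SENSITIVE_ACTIONS:
        return Decision.ALLOW, "not a sensitive action"
    if session.device_id not in ctx.known_devices.get(session.operator, set()):
        return Decision.DENY, "unenrolled device"   # phished credentials on an attacker's box
    if session.mfa_method != "webauthn":
        return Decision.STEP_UP, "phishing-resistant MFA required"   # TOTP codes can be phished
    if session.mfa_at is None or now - session.mfa_at > MFA_MAX_AGE_S:
        return Decision.STEP_UP, "MFA assertion stale; re-authenticate"
    history = [t for t in ctx.recent_actions.get(session.operator, []) if now - t <= RATE_WINDOW_S]
    burst = len(history) >= RATE_LIMIT
    protected = target in PROTECTED_ACCOUNTS
    if (burst or protected) and not approval_valid(session, action, target, ctx.approvers):
        why = "burst of sensitive actions" if burst else "protected account"
        return Decision.STEP_UP, f"{why}; second-operator approval required"
    ctx.recent_actions.setdefault(session.operator, []).append(now)
    return Decision.ALLOW, "ok"


def demo() -> Dict[str, Decision]:
    """Constructed scenarios; returns the decision for each so they can be checked."""
    now = 1_600_000_000.0
    ctx = Context(known_devices={"alice": {"laptop-1"}}, approvers={"bob"})
    act = "change_account_email"
    fresh = Session("alice", "laptop-1", "webauthn", now - 30)
    out = {
        "creds_phished_new_device": evaluate(Session("alice", "attacker-box", "totp", now - 30),
                                             act, "someuser", ctx, now)[0],
        "totp_only": evaluate(Session("alice", "laptop-1", "totp", now - 30), act, "someuser", ctx, now)[0],
        "stale_mfa": evaluate(Session("alice", "laptop-1", "webauthn", now - 3600), act, "someuser", ctx, now)[0],
        "routine": evaluate(fresh, act, "someuser", ctx, now)[0],
        "protected_no_approval": evaluate(fresh, act, "elonmusk", ctx, now)[0],
    }
    fresh.approval = approval_token("bob", "alice", act, "elonmusk")
    out["protected_approved"] = evaluate(fresh, act, "elonmusk", ctx, now)[0]
    out["approval_replayed_on_other_target"] = evaluate(fresh, act, "billgates", ctx, now)[0]
    fresh.approval = approval_token("alice", "alice", act, "billgates")   # self-approval attempt
    out["self_approval"] = evaluate(fresh, act, "billgates", ctx, now)[0]
    fresh.approval = None
    for i in range(RATE_LIMIT):   # a run of routine changes, then one more
        evaluate(fresh, act, f"user{i}", ctx, now + i)
    out["burst"] = evaluate(fresh, act, "user-next", ctx, now + RATE_LIMIT)[0]
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:36s} {decision.value}")
```

The point of the structure is that a social-engineered employee, or a bought insider, still cannot act alone on what matters: the unenrolled device is refused outright, a phishable second factor does not count for sensitive functions, the approval token is bound to the exact operator, action and target so it cannot be replayed, and a run of account changes triggers the same second-operator prompt that a protected account does.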
Turning to the hacks on COVID-19 vaccine developers, he explained: “Organisations must make certain that they have the proper policies and strategies in place to identify and respond to the increase in cyberthreats that we have seen throughout the pandemic.
“It’s become a cliché, but nonetheless true, that people, process and technology are needed in order to protect against determined attackers. A busy researcher focused on COVID-19 research is unlikely to have cybersecurity at top of mind.”
As such, he said: “Basic education on handling email, and training on red flags to look out for – such as an email having unnecessarily urgent language, or news that’s a bit too good to be true – can help users who are perhaps not fully attentive to phishing emails.
“Implementing automatic phishing intelligence software to detect and report phishing attacks can also empower companies to better deflect [them].”
Carder also recommended endpoint protection, network control solutions and general security awareness programmes as effective ways to help safeguard a company’s data.
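As an added illustration of the kind of automated phishing check Carder refers to (not LogRhythm’s or any vendor’s product), the following scores a raw email against the red flags listed above: urgency language, a too-good-to-be-true lure such as the Bitcoin “doubling” offer, a sender impersonating an internal team, a Reply-To that points elsewhere, a lookalike domain, and a link whose visible text shows a different host from its real target. The organisation domain, the weights and the three sample messages are constructed for the example.

```python
# Added example (not LogRhythm's software): a small phishing-indicator scorer run
# over constructed messages. The organisation domain and weights are assumed.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

ORG_DOMAIN = "example-research.org"          # constructed: the defended organisation
ORG_BASE = ORG_DOMAIN.split(".")[0]          # "example-research"
HOMOGLYPHS = str.maketrans("1035", "loes")   # cheap lookalike normalisation: examp1e -> example
URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|within \d+ hours?|act now|suspended|final notice)\b", re.I)
LURE = re.compile(r"\b(you have won|double your|free (?:bitcoin|gift)|claim your (?:prize|reward|funds))\b", re.I)
INTERNAL_ROLE = re.compile(r"\b(?:support|helpdesk|security|payroll|hr)\b", re.I)
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)
TAG = re.compile(r"<[^>]+>")
WEIGHTS = {"reply_to_mismatch": 2, "impersonated_internal_sender": 2, "lookalike_domain": 3,
           "link_target_mismatch": 3, "urgency_language": 2, "too_good_to_be_true": 3}
THRESHOLD = 4   # report as phishing at or above this score


def host_of(s: str) -> Optional[str]:
    m = HOST.search(s)
    return m.group(1).lower() if m else None


def is_lookalike(host: Optional[str]) -> bool:
    """External host that, after homoglyph normalisation, contains the organisation's name."""
    if not host or host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN):
        return False
    return ORG_BASE in host.translate(HOMOGLYPHS)


def analyze(raw: str) -> Dict:
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    reply_dom = reply_to.rsplit("@", 1)[-1].lower() if reply_to else None
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = f"{msg.get('Subject', '')}\n{TAG.sub(' ', body)}"
    links = LINK.findall(body)
    findings: List[str] = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")
    if from_dom != ORG_DOMAIN and INTERNAL_ROLE.search(display or ""):
        findings.append("impersonated_internal_sender")
    if any(is_lookalike(h) for h in [from_dom] + [host_of(href) for href, _ in links]):
        findings.append("lookalike_domain")
    if any(host_of(TAG.sub("", anchor)) not in (None, host_of(href)) for href, anchor in links):
        findings.append("link_target_mismatch")
    if URGENCY.search(text):
        findings.append("urgency_language")
    if LURE.search(text):
        findings.append("too_good_to_be_true")
    score = sum(WEIGHTS[f] for f in findings)
    return {"score": score, "findings": findings, "verdict": "phishing" if score >= THRESHOLD else "ok"}


# Constructed sample messages (no real senders or domains).
PHISH = """\
From: "Example Research IT Support" <helpdesk@examp1e-research-login.com>
To: researcher@example-research.org
Reply-To: collect@mailbox-relay.net
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Your lab account will be suspended unless you act now.</p>
<p><a href="http://examp1e-research-login.com/verify">https://sso.example-research.org/verify</a></p>
</body></html>
"""

SCAM = """\
From: "Giveaway Team" <team@crypto-give-back.example>
To: researcher@example-research.org
Subject: Double your Bitcoin today
Content-Type: text/plain

Send 0.1 BTC and we will double your payment. Act now, only for the next 30 minutes.
"""

BENIGN = """\
From: "Lab Calendar" <calendar@example-research.org>
To: researcher@example-research.org
Subject: Group meeting moved to Thursday
Content-Type: text/html

<html><body><p>The weekly group meeting moves to Thursday 10:00.
Agenda: <a href="https://wiki.example-research.org/agenda">https://wiki.example-research.org/agenda</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("SCAM", SCAM), ("BENIGN", BENIGN)):
        print(name, analyze(raw))
```

Each signal on its own is weak (urgent wording appears in legitimate mail too), which is why the verdict is a weighted sum rather than any single match; the lookalike and link-mismatch checks carry the most weight because they are hard for a non-specialist reader to notice and are rarely present in genuine internal mail.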
Matt Packer is a freelance business, finance and leadership journalist