On Wednesday, July 15, Twitter fell victim to a social engineering cyberattack. The goal: to scam internet users out of their cryptocurrencies.
Hackers took control of more than 130 accounts (source: Les Echos). They impersonated famous personalities and trusted companies: Barack Obama, Elon Musk, Jeff Bezos, Joe Biden, Bill Gates, Kanye West, as well as Bitcoin, Apple, Uber, Binance, and many others.
Twitter: Scammed with Bitcoin
The hackers sent a tweet to each of the online communities. They guaranteed them an irresistible offer: invest $1,000 within 30 minutes to get double your money back, i.e., $2,000.
More than an hour after the attack, many internet users were still unable to tweet. Blocking tweets was one of the first security measures Twitter took after the cyberattack alert; it also made it impossible to reset passwords.
According to Blockchain.com, the fraudsters nevertheless managed to steal nearly 12.58 Bitcoins (approximately $116,000 or €101,000). The fraudsters' (unique) transaction address also recorded more than 350 money transfers.
Twitter phone phishing and social engineering cyberattack
Twitter confirmed that this was indeed a "coordinated social engineering attack." The attack "successfully targeted some of our employees who have access to our internal tools." (source: Le Monde).
Twitter employees, tricked by hackers via a telephone phishing attack, reportedly gave them access to an internal Twitter tool. This tool, an administrative control panel, is used to manage Twitter accounts. This is how the hackers took control of several email addresses in order to impersonate influential individuals and companies.
Human vulnerability will always be a weak point in any risk mitigation strategy. Establishing a culture of security awareness in the workplace can help reduce these risks.
This cyberattack discredits Twitter
This isn't the first time Twitter has had to deal with a security issue, and each time its image is tarnished. This time even more so because, according to Bloomberg, employees of a subcontractor were using Twitter's internal tools to spy on the accounts of certain international celebrities. Information gathering, collection of location data and the like are all malicious cyber acts that damage the image of the blue bird, and they were practices that were known internally but never stopped (source: La Nouvelle Tribune).
What is a social engineering cyberattack?
Social engineering is a psychological manipulation technique used by hackers to obtain information (data, passwords, usernames, etc.). The practice relies on abuse of trust and exploitation of human weaknesses. To obtain information about their target, hackers will not hesitate to investigate via email, social media, phone calls, and even a "casual encounter and conversation" on the street.
Generally, victims are unaware that they are being deceived because hackers play on their emotions and/or interests to scam them. Fear, stress, enthusiasm, etc.: it is easier to exploit human weaknesses than to try to break in through an organization's technical vulnerabilities.
This is the type of cyberattack that affected Snapchat in 2016. A hacker stole the identity of the HR manager and sent a phishing email to an employee. The employee, who was tricked, sent the hacker a file containing the company's payroll information.
It is therefore important to remain vigilant about what is published on the web and to know what steps to take to avoid social engineering attacks.