On July 15th, confusion stirred on the popular social media platform Twitter, as large companies such as Apple, Uber, and many big-name CEOs such as Elon Musk, Jeff Bezos, and Bill Gates posted “giving away free bitcoins”. Even though cryptocurrency scams targeting the microblogging giant are not new, and usually performed by hijacking verified accounts and changing the username to someone “trusted” (the scammers’ usual MO), this attack is unique.

Twitter employees targeted

The announcement came from Twitter through a series of tweets, claiming the attack originated from coordinated social engineering attacks targeting employees.

Once the cybercriminals managed to take control of several management dashboards, they were able to scam high profile Twitter accounts. According to Twitter, these accounts were victim to attack for about 30 minutes before the situation was addressed.

The Scam

Victims received a request to send a specified BTC amount to a certain crypto wallet, dictating the “trusted” person or company would then return double the amount of BTC. Several tweets, such as the below, only contained a crypto wallet address without links or URLs. Investigators claim it is almost impossible to determine who is behind this cryptocoin account. 

Other tweets posted on cryptocoin exchange company accounts contained a URL referring to cryptoforhealth[.]com. The website was taken down by NameSilo, the registrar company from which the domain name is taken. 

The screenshot taken by the Wayback Machine at 7:23 pm shows the content of the website at the time. The same BTC account appears, indicating this activity is likely part of the same attack.

Records show the scammers collected 12.87 BTC (worth to almost $117,000).

How scammers obtained access

Twitter’s announcement does not provide much information about the details of the attack, other than it is a result of social engineering attacks targeting their employees. Cybersecurity researchers started to share screenshots of the admin panel that attackers allegedly used to perform their scams. 

Researchers speculate the remote working environment might have helped attackers gain access to the Twitter employees. Once they hijacked the employees’ system at his/her home, they were able to reach the Twitter systems likely through VPN connections using employee credentials.

Takeaways 

Although many details have not yet been revealed, many important takeaways are already prevalent based on the flood of information on the internet.

All management panels should have 2FA

If a panel, interface, dashboard, or service gives admin operations to a user, two-factor authentication is a must.

Take precautions against social engineering attacks

Social engineering attacks are quite difficult to prevent, especially if they are targeted attacks. The cybersecurity awareness of employees should be as high as possible. Keep awareness training frequently.

Remote access rights of authorized personnel should be different than regular employees

With the Covid-19 outbreak, many companies still encourage remote working policies. Some employees’ privileges are riskier than others. For those employees, remote access rights should be more strict and there should be more authentication processes.

Segmentation is a must

Employees should not be able to reach important systems. Try to segment the system as much as possible and disseminate the privileges. Zero-trust policy is difficult to perform, but it can save the company from cyber attacks.

Perform frequent penetration and red-team testing

Assume Breach policies are important. Even though large companies invest large amounts on cybersecurity, it should be tested through penetration tests and red-teaming tests. The test environment can be extended to homes if remote working is largely applied.

Consider social media platforms as third parties

Social media platforms are mediums for digital marketing and increase communication with customers. Hence, they become a critical vendor for companies and organizations and should be continuously monitored as part of a third-party risk management program.

Featured image by Kon Karampelas on Unsplash