The Attack That Broke Twitter Is Hitting Dozens of Companies (wired.com) 32
An anonymous reader quotes a report from Wired: Phone spear phishing" attacks have been on the rise since a bitcoin scam took over the social media platform in July. When law enforcement arrested three alleged young hackers in the US and the UK last month, the story of the worst-known hack of Twitter's systems seemed to have drawn to a tidy close. But in fact, the technique that allowed hackers to take control of the accounts of Joe Biden, Jeff Bezos, Elon Musk, and dozens of others is still in use against a broad array of victims, in a series of attacks that began well before Twitter's blowup, and in recent weeks has escalated into a full-blown crime wave.
But Twitter is hardly the only recent target of "phone spear phishing," also sometimes known as "vishing," for "voice phishing," a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies -- including banks, cryptocurrency exchanges, and web hosting firms -- have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that's been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company's services -- most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services. "Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries," says Allison Nixon, who serves as chief research officer at cybersecurity firm Unit 221b and assisted the FBI in its investigation into the Twitter hack. "I've seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn't think are soft targets. And it's happening repeatedly, like the companies can't keep them out."
While the perpetrators don't appear to be state-sponsored hackers or foreign cybercrime organizations, it may be only a matter of time until they're adopted by these foreign groups who contract out the phone calls to English-speaking phone phishers.
But Twitter is hardly the only recent target of "phone spear phishing," also sometimes known as "vishing," for "voice phishing," a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies -- including banks, cryptocurrency exchanges, and web hosting firms -- have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that's been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company's services -- most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services. "Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries," says Allison Nixon, who serves as chief research officer at cybersecurity firm Unit 221b and assisted the FBI in its investigation into the Twitter hack. "I've seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn't think are soft targets. And it's happening repeatedly, like the companies can't keep them out."
While the perpetrators don't appear to be state-sponsored hackers or foreign cybercrime organizations, it may be only a matter of time until they're adopted by these foreign groups who contract out the phone calls to English-speaking phone phishers.
Maybe do not use "cheaper than possible" security? (Score:2)
That includes cheaper than possible insight-challenged personnel and internal procedures and processes that are so impossible to work with that everybody works around them. Doing security cheaply and incompetently sooner or later backfires. It may take a while though.
Re: (Score:2)
It doesn't matter if you use cheap or expensive security, it's only as good as the people who use it.
For example, I was recently contacted by someone using an external account asking for access to my laptop over webex. They weren't in the corporate address book, so they didn't get access to my laptop until one of our senior managers in the IT department confirmed that this person was a contractor working for them. It probably wasted half an hour of everyone's time but that's the rubbish we have to go throu
Re: (Score:2)
It doesn't matter if you use cheap or expensive security, it's only as good as the people who use it.
It matters very much. Bad security makes it too easy to shoot yourself in the foot, either by making it actually easy or my making getting work done so hard everybody works around the security measures.
Sure, users are a problem as well. Most cannot understand abstract threats at all. But, quite frankly, why give these people access to confidential data in the first place? If they cannot use IT equipment competently, then they should not have access to IT equipment. This is just a risk management fail on the
Security keys FTW (Score:2)
This is why corporations should all implement security keys for 2FA, because they're unphishable. By security key I mean the little dongles like this one from Yubikey [yubico.com] or one of these from Google [google.com]. They contain a secure microprocessor that delivers a challenge-based cryptographic authentication via USB or bluetooth to the machine that is attempting to log in. An attacker can social engineer employee passwords, but they then have to physically steal the user's security key as well. Or they have to find a way
Always a way around, for support (Score:1)
This is why corporations should all implement security keys for 2FA, because they're unphishable.
They aren't though because you always have to provide some means to bypass them for support purposes. You cannot make something that a lot of people will lose access to, the only passable way to unlock or enter an account. It just doesn't work from a customer service perspective.
Re: (Score:3)
This is why corporations should all implement security keys for 2FA, because they're unphishable.
They aren't though because you always have to provide some means to bypass them for support purposes. You cannot make something that a lot of people will lose access to, the only passable way to unlock or enter an account. It just doesn't work from a customer service perspective.
For customers, sure, you probably need to give them a choice because most won't be smart enough to keep a backup key in a safe deposit box or somewhere else safe in case they lose the other one. For your employees and contractors (especially the fucking contractors), no. For them you can have a more stringent verification process when a key is lost or stolen. If it's lost, you go to whomever in the office issues them and get it replaced and your old one revoked, or they FedEx it to your home address (which
Sure, but not for Twitter (Score:1)
I agree about enterprise requirements but since we are talking specifically about Twitter, that's why I was saying it's not really feasible...
You could even think about maybe reuqring this for blue-checks but consider the kind of people who are blue-checks on Twitter. No way can even a majority of them handle stringent TFA requirements and they would leave the platform if so required. Twitter lives by the Blue-Checks...
Re: (Score:3)
I agree about enterprise requirements but since we are talking specifically about Twitter, that's why I was saying it's not really feasible...
You could even think about maybe reuqring this for blue-checks but consider the kind of people who are blue-checks on Twitter. No way can even a majority of them handle stringent TFA requirements and they would leave the platform if so required. Twitter lives by the Blue-Checks...
We are talking specifically about Twitter employees. The account takeovers were done using Twitter's admin tools.
The hackers, Twitter wrote in a postmortem blog post about the incident, had called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.
Re: (Score:1)
We are talking specifically about Twitter employees. The account takeovers were done using Twitter's admin tools.
Ok, I see what you mean here. True that would have protected more against this particular attack, but doesn't prevent takeovers of Twitter accounts that have happened off and on.
Re: (Score:2)
Re: (Score:2)
If someone takes over a twitter account, that's the twit's fault. If someone takes over Twitter's admin tools, they can take over *all* the Twitter accounts, and that's most definitely Twitter's problem.
Re: (Score:2)
This is why corporations should all implement security keys for 2FA, because they're unphishable.
They aren't though because you always have to provide some means to bypass them for support purposes. You cannot make something that a lot of people will lose access to, the only passable way to unlock or enter an account. It just doesn't work from a customer service perspective.
Sure, support can verify the employee's identity (usually in-person, but a three-way video-conference with the employee, their manager and IT support works pretty well), then provide an alternate login mechanism. But that's an entirely different attack model, where you're trying to fool IT support staff that you are the employee, rather than fool the employee that you are IT support staff. The former is easy to make extremely difficult, the latter... not so much.
Re: (Score:2)
Gee, what did people do before we had passwords? Oh, right, a master, or a second set of keys.
The problem with hardware keys is people lose them, not that you can't have a second key for (legit) IT to use.
On the other hand, if your employees are giving out passwords over the phone either a) they're dumb, b) they're incredibly poorly trained, or c) your procedures suck and actually require them to do that sometimes.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
How do you do remote logins to systems where your hardware key can't be mapped to the remote system? Maybe this works with vendor-proprietary remote access software (like MS RDP, Citrix, etc) or browser plug-ins, but now it starts to seem kind of vulnerable to attack at some level.
Are we back to just typing in the numbers that appear on an RSA keyfob, which presumably can be phished via phone call?
Re: (Score:3)
Re: (Score:1)
Screw 2FA. It's nothing but harassment. I'll give you an example. We have hundreds of Adobe accounts. Some get prompted to input a code when activating their product, some don't. Some who have already activated their account get prompted while others don't. Some people, signing in for the very first time, get prompted for a code while others don't. There is no rhyme or reason why some get prompted and some don't, or why it rotates aroun
Re: (Score:2)
Screw 2FA
Your post is more of a "screw Adobe" story...
Half a century (Score:2)
As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools.
These types of attacks have been around for half a century, this is nothing new - it is amazing that these supposedly brilliant young tech workers are falling for the same social engineering hacks their grandparents did back in the seventies!
FFS "Big Tech" - simply tell every employee that "IT" will not call them asking for their user-ID or password!
Re: (Score:2)
I would sooner say these kinds of attacks have existed as long as the concept of a password has.
Re: (Score:2)
These types of attacks have been around for half a century, this is nothing new - it is amazing that these supposedly brilliant young tech workers are falling for the same social engineering hacks their grandparents did back in the seventies!
Completely agree, this is _exactly_ how our local hackers operated in the eighties. Only differences are that they had to get the line number to the modem bank first, and that they could easily claim to have left their (paper) agenda with all the numbers at home.
Social engineering > Security
Used to snag passwords off a 370 mainframe ... (Score:2)
Remember Kevin Mitnick? (Score:1)
Re: (Score:3)
Kevin MItnick's training is spot-on, and for many of us it is so obvious as to be insulting.
Most people have a basic level of trust for others, they tend to do what they are told (this is WHAT makes them good employees, after all), and they don't think about anything any harder than they have to. So when someone calls them up on their work phone claiming to be IT, and sounding like they know what they are talking about, people just answer the questions. After all, that is the polite and helpful thing to d
Worth thinking about (Score:2)
Three possibilities. One, they got the wrong guy for the Twitter based bitcoin scam. Two, he was working with a group of people and they were more organized than it appeared. Three, he's a trend setter and some criminal organization put together a coordinated effort in a hurry.