Twitter says ‘phone spear phishing attack’ used to gain network access in crypto scam breach

Twitter has revealed a little more information about the security breach it suffered earlier this month, when a number of high-profile accounts were hijacked to spread a cryptocurrency scam. In a blog post, it says a "phone spear phishing attack" was used to target a small number of its employees.

"We're sharing an update based on what we know today. We'll provide a more detailed report on what happened at a later date given the ongoing police investigation and after we've completed work to further secure our service." https://t.co/8mN4NYWZ3O

— Twitter Support (@TwitterSupport) July 31, 2020

Once the attackers had successfully obtained network credentials through this social engineering method, they were in a position to gather enough information about its internal systems and processes to target other employees who had access to account support tools, which allowed them to take control of verified accounts, per Twitter's update on the incident.

"A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools," it writes.

It also claims access to account management tools is "strictly limited", and "only granted for valid business reasons". Later in the blog post Twitter notes it has "significantly" limited access to the tools since the attack, lending credence to the criticism that far too many people at Twitter were given access prior to the breach.

Last week Reuters reported that more than 1,000 people at Twitter had access, including a number of contractors. Two former Twitter employees told the news agency such a broad level of access made it difficult for the company to defend against this type of attack. Twitter declined to comment on the report.

Its update now acknowledges "concern" around levels of employee access to its tools but offers little additional detail, saying only that it has teams "around the globe" helping with account support.

Notably, the company has still not disclosed how many employees or contractors had access to its account support tools. The higher that number, the larger the attack surface that could be targeted by the hackers.

Twitter's post also offers very limited information about the specific technique the attackers used to successfully social engineer some of its employees and then be in a position to target an unknown number of other staff who had access to the secret tools. It says the investigation into the attack is ongoing, which may be a factor in how much detail it feels able to share. (The blog post notes it will continue to provide "updates" as the process continues.)

On the question of what phone spear phishing means in this specific case, it's unclear what technique was successfully able to penetrate Twitter's defences. Spear phishing generally refers to an individually tailored social engineering attack, with the added element here of phones being involved in the targeting.

One security analyst we contacted suggested a variety of possibilities.

"Twitter's latest update on the incident remains frustratingly opaque on details," said UK-based Graham Cluley. "Phone spear phishing could mean a variety of things. One possibility, for example, is that targeted staff members received a message on their phones which appeared to be from Twitter's support team, and asked them to call a number. Calling the number may have taken them to a convincing (but fake) helpdesk operator who may be able to trick users out of credentials. The staff member, believing they're speaking to a legitimate support person, may reveal far more on the phone than they would via email or a phishing site."

"Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VOIP phone service and using caller ID spoofing to pretend to be calling from a legitimate number. Or perhaps they broke into Twitter's internal phone system and were able to make it look like an internal support call. We need more details!"

"Without more detail from Twitter it's difficult to give definitive advice, but if something like that happened then telling employees the real support number to call if they ever need to, rather than relying on a message they receive on the phone, can reduce the likelihood of people being duped," Cluley added.

It now says the attackers used the stolen credentials to target 130 Twitter accounts, going on to tweet from 45; access the DM inbox of 36; and download the Twitter data of 7 (previously it reported 8, so perhaps one attempted download did not complete). All affected account holders have been contacted directly by Twitter at this point, per its blog post.

"This attack relied on a concerted and substantial effort to deceive certain employees and exploit human vulnerabilities to gain access to our internal systems," Twitter adds, calling the incident "a striking reminder of how important each person on our team is in protecting our service".