
Twitter VIP account hack highlights the danger of insider threats


The account compromise raises questions about Twitter’s controls. Experts weigh in on best practices for mitigating risk from malicious or accidental insider threats.
Most companies put a lot of effort into securing their network perimeters against remote attacks, but they rarely pay the same attention to threats that originate inside the organization. The attack earlier this week that hijacked Twitter accounts belonging to high-profile individuals and brands is a textbook example of the damage a malicious or duped insider, combined with weak monitoring of privileged access, can do to a business.
On Wednesday, the Twitter accounts of business leaders, artists, politicians and popular brands posted messages that instructed users to send bitcoins to an address as part of a cryptocurrency scam. Impacted accounts included those of Elon Musk, Bill Gates, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Kim Kardashian, Mike Bloomberg, Uber, Apple and even Twitter’s own official support account.
Attackers often impersonate celebrities on Twitter to post similar scam messages, but those campaigns are usually done with fake accounts with few followers. In this case, the rogue messages were posted from verified accounts, which have a checkmark next to their name and whose real identity has been verified by Twitter. This gave more credibility to the scam and allowed it to instantly reach hundreds of millions of users. It’s estimated that attackers earned around $120,000 as a result.
Twitter responded by temporarily suspending the ability of all verified accounts to post new messages and immediately launched an investigation. How could attackers gain access to so many accounts at once? It was achieved by compromising one or more Twitter employees who had access to an internal tool that’s used to manage user accounts.
Some screenshots of the tool were posted on Twitter, but the company deleted them citing violations of its terms of service. The tool seems to allow Twitter employees to perform a number of privileged actions such as suspending accounts, blacklisting tweets and even changing the email addresses associated with accounts, a feature the attackers abused to take over the accounts.
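The point about poor privileged access monitoring deserves a concrete illustration. The following is an added example written for this page, not Twitter's tooling or code and not part of the original article: a small Python detector that reads a constructed audit log from a hypothetical account-management tool and raises an alert when a single operator performs account-takeover-capable actions (email change, 2FA disable, password reset) on several verified accounts inside a short window. The log format, field names, operator IDs, account handles and thresholds are all assumptions made for the example.

```python
"""Detect a burst of takeover-capable admin actions by one operator.

Illustrative detection logic only; not Twitter's tooling. The audit-log
format, field names and thresholds below are assumptions for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that let an operator take over an account rather than moderate it.
# Suspending an account or hiding a tweet is noisy but not a takeover.
SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "reset_password"}

# Constructed sample audit log (JSON lines). op-17 changes the email on three
# verified accounts in under two minutes; op-42 handles ordinary user tickets.
SAMPLE_LOG = """
{"ts": "2020-07-15T20:01:10Z", "operator": "op-17", "action": "suspend_account", "target": "@spam123", "verified": false}
{"ts": "2020-07-15T20:02:30Z", "operator": "op-17", "action": "change_email", "target": "@brand_a", "verified": true}
{"ts": "2020-07-15T20:03:05Z", "operator": "op-17", "action": "change_email", "target": "@exec_b", "verified": true}
{"ts": "2020-07-15T20:03:40Z", "operator": "op-17", "action": "change_email", "target": "@celeb_c", "verified": true}
{"ts": "2020-07-15T20:04:12Z", "operator": "op-17", "action": "disable_2fa", "target": "@celeb_c", "verified": true}
{"ts": "2020-07-15T20:20:00Z", "operator": "op-42", "action": "change_email", "target": "@user_d", "verified": false}
{"ts": "2020-07-15T21:30:00Z", "operator": "op-42", "action": "change_email", "target": "@user_e", "verified": false}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_bursts(events, window=timedelta(minutes=10), threshold=3,
                  verified_only=True):
    """Return one alert per operator whose sensitive actions touch at least
    `threshold` distinct (verified) accounts inside a sliding `window`."""
    recent = defaultdict(deque)   # operator -> deque of (timestamp, target)
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        if verified_only and not ev.get("verified", False):
            continue
        q = recent[ev["operator"]]
        q.append((ev["ts"], ev["target"]))
        # Drop entries that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold and ev["operator"] not in alerted:
            alerted.add(ev["operator"])
            alerts.append({
                "operator": ev["operator"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "targets": sorted(targets),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed log; flags op-17 only."""
    return detect_bursts(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The rule keys on distinct targets rather than raw event counts so that repeated actions on one contested account do not trip it, and it restricts itself to verified accounts by default because that is where a takeover does the most damage; in practice such a rule would sit beside per-operator baselines and require a second approver for these actions rather than only alerting after the fact.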
Motherboard cited two of the attackers who claimed they bribed a Twitter employee for access to the control panel. Twitter, however, said the compromise was the result of "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
"We believe approximately 130 accounts were targeted by the attackers in some way as part of the incident," the company said via its support account. "For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts."
Since few details are available from the official investigation, it's hard to say what exactly Twitter means by "social engineering." The company could be using the term loosely to cover anything from a phishing attack that stole employee credentials to attackers successfully bribing an employee. Both scenarios fall into the insider threat category, but they are different attack vectors (unwitting insider versus malicious insider) and call for somewhat different preventive measures.
The term unwitting insider generally refers to an employee who gives an attacker access unintentionally, through a lapse in judgement or a lack of training. Examples include holding a door to a restricted area open for someone carrying a large package without checking whether they have an access card or company ID; plugging a USB stick found on the lobby floor, or received in the mail, into a work computer to see what's on it; transferring money to a third party after receiving a spoofed email from a manager without confirming the request by phone; or clicking a link in an email and entering a username and password on a phishing site.
