Twitter hack: What went wrong and why it matters?

 Cyber risk is rated at #5 in the top 10 risks facing business according to Aon’s 2017 Global Risk Management Survey and has thrown the human factor in cyber risk into sharp focus. Cybercrime is extensive, increasing in frequency, rapidness and taking longer to resolve, and at far greater costs than ever before. Covid-19 posed as a gift to cyber criminals, this pandemic offers cyber attackers’ unique opportunities to leverage existing attack tactics, techniques, and procedures to exploit new opportunities. Due to the massive increase of employees working from home, children using home computers for schooling, as well as the human factor and emotions caused by the ­pandemic are increasing risk levels.

Twitter issued its first full blog post about what happened after the biggest security lapse in the company’s history, one that led to attackers getting hold of some of the highest profile Twitter accounts in the world: including Democratic presidential candidate Joe Biden, President Barack Obama, Apple, Uber, Amazon CEO Jeff Bezos, Tesla CEO Elon Musk, Kanye West, Microsoft co-founder Bill Gates, Kanye West, Michael Bloomberg, and more.

Hackers targeted 130 accounts; successfully triggered a password reset, logged in, and tweeted from 45 of them; and only attempted to download data for that “up to eight” non-verified accounts. We do not know how many accounts they may have scanned for personal information or how many DMs they might have simply accessed or read.

Twitter confirmed that its own internal employee tools were used to facilitate the account takeovers, and suspected that its employees had fallen for a social engineering scam, now, the company is going further to say definitively that the attackers “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.” Think of this like a web form. Such tools enable the company’s engineers to handle key operations, everything from account suspensions to advertising campaigns.

Using Twitter’s internal systems, the cyber-criminals’ messages had a reach of at least 350 million people. It made them about $110,000 (£86,800) in the few hours that the scam was active. The security implications of the hack are also wide-reaching, not just for Twitter but for all social networks. Early suggestions are the hackers managed to access administration privileges, which allowed them to bypass the passwords of any account they wanted. Twitter appeared to confirm this in a tweet saying: “We detected what we believe to be a co-ordinated social-engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

It might imply a targeted phishing operation which is a common tactic employed by cyber-criminals, who find out which individuals have the keys to a system they want to enter and then target them with personal emails that trick them into handing over details or it might mean the perpetrators managed to convince one or several staff members to go rogue, by offering a financial inducement or other means.

Example: James is a hacker (with permission of course) – and according to James, the easiest way to hack into a network is by exploiting the one vulnerability most often left unpatched, human nature.

Why bother fighting through all the security management systems deployed by the company’s  competent IT department, when instead a hacker can get an employee to click on something they shouldn’t and gain full access to the infrastructure, bypassing all the costly and very best security measures? It is much easier than people think.

Part of the problem is in the question. Technical people try to solve people problems with technical solutions. IT departments get into a cat and mouse game with attackers by installing new tools to prevent cyber-attacks, while hackers simply write new exploits and code that circumvent those tools.

A far better approach is education and a reliable Cyber Security company. Cyber awareness training shows employees how they can be exploited and what to do to prevent it, drawing on real case studies.  Effective, ongoing education is key to employees being the greatest asset in the fight against cybercrime.

Nicole Govender
SecroMix Africa
Legal Counsel