Access Management , Account Takeover Fraud , Cybercrime

Twitter Hijackers Used Well-Honed Fraudster Playbook

Customer Service Representatives Have Long Been Targeted for Account Takeovers
Twitter Hijackers Used Well-Honed Fraudster Playbook
Photo: Kevin Krejci via Flickr/CC

The hijacking of more than 130 high-profile Twitter accounts last week is extraordinary in at least one respect: that it didn’t happen sooner.

See Also: Beyond MFA: The Trick to Securing Machine Identities

As online companies have improved their security protections to prevent account hijacking, attackers have looked for new ways to overcome those barriers. Many have turned to social engineering to gain an inside path, and Twitter says this is how attackers last week managed to hijack the accounts of multiple business executives, politicians and celebrities, including former Vice President Joe Biden, former President Barack Obama, Tesla CEO Elon Musk and Microsoft founder Bill Gates.

Although its investigation remains ongoing, Twitter says that the attackers “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”

By social manipulation, it's unclear if Twitter means that employees were tricked or rather - as some have suggested - if they may have willingly assisted the attackers (see: The Insider Threat: A Growing Concern).

A total of 130 accounts were targeted, Twitter says. Via Twitter's own internal tools, attackers were able to complete a password reset for 45 accounts, log into the accounts and use them to send tweets. Also, for up to eight non-verified accounts, Twitter says the attackers downloaded all of the information associated with the account using the “Your Twitter Data” tool, which would include direct messages and potentially sensitive information.

Many of the seized accounts - including those for Obama, Biden, Musk and Gates - were then used to send tweets asking people to send bitcoin, in what was a very common-looking type of virtual currency scam.

As Twitter moved to lock down the problem, it froze numerous accounts, preventing many users from being able to tweet and/or to reset passwords, generating angry tweets from users in response.

Getting Inside Access

So how do attackers successfully pierce a well-resourced, billion-dollar company such as Twitter? Absent exploiting a software vulnerability, the answer is that they either need to trick an insider or recruit one.

Twitter hasn’t specified if one or both of those specific tactics occurred. But Motherboard has reported that two sources who claim involvement in the attacks say that a Twitter employee was paid to help.

Recruiting an insider is a technique that has been long-used against telecommunication companies to hijack a phone number, also known as SIM swapping or SIM hijacking, says Allison Nixon, chief research officer at Unit 221B, a New York-based cybersecurity consultancy. SIM swapping or hijacking refers to the practice of transferring someone's phone number to another SIM card, often with the intention of capturing two-step verification codes sent by banks or other services, or resetting account passwords.

Allison Nixon

Last year, U.S. federal employees charged two former AT&T contractors and one Verizon employee with helping enable a SIM-swapping scheme aimed at compromising cryptocurrency accounts. The employee and contractors had allegedly been bribed (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).

Large online and telecommunication companies often employ scores of employees to help their users resolve problems, such as being locked out of their account, Nixon says, and they’re not well paid.

“There’s a bit of an economic asymmetry here,” Nixon tells Information Security Media Group. “You’ve got people who’ve got access to something with a black-market value that’s way higher than their actual paycheck. So there will always be that tension even if people never break the rules.”

Both insider recruitment and social engineering have been well-practiced by some users on a notorious forum called OGUsers, which is a marketplace and forum for a variety of digital goods. Also, OGUsers has previously been in the spotlight for SIM hijacking and SIM swapping scams. And last week, attention again turned to the forum, as early clues emerged there pointing to how the Twitter account takeovers might have taken place.

OGUsers: Again In Spotlight

OGUsers is hosted on the open web - anyone can register, and the site makes money from selling fraud-related tools and services.

As highlighted by security blogger Brian Krebs, screenshots emerged on OGUsers around the time of the Twitter account hijacking showing the tool that Twitter's customer service representatives use to change email addresses and reset accounts. Many screenshots were also posted to Twitter; most have been deleted.

A security expert who goes by the handle @Lucky225 recounted in a blog post how a separate account that he controlled - @6 - was taken over in the attacks. The @6 Twitter account formerly belonged to Adrian Lamo, who's known for having helped to report Chelsea Manning, the former U.S. Army analyst who leaked military documents to Wikileaks, to federal authorities. Lamo died in March 2018, and @Lucky225 writes that Lamo’s father, Mario, has since allowed him to control most of Lamo’s online accounts.

At some point - perhaps on Thursday - the @6 account was seized by someone else. @Lucky225 writes that it appears the internal Twitter tools allow an employee to change the email addresses connected with an account and then turn off two-step verification. The alert that the email address associated with an account has been changed goes to the new email address, which unfortunately means that a victim may remain unaware.

But if a phone number is associated with the account, an alert also gets sent over SMS to the number, which is how @Lucky225 discovered that Lamo’s account had been hijacked. @Lucky225 says the @6 account was never used for the cryptocurrency tweet that appeared across the high-profile accounts. He believes there could be a group of people involved in the attack, possibly with differing intentions.

The OGUsers forum has been known as a marketplace for buying and selling stolen usernames. Short for "original gangster," OG names are desirable because they’re short. Nixon says one-letter usernames are “the holy grail of the OG community.”

A recent advertisement on OGUser selling a hijacked Twitter account

That’s in part what directed attention to OGUsers over the Twitter hack. @Lucky225 began tweeting about the @6 takeover, which preceded the flurry of cryptocurrency tweets from the high-profile accounts on Thursday, Nixon says.

“There are certain communities that care about this kind of thing [OG names], and it’s not very many communities,” she says.

Insider Recruitment: Growing Threat

The broader lesson for companies is that insider recruitment is an increasing threat. Professional gangs are starting to catch onto the techniques, which can include bribery and blackmail, Nixon says.

Twitter’s travails point to the need for technology companies to take more steps to ensure employee administrator accounts are more secure, and also that they continue to train service reps to help detect and repel attempted recruitment by fraudsters, Nixon says.

Usually, successful recruitment will have been preceded by mass-messaging attempts, she says, so sharing information about such attempts remains critical to defending against them.

“We’re going to see it grow and grow unless companies start to lock down insider recruitment,” Nixon says. “It’s just going to get worse and worse.”

Executive Editor Mathew Schwartz contributed to this story.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.