23 Jul 2020
The human factor
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. … We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
This is what Twitter discovered about the incident that compromised the accounts of some VIPs (like Bill Gates, Elon Musk, Apple, Obama).
Hackers, ones gained access to twitter internal systems, posted messages inviting people to send bitcoins with the promise of an instant gain.
This is the post on Bill Gates account:
“Everyone is asking me to give back, and now is the time, You send $1,000, I send you back $2,000"
And this the one on Apple account:
“We are giving back to our community.
We support bitcoin and we believe you should too!
All bitcoin sent to our address below will be sent back to you doubled"
The fraud led the equivalent of 120.000$ in bitcoin in the pockets of the attackers.
A nice amount but we have seen worst..
The interesting side of the story is how they obtained access to the systems.
Cyber criminals did not exploited known vulnerabilities or used any specific exploit kit.
They "simply" contacted some people inside Twitter. Then, cyber criminals gained employees trusts and convinced them to share access to internal Twitter systems.
This is a classic example of social engineering, an attack where the hacker exploit the inborn trust of human being.
A social engineering attack can be executed through telephone or email (in this case it is also called phishing or spare phishing if it is targeted on a specific individual or company) or event during an in person meeting.
But this is not the end of the story. The same technique was used to convince people to give them moneys.
Twitter user assumed the information was legit only because the source was presumably trusted. A simple check on another social media (i.e. another communication channel) could have prevent the scam.
In this specific case the scam targeted individuals but the same fraud could be directed toward companies. Imagine what could happen if a cyber criminal impersonate a supplier and the same guy who transferred bitcoins to the cyber criminal would be in charge of wire transfer…
What happened should make companies reflect. If you meet someone who promise to double your money or ask you the key of your house what do you do? Almost certainly you don't believe him and you will stay away from him.
In the digital world, instead, we jump right into it.
This is because we focus on security measures based on technology like endpoint security software, EDR, advanced threat protection, UTM appliances (all good thing of course) forgetting the most basic concept: the human factor
Of course, the best strategy in the mid and long term is to train user in order to make them aware of the threats and simulate threat to see how users react to a potential threat and adjust the training.
Meanwhile the following simple tips may help reducing the risk:
- Always double check the information using different communication media
- Define strong approval procedure for high risk activities like wire transfer
☝🏻Almost 20% of successful attacks are based on phishing and social engineering, according to CLUSIT....
☝🏻Secondo il CLUSIT nel 2019 il 20% degli attacchi effettivamente portati a termine è basato su tecniche di p...