The unprecedented hacking of Twitter celebrity accounts this month was caused by human error and a phishing attack on Twitter employees, the company confirmed.
Spear-phishing is a targeted attack designed to trick people into giving out information such as passwords.
Twitter said its employees were targeted through their phones.
The successful attempt allowed the attackers to tweet from celebrities' accounts and to read their private direct messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality television star Kim Kardashian West were among those compromised and used to post a bitcoin scam.
The scam allegedly netted the fraudsters more than $100,000 (£80,000).
The attack raised concerns about the level of access that Twitter employees, and consequently the hackers, have to user accounts.
Twitter acknowledged the concern in a statement, saying it was “looking closely” at how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.
Not all of the employees targeted by the phishing attack had access to the internal account tools, Twitter said. However, they did have access to the internal network and other systems.
Once the attackers had obtained employee credentials that let them into Twitter's internal network, the next phase of the attack was much easier.
They then focused on other employees who did have access to the account tools.
Analysis by Joe Tidy, cyber-security reporter
Twitter has not clarified whether its employees were tricked by email or by phone, but the consensus in the information security community is that it was the latter.
Phone phishing scams, commonly known as vishing, are bread and butter for the hackers suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter employees and, through friendly persuasion and deception, talked them into handing over usernames and passwords, which gave them an initial foothold in the internal systems.
As Twitter puts it, the fraudsters "exploited human vulnerabilities". You can imagine how it went:
Hacker to Twitter employee: "Hi, I'm new here and I'm locked out of the internal Twitter portal, can you do me a big favour and log me back in?"
The fact that Twitter staff were vulnerable to such basic attacks is embarrassing for a company at the forefront of digital technology and internet culture.
Twitter said the initial phishing attempt was made on 15 July, and the accounts were compromised the same day, indicating that the attackers had gained access within hours.
"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," the company said.
"This was a striking reminder of how important each person on our team is in protecting our service."
Twitter did not say whether the attack involved voice calls, despite an earlier Bloomberg report stating that the attackers had contacted at least one Twitter employee by telephone.
Phishing is most often carried out by email or text message, prompting recipients to click on links to websites with fake login screens.
Spear-phishing is a version of the scam aimed at one person or a specific company, and is usually tailored to be more believable.
One victim whose account was compromised told the BBC that Twitter could have done several things differently.
"They should not give a single employee the ability to remove the email address on file and two-factor authentication," they said.
"I understand why this is necessary – for example, if a dormant account has a very old email that is inaccessible and you've lost your phone or something – but it should require sign-off from two employees."
They also said that communication from Twitter had been poor.
"It took 10 days to get the account restored, without any real personal response from Twitter. I literally got an automated email from the system when they added my email back to my account to allow me to recover it. It looked like a phishing email."