“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.
To recap:
🔹130 total accounts targeted by attackers
🔹45 accounts had Tweets sent by attackers
🔹36 accounts had the DM inbox accessed
🔹8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified— Twitter Support (@TwitterSupport) July 23, 2020
The embarrassing July 15 attack compromised the accounts of some of its most high-profile users, including Musk and celebrities Kanye West and his wife, Kim Kardashian West, in an apparent attempt to lure their followers into sending money to an anonymous Bitcoin account.
After stealing employee credentials and getting into Twitter’s systems, the scam targeted other employees who had access to account support tools, the company said.
A total of 130 accounts were accessed. The scam managed to tweet from 45 accounts, access the direct message inboxes of 36 and download the Twitter data from seven. Dutch anti-Islam lawmaker Geert Wilders has said his inbox was among those accessed.
Spear-phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.
Twitter said it would provide a more detailed report later “given the ongoing law enforcement investigation.”
The company has previously said the incident was a “coordinated social engineering attack” that targeted some of its employees with access to internal systems and tools. It didn’t provide any more information about how the attack was carried out, but the details released so far suggest the hackers started by using the old-fashioned method of talking their way past security.
British cybersecurity analyst Graham Cluley said his guess was that a targeted Twitter employee or contractor received a message by phone asking them to call a number.
“When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials,” Cluley wrote on his blog.
It’s also possible the hackers pretended to call from the company’s legitimate help line by spoofing the number, he said.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Hillsborough State Attorney Andrew Warren said. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”
