Social media often gets crazy, but not often as crazy as this.
Many prominent, verified Twitter accounts have been tweeting out cryptocoin scams, with fake tweets reported from an eclectic range of high-profile people and companies, apparently including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others.
The scam tweets reportedly included catchy – if highly unlikely – messages such as “Feeling greatful [note spelling blunder], doubling all payments made to my Bitcoin address,” urging people to pay out $1000 and get $2000 back.
Of course, it’s all a pack of lies – after all, if someone already had $1000 to gift you, why wouldn’t they just send it to you, instead of making you pay in $1000 first and then giving you your money back plus another $1000?
Nevertheless, these tweets really did come from verified accounts, so you can see why people might fall for this – it’s not like receiving an email that is signed off “Elon Musk” if the tweet genuinely seems to have come from his account.
Twitter has taken the unusual but understandable step of closing down parts of its service while it investigates, and its own support account has just tweeted to say that the company is “continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this:
We’re continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this. Thanks for your patience.
— Support (@Support) July 15, 2020
Until we know exactly how these scam tweets were sent, it’s difficult to suggest what actions you might take, particularly given that access to services such as password changes (and presumably also changing details such as two-factor authentication numbers) is being restricted.
However, these scammers will only succeed if people fall for their unlikely messages – which rely on people suspending their disbelief simply because the tweet comes from a celebrity or someone they are inclined to trust.
What you need to know
So you can nevertheless protect yourself by following these three simple steps:
- If a message sounds too good to be true, it IS too good to be true. If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out!
- Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies. There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes in an envelope – if they go to a crook, you will never see them again. If in doubt, don’t send it out!
- Look out for any and all signs that a message might not be real. Crooks don’t have to make spelling mistakes or get important details wrong, but often they do, like the word “greatful” in the example above. So if the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it. Treat it with doubt unless everything checks out!
Karel P Kerezman
At this point it looks like an admin’s account was compromised (or that an admin was paid off, though one wonders what amount of money would’ve been involved to make someone take actions that would directly get them fired, at the very least… consider the blipcoin haul wasn’t THAT large).
Paul Ducklin
Right now [2020-07-16T16:40Z], it seems to me that this wasn’t a matter of one employee who got bribed and did the work on behalf of the crooks, but a case of some employees getting tricked/sweet-talked/cajoled into going through account recovery or settings modifications for a chosen range of accounts.
Twitter has officially said ” We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.” Sounds as though the crooks were able to bluff their way into getting a password change and then to do the actual sending-of-rogue-tweets dirty work themselves. Also sounds as though the crooks were able to keep on trying until they succeeded, thus not hitting up against the same support person every time.
Ian
That’s almost more disturbing considering the amount of high profile accounts that were compromised. How many attackers would that take? And how poor is Twitter’s authentication system? Also if that were all there were to it then why did Twitter need to disable tweeting for all verified accounts? They could have just disabled it for ones that had been modified recently or had an email address/password change. Blaming this on social engineering doesn’t add up for me.
Paul Ducklin
I guess Twitter couldn’t immediately tell which accounts showed signs of having been socially engineered – after all, if the logfile data shows simply that “password reset was requested for this account”, then a manual or at best semi-automatic process would be needed to try to weed out which ones were reset by gift-of-the-gab methods involving fruad and which ones were reset by the real user. The absolute size of the hack seems to be small – 130 accounts selected for “attention” by the crooks, 45 successfully taken over, of which (if I am reading correctly) 37 were verified accounts immediately used for scamming, and 8 were unverified accounts that had their data downloaded. Twitter understandably isn’t identifying those 8 users. Conspiracy theories are saying “they must be activists”, but the smart money seems to be on those 8 accounts being super-short, early usernames (so-called OGs, for original gangstas). Those are worth money for resale on the dark web.
Ian
I would hope they could filter accounts based on which were reset by their staff/admin tool vs reset by users using the app/website but maybe not.
When you say the scope was small, I would agree compared to other breaches, but IF this was entirely social engineering then I think the pace/scope seem to indicate a decent number of coordinated attackers.
I wonder approximately how long it takes to social engineer your way into an account, change the settings, exfil the DMs, and post scam links? I would think at least 10-15 minutes per success and probably at least 5-10 minutes per failure (maybe more depending on the value of the account). To do all that over a couple of hours is pretty impressive.
Paul Ducklin
For all we know, the crooks may have been able to get dual control over a few Twitter staffers’ PCs (like those rogue tech support callers do over their victims’ computers), allowing the crooks to “drive” the GUI and then talking the hapless victims into doing whatever 2FA-type approval was needed to finalise some of the account takeovers. Who knows, maybe the crooks convinced the staffers they were supervisors, or that they were part of the “VIP accounts” team carrying out a series of account recoveries for mainstream account holders who had just been hit by cryptocurrency scammers trying to take over their accounts :-)
In that sort of scenario you can imagine crooks targeting, say, 100 potential support staff with calls and emails; figuring out, say, 10 or 20 likely victims to concentrate on; pulling the “can you help us get these important accounts up and running again, @Jack will love you for it!” maneouvre on 7 or 8 of them; and succeeding in taking over 10 or 12 different accounts each with 3 or 4 of them. Maybe each crook had a list of similarly-flavoured accounts, so a couple of crooks went after just cryptocoin companies; another couple after rappers; and a couple more after politicians and business celebs? You can imagine how a well-intentioned Twitter staffer who was drawn to believing they were helping a senior manager cut through a big security problem – “bad people are after the accounts of prominent political figures right now, we need to get those accounts back from the crooks, can you guide me through the process?”
I assume we’ll find out the sort of treachery that the crooks used eventually, and I’m sure we’ll all say, “Oooh, I’d never fall for that, I am far well informed,” but I also think that a lot of us might be quietly thinking “there but for the grace of God go I.”
Ian
That is certainly plausible and would cut down on the time. I sure hope we do find out at least roughly how they accomplished it at some point. Either way it’s a much more interesting breach than the typical “reused password leads to account takeover” story. Thanks!
MR TOM CHRISTOPHER
Ah, so they via script probably, got the passwords, then turned off 2FA as needed if it was turned on. Doesn’t mean an inside job neccessarily.
Jameson
Can you please edit the second to last bullet. It looks like it was edited and a word was removed/changed. The word “to” in the following line needs removed.
“
Sending someone cryptocoins is like handing over banknotes to in an envelope
“
Paul Ducklin
Fixed, thanks!
IIRC I moved the words “to a crook” further along in the sentence but left a “to” behind…
Gary
Sending money to someone to get more money back reminds me of the old Abbot and Costello routine: “Have you got two 10’s for a 5?”
Paul Ducklin
Hahahahaha. “Just a minute! $15 went South…”
Steve
Minor suggestion: IMO you should drop the italics for the parenthetical editorial note about the spelling blunder in the example tweet, as that was not a part of the cited text. Good article otherwise; it will be interesting to see any future developments as it is more thoroughly investigated. Please keep us updated!
Paul Ducklin
I did originally try putting that text in non-italics (because the regular text is already italic, and italic-italic is supposed to ‘cancel out’ typographically, if I remember my editing rules correctly) but it looked weird…
…but I will change it back considering that you have asked so nicely :-)