Twitter has offered further explanation of the celebrity account hijacking that saw 130 users’ timelines polluted with a Bitcoin scam.
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” says a July 30 update to Twitter’s incident report.
Miscreants launched what the avian network has described as “a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems” to get the job done.
The attack appears to have come in waves.
“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools,” Twitter’s security folk explain. However, “not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.”
“This knowledge then enabled them to target additional employees who did have access to our account support tools.”
And those additional employees also appear to have fallen for spear phishing.
Twitter says it is now “accelerating several of our pre-existing security workstreams and improvements to our tools.”
“We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams,” it added. “We will continue to organize ongoing company-wide phishing exercises throughout the year.”
But Twitter has not explained what it means by “phone spear phishing.” SMS is a known phishing vector, and a link sent as a text that induced Twitter staff to use their credentials is not hard to imagine. Why they fell for it is harder to contemplate. ®