Analyzing the 2020 Twitter Attack
Jan 20, 2021 • Security Boulevard
On July 15, 2020 the social media platform, Twitter, seemed to be operating normally. The hot topics of the day were about rapper T-Pain’s newest spat with recording artist Travis Scott. Conversations were heated as people tweeted about the London Underground removing Banksy artwork, which was trending. With everything going well, many of the Twitter security team had just started their regular work tasks for the day. That’s when the frantic messages started to arrive. They all said the same thing: “Someone is trying to collect employee credentials”.
This attack was not only sophisticated, but it took the entire world by surprise. What exactly happened? Why was it so successful? Let’s analyze the 2020 Twitter attack.
Early in the day on July 15, a Discord user with the name Kirk#5270 made an exciting post that had an interesting proposal. “I work for Twitter. I can claim any name, let me know if you’re trying to work.” Bragging that he could get control of any account perked some people’s interest. Many replied, “prove it.” Around mid-morning on July 15, some employees at Twitter started to get phone calls. Impersonating internal employees, the callers were contacting those who work in consumer service and tech support.
The instructions were simple – we need you to reset your password. Some flagged the call as suspicious and hung up on the attacker, reporting it to their security teams. However, a few employees were more accommodating. Following the instructions from the caller they went to a spoofed website controlled by the attackers. There they entered their usernames and passwords, as well as their multifactor authentication (MFA) codes. With this small hand full of credentials, the attackers had what they needed to collect the information they desired.
Sophisticated and Targeted
It’s important to note that these phone calls were sophisticated and targeted. The caller leveraged information that he learned in each call to gain new information on his next call. Not all of the employees targeted in the vishing attack had access to in-house tools. However, the information that they could provide allowed the caller to get to employees who did. By using that information, the caller managed to obtain employee credentials who had access to account support tools. This information is exactly what the attacker needed.
By 3:13pm ET, people started noticing some suspicious tweets. The cryptocurrency exchange Binance said that they were going to be “giving back” $52 million of bitcoin to the community. The link that was attached to that tweet lead to a fraudulent website. By 4:17pm, Elon Musk and Bill Gates were tweeting that they were going to be giving away free bitcoin to their followers. By 4:55pm, accounts belonging to Uber, Apple, Kanye West, Jeff Bezos, and Joe Biden were also tweeting the same thing. The security team knew then that “something was going horribly wrong.”
Stop the Scam
The next few hours after the initial attack were chaotic for those on the Twitter team. The chaos of how to stop the attack led to their teams having to make tough decisions. Due to not knowing where the attack was coming from, the security team was left with just a few options, but only one seemed viable. At 6:18pm, the team made the decision to block all verified accounts from tweeting. They also placed restrictions on any account that had recently changed their password.
While this may not seem like a big deal to many reading this, the fact is that it does and did have its consequences. According to a May 2020 report, there are over 330 million monthly active users on Twitter. There are 145 million who use Twitter daily. Many users use Twitter as a main source of breaking news from media outlets, or public safety and emergency updates from government authorities. With Twitter down, the National Weather Service was unable to send out a tornado advisory to warn people of potential dangers. News media companies were unable to keep people updated on breaking news, including what was going on at Twitter at the time.
Twitter found themselves in the same position that many corporations are when they discover a breach. Frantic decisions are made, tradeoffs are discussed, and potential courses of actions are planned. However, as Twitter discovered, the tighter you shut down your internal network, the less you are able to counter the scam. Doing so means you lose the ability to track the perpetrators and, more importantly, figure out who on your team has been compromised. So, with everyone kicked off the internal VPN, they started to use what is called the “zero trust” system. So everyone, starting with CEO Jack Dorsey, was going to log into a video conference with a supervisor. While on the call, they were to manually change their password in front of their supervisor. Once they did this, their services slowly came back online.
It left everyone with one question – who pulled off this sophisticated attack? At first, rumors were flying around that the culprit was a rouge employee, or perhaps professionals. However, to everyone’s surprise the “mastermind” behind the attack was a recent high school graduate, who was only 17 years old. Federal authorities already had information on Graham Ivan Clark and had been following his online activity before the attack. In fact, in April 2020, the Secret Service had seized over $700,000 in Bitcoin from him. For the Twitter attack, Clark had managed to get access to over 100 accounts, had tweeted from 45 of them, gained access to direct messages of 36 of them, and downloaded full information from 7 accounts that he had breached. He also netted around $117,000 in Bitcoin.
Protect Yourself from Vishing
The question everyone was asking was, how did this attack happen? How could a few phone calls lead to the breach of an entire system? Well, let us give you a statistic. According to the 2020 Verizon DBIR, out of 3,950 data breaches, over 22% of all breaches are due to “social attacks.” Social engineering is effective because it targets humans, and humans can be easy to manipulate. This is especially dangerous if, like Twitter, there are too many people who have access to too many things.
Vishing, or phone phishing, isn’t new. In fact, in 2015, it was added as an official word to the dictionary. But the 2020 Twitter attack made it a mainstream name. It also opened a lot of people’s eyes to the true danger of vishing. The attack also proved that all job functions in a company have access to sensitive information, even if the attacker doesn’t realize it. And that information is extremely valuable.
However, if employees understand the threats posed by vishing attacks, they are less likely to disclose vital information to malicious callers. Additionally, they are more likely to report suspicious activity. This is why security programs like Vishing as a Service® (VaaS®) are so important. Having regular vishing training can dramatically reduce the impact of a vishing call and can help protect your corporation’s critical assets and trade secrets.