Twitter locked down thousands of verified accounts belonging to elite Twitter users and high-profile companies Wednesday afternoon in an effort to prevent hackers from perpetrating a massive cryptocurrency scam. The accounts fell victim to a compromise of the company’s internal systems by a group of unidentified hackers that managed to gain access to Twitter company tools and secured employee privileges.
Late Wednesday, the accounts of Bill Gates, Elon Musk, Apple and Uber and many other high-profile Twitter users fell victim to the attack on Twitter’s back end. Tweets sent from those hijacked account each promoted an advance fee cryptocurrency scam, promising to double the value of Bitcoin currency sent to one specific wallet.
“This is 100 percent unprecedented,” said Satnam Narang, staff research engineer at Tenable. “We have never seen such a large and simultaneous number of Twitter accounts hijacked at the same time,” he told Threatpost.
By late Wednesday night Twitter released a series of tweets explaining the compromised accounts were the result of a social engineering attack.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company tweeted. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”
The attacks began around 3 p.m. (ET) Wednesday, according the Narang, and first targeted accounts @bitcoin, @ripple, @coindesk, @coinbase and @binance. Tweets sent from those hijacked accounts urged followers of those cryptocurrency accounts to visit the website CryptoForHealth.
“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” read a typical tweet. The site linked to a Bitcoin wallet address.
Within hours the website was taken down. But soon after the site was taken down a barrage of verified Twitter user accounts began sending out a similar message promoting the same scam. Bill Gates’ Twitter account, for example, tweeted: “Everyone is asking me to give back, and now is the time. I’m doubling all payments sent to my BTC address for the next 30 minutes.”
At the time, Twitter acknowledged the mass account takeover in a tweet stating: “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.” In a followup tweet, the Twitter Support team said, “You may be unable to Tweet or reset your password while we review and address this incident.”
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020
In an attempt to thwart the scammers Twitter “locked down” its verified accounts. Other efforts were made by digital currency exchange Coinbase, which prevented users to send money to the Bitcoin address.
“Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address is even greater,” Narang said.
“This is a fast moving target and so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon and Bill Gates’ tweets.”
The news agency Bloomberg was reporting at 4:45 p.m. (ET) that the Bitcoin address had amassed 12 Bitcoins, worth approximately $110,000.
Notable Twitter accounts hijacked include: Joe Biden, Kim Kardashian West, Wiz Khalifa, Warren Buffett, Apple, Wendy’s, Jeff Bezos, Binance, Barack Obama, and Mike Bloomberg.
James McQuiggan, security awareness advocate at KnowBe4, said the attack on Twitter could be tied to a third-party access system allowing a hacker to gain access to accounts. That theory, along with other plausible explanations of the compromised accounts, were put to rest when Twitter stated the attacks were social engineering based. However, many questions remain on how exactly hackers were able to infiltrate one of the world’s largest social media platforms.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
“A much larger concerning notion could be cyber criminals have had access to these accounts or possibly worked their way into a Twitter employee account, and inevitably worked their way into the Twitter backend’s administrative systems,” McQuiggan said.
McQuiggan’s theory is bolstered by reporting by Motherboard who reported late Wednesday hackers convinced a Twitter employee to help them hijack accounts. According to the report, hackers coordinate with a Twitter insider and paid them money for the back-end access. Screenshots of the Twitter account of Binance were supplied to Motherboard reporters by four unidentified hackers. The screenshots, according to the report, showed hackers controlling an internal Twitter tool used to hijack the accounts.
Earlier this year, more than a dozen Twitter accounts of NFL teams were hacked. A self-proclaimed “white hat” hacker group called OurMine Security claimed responsibility and used the incident to promote its own cybersecurity services.
Kelvin Coleman, executive director at National Cybersecurity Alliance, said on Wednesday the size and scope of the account takeovers suggested the account takeovers were tied to an employee’s compromised credentials. He said the attack was “very likely due to something as simple as [an Twitter employee] falling victim to a phishing attack — that then allowed a single bad actor or group broad access into these accounts from the inside. Other platforms should take this as a significant learning experience to ensure a breach to this magnitude doesn’t occur again.”
(This article was updated Thursday July 16 at 1:45 a.m. ET with comments from Twitter)