What Happened During The Twitter Spear-Phishing Attack?

The 2020 Twitter spear-phishing attack is a sobering reminder that cybercriminals will use every tool in the shed to infiltrate an organization.

On July 15, 2020, cybercriminals hacked Twitter's systems through social engineering to send Tweets from high-profile accounts, including Joe Biden, Barack Obama, Bill Gates, Elon Musk, Warren Buffett, Kanye West, Apple, and Uber, to name a few.

The Tweet from Barack Obama read:

"I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000! Only doing this for the next 30 minutes! Enjoy."

All of the Tweets were in a similar vein. Encouraging people to act fast to donate money via Bitcoin under the guise of "doing good."

Twitter is referring to the incident as a "phone spear phishing attack" but is vague about the details of how cybercriminals breached the social network's systems.

‏‏‎ ‎

To keep yourself and your data protected try our 14 day free trial

‏‏‎ ‎‎ ‎

What is a Spear Phishing Attack?

You are probably familiar with a phishing attack, where cybercriminals send out a "spoofed" message (sometimes a phone call) encouraging the victim to click a link or share sensitive information. 

In a typical phishing attack (a type of social engineering), criminals will send these messages en masse and see who "bites." There's no specific target.

A spear-phishing attack is far more sophisticated and targeted. Cybercriminals research an individual or an organization to find vulnerabilities.

These vulnerabilities might be personal information about an individual or how an organization communicates internally. With this information, criminals can customize their spoofed communication to convince the victim it's genuine.

‏‏‎ ‎

Twitter's Phone Spear Phishing Attack

For security reasons, Twitter is withholding the exact details of how the July 2020 spear-phishing attack happened. But from a July 30, 2020 statement, Twitter reveals phone spear-phishing was the method of attack:

"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear-phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools."

It appears that criminals initially targeted a small group of employees via a phone phishing attack to access Twitter's systems. It's unknown if this was through text or voice calls.

In an official statement, the Department of Justice (DOJ) noted, "...the Twitter attack consisted of a combination of technical breaches and social engineering."

Speculation is that criminals contacted this small group of employees and tricked them into sharing their login credentials

They then used these credentials to infiltrate Twitter's internal support tools to target employees with higher access privileges.

With these high-level credentials, hackers were able to access individual Twitter accounts and unleash their scam.

‏‏‎ ‎

What Information was Compromised in the July 2020 Twitter Hack?

Given the breach of high-profile Twitter accounts and the level of access these criminals had, the consequences of this attack were actually reasonably minor.

The July 2020 Twitter spear-phishing attack by the numbers:

  • 130 Twitter accounts targeted.
  • 45 accounts Tweeted from.
  • 36 accounts had the DM inbox accessed.
  • 8 accounts downloaded "Your Twitter Data." A feature that allows a user to download a snapshot of their account, including account personal information, login history, linked apps and devices, and interests and ads data.
  • 383 Bitcoin transactions were sent to the scammer's account.
  • 12.86 BTC (US$117,000 at the time) stolen from victims following the Tweets' instructions.

It appears the attackers got away with a minimal amount of data—36 DM inboxes and the eight accounts where hackers downloaded "Your Twitter Data." 

According to Twitter, "None of the eight were verified accounts." Meaning that the data downloaded wasn't from any of the high-profile accounts with the verified "blue checkmark."

‏‏‎ ‎

Who was Behind the 2020 Twitter Spear-Phishing Attack?

To date (August 2021), four people have been arrested for the Twitter spear-phishing attack. 

The mastermind behind the Twitter attack is Graham Ivan Clark of Tampa, Florida, only 17 at the time of the attack. Authorities believe Clark is responsible for the spear-phishing attack on Twitter employees, where he gained access to internal systems. 

Clark then posed as a Twitter employee on chat forums selling Twitter handles and account access to the other three perpetrators who carried out the Bitcoin scams.

19-year-old Mason Sheppard and 22-year-old Joseph O'Connor of the United Kingdom were responsible for the Bitcoin scam, while 22-year-old Nima Fazeli acted as a broker for Clark. 

O'Connor was the only perpetrator known to authorities before the 2020 attack. Under the online handle, PlugWalkJoe, O'Connor was allegedly involved in SIM-swapping attacks to access social media accounts. 

In a bizarre interview with the New York Times shortly after the 2020 attack, O'Connor confirmed he was PlugWalkJoe and that Twitter staff credentials were stolen during the 2020 attack. He went on to say, "I don't care. They can come arrest me. I would laugh at them. I haven't done anything."

The police decided to take O'Connor up on that offer and arrested him in Estepona, Spain, on July 21, 2021. O'Connor is waiting for extradition to the United States on multiple cybercrime charges.

‏‏‎ ‎

To keep yourself protected from spear-phishing attacks click here to try TeamPassword's free trial.

‏‏‎ ‎

What was the Fallout of the Twitter Spear Phishing Attack?

It's alarming how easy it was for a lone 17-year-old low-level hacker to access Twitter's systems. Tweeting from these authoritative accounts can crash financial systems or start wars, which is why the full arm of the law came down on these four young perpetrators.

The Twitter spear-phishing attack involved multiple federal agencies, including the FBI, IRS, US Secret Service, and Florida law enforcement. Not to mention the British and Spanish agencies responsible for apprehending the two British nationals involved.

There was a mix of anger and confusion from the public and those targeted. The most perplexing thing for many was that most of the verified accounts had two-factor authentication set up on their accounts.

The criminals could change email addresses, and contact numbers on the accounts without a notification sent to the account holder. According to two ex-Twitter employees, more than 1,000 Twitter employees and contractors had access to change user accounts settings.

Edward Amoroso, a former chief security officer at AT&T, told Reuters, "That sounds like there are too many people with access...In order to do cybersecurity right, you can't forget the boring stuff."

By Twitter providing such broad access, it makes it difficult to prevent an attack like this. Twitter has a logging system to aid with investigations but, at the time of the attack, nothing to alert or notify relevant departments when someone makes changes to a user's account internally.

‏‏‎ ‎

Action Taken by Twitter

In a blog post from July 30, 2020, Twitter announced they had taken access to limit access to internal systems. For a short time, some of Twitter's features were unavailable while they made security improvements.

"Since the attack, we've significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation... We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams."

Twitter is also working on programs to educate its workforce on cybersecurity and how to avoid phishing.

‏‏‎ ‎

Is Your Business Protected Against Spear Phishing Attacks?

If this sort of spear-phishing attack could happen at Twitter, it could happen to any business. Luckily, it's not difficult to put simple measures in place to mitigate a breach like the Twitter hack of 2020.

Using a Password Manager to Control Access

Using a password manager is a secure way to share access with employees and freelancers. With TeamPassword, you can grant and revoke access with a simple click.

You can create groups inside your TeamManager account, so you only share access with those who need it. If you hire a freelancer or contractor, you can add them to the group and remove them when they complete the job.

A detailed log records every action and user's activity, and you can set up email notifications for just about any action on TeamPassword. This tracking would allow you to stay ahead of any unauthorized sharing or access.

Secure 2FA

TeamPassword features 2FA to add an extra layer of security to your password manager. By adding an extra layer of protection, you minimize the risk of unauthorized access, even if an attacker steals an employee's password.

Creating Secure Passwords

One of TeamPasswords best features is its built-in password generator. Create robust 12-32 character passwords for any social media account, website, or application, and then share access to all users with just one click.

With TeamPassword, the passwords aren't visible to team members, so no need to worry about unauthorized sharing. When someone leaves your team, simply delete them from TeamPassword, and they no longer have access.

‏‏‎ ‎

Secure Your Business with TeamPassword

If there is one thing we have learned from Twitter's spear-phishing attack, it's crucial companies actively promote cybersecurity awareness to employees and put systems in place to prevent cybersecurity vulnerabilities.

Start your free TeamPassword trial today and build a robust working environment with TeamPassword.