By Aaron Higbee

On July 15, 2020, a small number of Twitter employees were duped in a successful spear phishing attack which Twitter is now calling a “phone spear phish”. A phone is mentioned, but Twitter didn’t elaborate on what role it played (SIM swap? A misleading link sent via SMS to a credential phishing page?). Regardless, the phishing resulted in stolen Twitter employee credentials. Attackers used the stolen credentials to access internal systems and gain information about Twitter processes, then targeted additional employees to breach account support tools. Scam tweets were sent from dozens of major accounts, and the hackers quickly received hundreds of bitcoin transfers worth over $115,000. This type of attack is not unusual: 74% of real phish are credential phish.

Human Vulnerabilities

Twitter has now provided limited detail about the specific technique used in the spear phishing attack and has not disclosed how many employees or contractors have access to its account support tools. Broad levels of access can pose challenges to defending against phishing. Twitter shared, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” and called the incident “a striking reminder of how important each person on our team is in protecting our service”. The attack resulted in:

  • 130 accounts targeted
  • 45 accounts had Tweets sent by attackers
  • 36 accounts had the DM inbox accessed
  • 8 accounts had an archive of “Your Twitter Data” downloaded (none of these were Verified)
  • Crypto transfers exceeding $115,000
  • Untold brand damage to Twitter

Human Informants?

In the blog post, Twitter didn’t mention how many Twitter employees were targeted in the phishing campaigns, how many of those employees reported the phishing attempts, and whether or not Twitter security operations were tooled up to act on employee reports of phishing.

In the Cofense annual report on employee phishing resiliency, you might be surprised to see that technology companies tend to sit at the lower end of the industry benchmarks.

Too Much Access?

Twitter admits concern around its tools and levels of employee access, yet goes on to claim that access to proprietary tools is “strictly limited and only granted for valid business reasons”. Twitter advises that it has now “significantly limited access to our internal tools and systems” while it completes its investigation, noting that “we have teams around the world” that help with account support. Users with account support needs, reported Tweets, or applications to Twitter’s developer platform can expect delays. Twitter is focused on restoring access for all account owners who may still be locked out.

Portrait of a Phish

Whether the hackers gained access via a phone, a personal device, or an office computer, the aim of the attack was to obtain employee credentials. Twitter advises that although its tools, controls, and processes are constantly being updated and improved, it is now “taking a hard look” at how it can make them even more sophisticated.

The specifics of the phish that evaded security controls are vague. Spear phishing tends to be more targeted and dangerous than a typical phishing attack, because the phishing emails are highly believable when tailored to individuals or to small, specific groups of people. “Phone phishing” is messy infosec jargon that tends to be a catch-all for any social engineering that involves a mobile device. A phish via phone could take many forms: a message from “support” requesting credentials for an update, an SMS phish linking the user to a fake company login page, or an actual phone call from a friendly “colleague” requesting login information.

If employees are unaware of the role they play in data breaches, they are more likely to fall for these scams. No amount of security controls can fully secure a network unless employees are also treated as the front line of phishing defense. Twitter needs to include building employee resilience to phishing in its plan to become more sophisticated.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.