Joe Biden, Bill Gates, Barack Obama, Elon Musk Among Those Affected by Hacking
Several prominent business executives, politicians and celebrities, including former Vice President Joe Biden, former President Barack Obama, Tesla CEO Elon Musk and Microsoft’s Bill Gates, had their verified Twitter accounts hijacked Wednesday in what appears to be a cryptocurrency scam, according to multiple media reports and screen shots posted online.
For several hours Wednesday, verified accounts belonging to Biden, Gates, Musk, as well as the corporate accounts of Apple, Uber and others, posted messages to their followers about sending money to a certain blockchain address with the promise of doubling the amount in return, according to CNN and others news reports.
“I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000,” according to the message posted on the verified Bill Gates Twitter account. Other well-known accounts posted similar messages Wednesday.
For several hours Wednesday, Twitter stopped certain verified accounts from tweeting, as passwords were reset, according to a company statement. By the end of Wednesday, most of the issues had been resolved and the scam messages deleted, the social media company says.
Twitter also announced an investigation into what happened and how this scam became widespread among so many prominent and verified accounts. The social media company did not immediately respond to a message from Information Security Media Group seeking additional comment.
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020
It’s not clear who might have hijacked or hacked all these accounts, however, it does seem as if some of these messages were successful in scamming people out of their money. Bleeping Computer reported that one blockchain address associated with the hijacking incidents appears to have collected 11 bitcoins worth over $100,000 by the time the scam finished.
Security firm RiskIQ posted a list of some 400 suspicious domains that its researchers believe are connected to the infrastructure that the hackers used to compromise the accounts and create the blockchain addresses.
While Twitter does provide its users with some security features such as two-factor authentication, the company has witnessed some notable failures of its security protocols. In September 2019, the official Twitter account of CEO Jack Dorsey was hijacked for a short period and used to send out racist and profane-laden messages (see: Hey Jack, How Was Your Account Hacked?).
Did Two-Factor Fail?
While verified Twitter accounts should have two-factor authentication enabled, this latest security incident seems to show that these high-profile users, or their social media teams, are not using this basic level of protection, says Chris Pierson, the CEO and founder of cybersecurity firm BlackCloak, which focuses on executive security.
“This appears to be poor planning and control mitigation for some really high-profile persons’ accounts or unsecured access through ancillary applications. Either way, this could have been prevented,” Pierson tells Information Security Media Group.
Pierson adds that these types of high-profile accounts need constant security attention since attackers change their methods frequently. This also helps protect followers who might be taken in by such scams.
“Securing their social media accounts is critical given their followers, risks for malware in phishing links, and really their reputation,” Pierson says.
Brandon Hoffman, the CISO and head of security strategy at Netenrich, a security firm based in San Jose, says that while a failure to enable two-factor authentication may have played a role, it’s also possible that a Twitter employee’s credentials could have been compromised. This could then give attackers access through the social media company’s internal IT network.
“In the end I think we will find out that somehow credentials were stolen, either from an employee or from the account holders themselves through a variety of methods,” Hoffman tells ISMG. “The credentials were probably offered for sale on the dark web in piecemeal form, and a cybercriminal with vision bought them for this campaign.”
Kelvin Coleman, executive director at National Cybersecurity Alliance, also believes the security breach points to a Twitter employee whose credentials may have been compromised.
“While it’s unclear what the source of the ongoing Twitter crypto scam attack is – the size and scale of an operation like this seem to potentially point to an employee’s compromised credentials – it’s very likely due to something as simple as falling victim to a phishing attack,” Coleman says. “This then allowed a single bad actor or group broad access into these accounts from the inside.”
Other security researchers, such as Troy Mursch of Bad Packets, put the blame squarely on Twitter itself and its security policies.
Rest assured, Twitter takes your account privacy and security very seriously.
— Bad Packets (@bad_packets) July 15, 2020
Over the years, Twitter has attempted to include more security for users, especially those with verified and high-profile accounts. In September 2019, the social media firm announced that it would do away with needing a phone number for its two-factor authentication. This was an attempt to stop attacks such as SIM swapping, where attackers take control of a target’s phone number and then intercept all two-factor codes that get sent to it (see: Twitter No Longer Wants a Phone Number for 2FA).