By Dave McKay | July 31, 2020
Social Engineering Attack Vector
Twitter have declared that the route taken by the threat actors who pulled off this month’s Twitter hack and Bitcoin scam was social engineering. They made plausible but bogus phone calls to Twitter employees and persuaded them to reveal their credentials.
According to Twitter, the social engineering attack gave the threat actors the credentials of a limited set of employees, making it possible for the bad guys to access Twitter’s internal network and support tools. They had the keys to the kingdom.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes,” Twitter said. “This knowledge then enabled them to target additional employees who did have access to our account support tools.”
The threat actors targeted 130 celebrity and high-profile Twitter accounts, sending tweets from 45 of them urging followers to send in Bitcoin so that it could be sent back doubled.
Your Staff Are on the Front Line
Your employees need to be trained to spot the signs of common cyberattacks, including phishing attacks and social engineering. And the training should be topped up periodically.
We can do the training for you, and we can also perform covert susceptibility testing to see whether the message has sunk in.
Don’t hesitate to contact us for a pressure-free discussion of your needs.
Source: BleepingComputer