The hackers behind this month’s epic Twitter breach targeted a small number of employees through a “phone spear phishing attack,” the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter officials wrote in a post. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”
Thursday’s update also disclosed that the hackers downloaded personal data from seven of the accounts, but didn’t say which ones.
The post was the latest update in the investigation into the July 15 hack that hijacked accounts belonging to some of the world’s best-known celebrities, politicians, and executives and caused them to tweet links to Bitcoin scams. A small sampling of the account holders included former Vice President Joe Biden; Microsoft founder, former CEO and chairman, and philanthropist Bill Gates; Tesla founder Elon Musk; and pop star Kanye West.
It took hours for Twitter to return control of the accounts to their rightful owners. In some cases, the hackers regained control of accounts even after they had been recovered, resulting in a tug of war between the intruders and company employees.
Hours after containing the breach, Twitter said the incident was the result of it losing control of its internal administrative systems to hackers who either paid, tricked, or coerced one or more company employees. Company officials have provided regular updates since then. The most recent one came last week, when Twitter said the hackers used their access to read private messages from 36 hijacked accounts and that phone numbers and other personal information from 130 affected users were viewable.
Free employee rein
Critics said the incident showed that Twitter hasn’t implemented proper controls to prevent sensitive user information from falling into the hands of company insiders or people who target them. Twitter has vowed to investigate how the outsiders gained access to sensitive internal systems and take steps to prevent similar attacks in the future.
Thursday’s update provided more color about how internal systems and account tools work. It said:
A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
The update said that since the attack, the company has “significantly” limited employees’ access to internal tools and systems while the investigation continues. The restrictions primarily affect a feature that lets users download their Twitter data, but other services will also be temporarily limited.
“We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform,” the update said. “We’re sorry for any delays this causes, but we believe it’s a necessary precaution as we make durable changes to our processes and tooling as a result of this incident. We will gradually resume our normal response times when we’re confident it’s safe to do so. Thank you for your patience as we work through this.”
Thursday night’s post also said that the company is accelerating unspecified and “pre-existing security workstreams and improvements to our tools” and prioritizing security work across various teams. Twitter is also improving ways to detect and prevent “inappropriate” access to internal systems.
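Twitter’s post names the goals (limit who can reach the account tools, detect “inappropriate” access) but not the mechanics. The script below is an added example, not Twitter’s code, and assumes a hypothetical JSON-lines audit log from an internal support tool with the fields shown; the action names, role names, and thresholds are likewise assumptions. It flags the pattern the company’s own account describes: one operator performing account-takeover actions against many high-follower accounts in a short window, and such actions coming from a role that should never have the tool at all. The sample log lines are constructed for the example.

```python
"""Burst and role checks over a support-tool audit log.

Hypothetical log format and thresholds (not Twitter's). The aim is to catch
one operator touching many high-profile accounts with sensitive actions in a
short window, and sensitive actions from roles that should never reach the
tool.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that let an operator take over or exfiltrate an account (assumed names).
SENSITIVE = {"change_email", "reset_2fa", "disable_2fa", "export_data"}
WINDOW = timedelta(minutes=30)   # sliding window per operator
MAX_TARGETS = 3                  # more distinct high-profile targets than this -> alert
HIGH_PROFILE = 1_000_000         # follower count that marks an account as high-profile
TOOL_ROLES = frozenset({"support_l2", "trust_safety"})  # roles allowed to use the tool

# Constructed sample log (JSON lines): one legitimate operator, one operator
# behaving like the attackers, and one operator from a role without tool access.
SAMPLE_LOG = """\
{"ts":"2020-07-15T19:40:05Z","operator":"alice","role":"support_l2","action":"lookup","target":"smallfry","followers":1200}
{"ts":"2020-07-15T19:41:30Z","operator":"alice","role":"support_l2","action":"change_email","target":"smallfry","followers":1200}
{"ts":"2020-07-15T20:02:11Z","operator":"mallory","role":"support_l2","action":"lookup","target":"bigname1","followers":36000000}
{"ts":"2020-07-15T20:03:40Z","operator":"mallory","role":"support_l2","action":"change_email","target":"bigname1","followers":36000000}
{"ts":"2020-07-15T20:04:02Z","operator":"mallory","role":"support_l2","action":"disable_2fa","target":"bigname1","followers":36000000}
{"ts":"2020-07-15T20:09:15Z","operator":"mallory","role":"support_l2","action":"change_email","target":"bigname2","followers":51000000}
{"ts":"2020-07-15T20:15:48Z","operator":"mallory","role":"support_l2","action":"change_email","target":"bigname3","followers":12000000}
{"ts":"2020-07-15T20:20:33Z","operator":"mallory","role":"support_l2","action":"export_data","target":"bigname4","followers":8000000}
{"ts":"2020-07-15T20:31:00Z","operator":"bob","role":"marketing","action":"reset_2fa","target":"bigname5","followers":9000000}
"""


def parse(log_text):
    """Yield audit records with the timestamp parsed to a datetime."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def find_bursts(records, window=WINDOW, max_targets=MAX_TARGETS, min_followers=HIGH_PROFILE):
    """Return (operator, window_start, targets) for each operator that hit more
    than max_targets distinct high-profile accounts with sensitive actions
    inside one sliding window. One alert per operator."""
    by_operator = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] in SENSITIVE and rec["followers"] >= min_followers:
            by_operator[rec["operator"]].append(rec)

    alerts = []
    for operator, events in by_operator.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {e["target"] for e in events[start:end + 1]}
            if len(targets) > max_targets:
                alerts.append((operator, events[start]["ts"], sorted(targets)))
                break
    return alerts


def find_role_violations(records, tool_roles=TOOL_ROLES):
    """Sensitive actions performed by an operator whose role should not have
    the tool at all (a plain least-privilege check on the log)."""
    return [(r["operator"], r["action"], r["target"])
            for r in records
            if r["action"] in SENSITIVE and r["role"] not in tool_roles]


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    for op, when, targets in find_bursts(recs):
        print(f"BURST {op} from {when:%H:%M}: {', '.join(targets)}")
    for op, action, target in find_role_violations(recs):
        print(f"ROLE  {op} ({action} on {target})")
```

On the sample, the legitimate operator’s single email change on a small account is ignored, the attacker-like operator trips the burst rule on the fourth distinct high-profile target, and the out-of-role operator is reported even though a single action would never trip the burst rule. The role check is the cheaper control: it only works if the log records the operator’s role at the time of the action rather than looking it up later.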
Twitter accounts of the rich and famous—including Elon Musk, Bill Gates, Jeff Bezos, and Joe Biden—were simultaneously hijacked on Wednesday and used to push cryptocurrency scams.
As of 3:58pm California time, one wallet address used to receive victims’ digital coin had received more than $118,000, though it wasn’t clear that all of it came from people who fell for the scam. The bitcoin came from 356 transactions that all occurred over about a four-hour span on Wednesday. The wallet address appeared in tweets from at least 15 accounts—some with tens of millions of followers—that promoted fraudulent incentives to transfer money. At least one other Bitcoin wallet was used in the mass scam.
“I’m giving back to all my followers,” one now-deleted tweet from Musk’s account said. “I am doubling all payments sent to the Bitcoin address below. You send 0.1 BTC, I send 0.2 BTC back!” A tweet from the Bezos account said the same thing. “Everyone is asking me to give back, and now is the time,” a Gates tweet said. “I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.”
Another variation of the scam promoted a supposed partnership that pledged to donate 5,000 BTC to the community and included a link to a domain where money was to be sent. The domain was quickly suspended. This variation came early in the hijacking spree and appeared to affect only cryptocurrency-related businesses, including Binance and Gemini.
Other hijacked accounts belonged to Barack Obama, Mike Bloomberg, Apple, Kanye West, Kim Kardashian West, Wiz Khalifa, Warren Buffett, YouTube personality MrBeast, Wendy’s, Uber, CashApp, and a raft of cryptocurrency entrepreneurs. (Screenshots of several of the scam tweets appeared here in the original post.)
At 2:58 PM California time, Musk’s account continued to pump out fraudulent tweets, despite the mass account hijackings being two hours old. What’s more, a screenshot tweeted by a security researcher showed that the attackers had changed the email addresses associated with some of the hijacked accounts.
That so many social media accounts were taken over in such a short time and remained hijacked for so long is extraordinary if not unprecedented. Previous hijackings that happened to one or two high-profile accounts to promote scams were the result of phishing attacks or the accounts being protected by weak passwords. And in almost all cases, the rightful account holders quickly regained control.
The ability of the attackers to regain control of accounts was also highly unusual. The compromise of so many accounts—many belonging to people who are seasoned in the importance of good security hygiene—raised serious suspicions that the compromises were the result of a breach of Twitter’s infrastructure.
A Twitter spokeswoman said company personnel are looking into the cause and would respond soon.
A statement Binance issued said its personnel “confirmed that this Twitter breach was not caused by a vulnerability of Binance’s platform or team members.” The statement didn’t provide any other details about the cause of the hijacking. Binance went on to say: “Our security team has verified that there are zero Binance accounts/users who have sent funds to the hacker’s wallet addresses. The hacker’s wallets are not associated with Binance, and we have prevented all Binance wallet addresses from depositing assets into the hacker’s addresses.”
Emails to some of the other affected account holders weren’t immediately returned.
A spokeswoman for security firm RiskIQ said company researchers were able to track the infrastructure belonging to the party behind Wednesday’s large-scale hack. So far, they have compiled a list of more than 400 associated domains, including cryptoforhealth.com, the site included in the fraudulent tweet from Binance and other cryptocurrency businesses. Many of the domains didn’t respond, while others led to browser warnings (a screenshot of one appeared here in the original post).
As the hijackings continued, Twitter said that while it investigated, it was suspending the ability of many but not all Twitter users to tweet or respond to tweets. Accounts belonging to verified users were unable to tweet or reply to other tweets. Instead they got a message that said: “This request looks like it might be automated. To protect our users from spam and other malicious activity, we can’t complete this action right now. Please try again later.” The suspension didn’t apply to retweets or direct messages. Unverified accounts worked normally.
This is a developing story. This post will be updated as more details become available.
It’s no secret that every major social media platform is chock-full of bad actors, fake accounts, and bots. The big companies continually pledge to do a better job weeding out organized networks of fake accounts, but a new report confirms what many of us have long suspected: they’re pretty terrible at doing so.
The report comes this week from researchers with the NATO Strategic Communication Centre of Excellence (StratCom). Over the four months between May and August of this year, the research team conducted an experiment to see just how easy it is to buy your way into a network of fake accounts and how hard it is to get social media platforms to do anything about it.
The research team spent €300 (about $332) to purchase engagement on Facebook, Instagram, Twitter, and YouTube, the report (PDF) explains. That sum bought 3,520 comments, 25,750 likes, 20,000 views, and 5,100 followers. They then used those interactions to work backward to about 19,000 inauthentic accounts that were used for social media manipulation purposes.
About a month after buying all that engagement, the research team looked at the status of all those fake accounts and found that about 80 percent were still active. So they reported a sample selection of those accounts to the platforms as fraudulent. Then came the most damning statistic: three weeks after being reported as fake, 95 percent of the fake accounts were still active.
“Based on this experiment and several other studies we have conducted over the last two years, we assess that Facebook, Instagram, Twitter, and YouTube are still failing to adequately counter inauthentic behavior on their platforms,” the researchers concluded. “Self-regulation is not working.”
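The report says the researchers bought engagement on posts they controlled and then worked backward from those interactions to the accounts that delivered them. The script below is an added example of that backward trace, not the StratCom team’s code or data: it assumes you have the list of accounts that engaged with each seeded post (hypothetical post IDs P1 to P5) and that genuine users have little reason to engage with several unrelated seeded posts. Accounts that touched at least two seeded posts become candidates, and candidates sharing at least two seeded posts are linked; connected components of that graph are the likely farms. The engagement records are constructed for the example.

```python
"""Trace purchased engagement back to the accounts that delivered it and
cluster them by co-engagement.

Constructed data and hypothetical post IDs, not the StratCom data set.
"""
from collections import defaultdict
from itertools import combinations

# Posts we (hypothetically) bought likes/comments on. Real accounts have
# no reason to engage with several of them, so repeat engagers are suspect.
SEEDED_POSTS = {"P1", "P2", "P3", "P4", "P5"}
MIN_SEEDS = 2     # engage with at least this many seeded posts to be a candidate
MIN_SHARED = 2    # two candidates are linked if they share this many seeded posts

# Constructed engagement records: (account, post_id), as scraped from the
# seeded posts or exported by the platform.
ENGAGEMENTS = [
    ("bot1", "P1"), ("bot1", "P2"), ("bot1", "P3"),
    ("bot2", "P1"), ("bot2", "P2"),
    ("bot3", "P1"), ("bot3", "P2"), ("bot3", "P3"),
    ("bot4", "P2"), ("bot4", "P3"),
    ("bot5", "P4"), ("bot5", "P5"),
    ("bot6", "P4"), ("bot6", "P5"),
    ("bot7", "P4"), ("bot7", "P5"),
    ("organic1", "P1"),                      # one like from a real user
    ("organic2", "P1"), ("organic2", "P4"),  # real user who happened to like two posts
    ("organic3", "P9"),                      # engagement on a post we did not seed
]


def candidate_accounts(engagements, seeded=SEEDED_POSTS, min_seeds=MIN_SEEDS):
    """Map account -> set of seeded posts it touched, keeping only accounts
    that touched at least min_seeds of them."""
    touched = defaultdict(set)
    for account, post in engagements:
        if post in seeded:
            touched[account].add(post)
    return {a: posts for a, posts in touched.items() if len(posts) >= min_seeds}


def coengagement_clusters(candidates, min_shared=MIN_SHARED):
    """Connected components of the graph whose edges join candidates that
    share at least min_shared seeded posts. Returns clusters largest first."""
    adjacent = defaultdict(set)
    for a, b in combinations(candidates, 2):
        if len(candidates[a] & candidates[b]) >= min_shared:
            adjacent[a].add(b)
            adjacent[b].add(a)

    seen, clusters = set(), []
    for account in candidates:
        if account in seen:
            continue
        component, stack = set(), [account]
        while stack:                      # iterative depth-first search
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adjacent[node] - seen)
        clusters.append(sorted(component))
    return sorted(clusters, key=lambda c: (-len(c), c))


if __name__ == "__main__":
    for cluster in coengagement_clusters(candidate_accounts(ENGAGEMENTS)):
        print(len(cluster), ", ".join(cluster))
```

On the sample the two farms come out as a four-account and a three-account cluster, while the real user who liked two seeded posts ends up as a singleton because it shares only one post with either farm. The second step the report describes, checking a month later whether the accounts are still active and again after reporting them, needs the platform’s API or a re-scrape and is not shown here.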
Too big to govern
The social media platforms are fighting a distinctly uphill battle. The scale of Facebook’s challenge, in particular, is enormous. The company boasts 2.2 billion daily users of its combined platforms. Broken down by platform, the original big blue Facebook app has about 2.45 billion monthly active users, and Instagram has more than one billion.
Facebook frequently posts status updates about “removing coordinated inauthentic behavior” from its services. Each of those updates, however, tends to snag between a few dozen and a few hundred accounts, pages, and groups, usually sponsored by foreign actors. That’s barely a drop in the bucket even compared to the 19,000 fake accounts that one research study uncovered from a single €300 outlay, let alone the vast ocean of other fake accounts out there in the world.
The issue, however, is both serious and pressing. A majority of the accounts found in this study were engaged in commercial behavior rather than political troublemaking. But attempted foreign interference in both a crucial national election on the horizon in the UK this month and the high-stakes US federal election next year is all but guaranteed.
The Senate Intelligence Committee’s report (PDF) on social media interference in the 2016 US election is expansive and thorough. The committee determined Russia’s Internet Research Agency (IRA) used social media to “conduct an information warfare campaign designed to spread disinformation and societal division in the United States,” including targeted ads, fake news articles, and other tactics. The IRA used and uses several different platforms, the committee found, but its primary vectors are Facebook and Instagram.
Facebook has promised to crack down hard on coordinated inauthentic behavior heading into the 2020 US election, but its challenges with content moderation are by now legendary. Working conditions for the company’s legions of contract content moderators are terrible, as repeatedly reported—and it’s hard to imagine the number of humans you’d need to review the billions of pieces of content posted every day. Using software tools to recognize and block inauthentic actors is obviously the only way to catch it at any meaningful scale, but the development of those tools is clearly also still a work in progress.
Elon Musk has never been someone to back down from a fight. On Tuesday, Musk’s confrontational personality brought him to a Los Angeles federal courtroom to testify in a defamation lawsuit brought by British cave explorer Vernon Unsworth. Musk told the court that he didn’t intend for people to take it literally when he labeled Unsworth a “pedo guy” on Twitter, a site where he had more than 20 million followers.
Musk’s feud with Unsworth began in July 2018, when Unsworth and Musk were both trying to help a dozen boys trapped in a flooded cave in Thailand. Unsworth, who had years of prior experience with the cave, advised authorities on the rescue effort. Meanwhile, Musk assembled a team of SpaceX engineers to construct a “miniature submarine” to aid in the rescue efforts.
The submarine was never used; rescuers had already rescued the boys by the time it arrived in Thailand. When Unsworth was asked about Musk’s invention on CNN, he scoffed. The contraption had “absolutely no chance of working,” Unsworth said, adding that Musk should “stick his submarine where it hurts.”
Musk responded angrily on Twitter, vowing to demonstrate that the submarine could have squeezed through the tightest passages on the rescue route. “Sorry pedo guy, you really did ask for it,” Musk added.
In his Tuesday court testimony, Musk said that he was merely trading one schoolyard taunt for another. Unsworth’s comments were “an unprovoked attack on what was a good-natured attempt to help the kids,” Musk told the court. “It was wrong and insulting, and so I insulted him back.”
“I thought he was just some random creepy guy,” Musk said, according to Reuters. “I thought at the time that he was unrelated to the rescue.”
“I knew he didn’t literally mean to sodomize me with a submarine, just as I didn’t literally mean he was a pedophile,” Musk said.
“I fucking hope he sues me”
But Unsworth’s lawyers have pointed to a string of subsequent statements that suggest Musk did mean it literally.
“Bet ya a signed dollar it’s true,” Musk tweeted when someone objected to his use of the phrase “pedo guy.” In a tweet a month later, he asked: “You don’t think it’s strange he hasn’t sued me?”
Then in an email to BuzzFeed reporter Ryan Mac, Musk claimed that Unsworth traveled “to Chiang Rai for a child bride who was about 12 years old at the time” and described Unsworth as a “child rapist.” (Unsworth has denied these claims.)
“I fucking hope he sues me,” Musk wrote. Musk labeled his email “off the record.” But Mac, who hadn’t agreed to keep the exchange confidential, published it anyway.
In October this year, Mac revealed Musk’s source for these explosive charges: a private investigator Musk paid $50,000 to dig up dirt on Unsworth. Musk argues that his later statements were based on the investigator’s preliminary findings. But the investigator turned out to have a felony fraud conviction, and he never turned up evidence supporting the claims. Unsworth’s wife says she was actually 33, not 12, when she met Unsworth.
“Joking, taunting tweets”
In his opening statement, Musk’s lawyer argued that Musk’s tweets were not allegations of criminal behavior by Unsworth. “They’re joking, taunting tweets in a fight between men,” he said.
The lawyer also accused Unsworth of wanting to “milk his 15 minutes of fame,” according to the New York Post.
But an attorney for Unsworth portrayed Musk as vain and vindictive. He said Unsworth sued Musk for “accusing him of being a pedophile in what should have been the proudest moment of his life.” Musk’s tweets caused Unsworth “shame, mortification, worry, and distress,” the lawyer told jurors.
Musk’s high profile has made it difficult for the court to assemble an impartial jury. One potential juror was dismissed because he had an interview scheduled at SpaceX later in the month. Others were dismissed because they followed Musk on Twitter and had followed the case. Another prospect was let go after admitting she had strong opinions about billionaires.