On July 17, 130 high-profile Twitter accounts were hijacked for the purpose of tweeting messages that solicited cryptocurrency scams.
As a result, 12.58 bitcoin, or close to $116,000, went to addresses mentioned in the fraudulent tweets. According to an official tweet, the social-networking service fell victim to “… a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
In a statement on its ongoing investigation into the July 15 incident, Twitter said it resulted from a small number of employees being manipulated through a social engineering scheme. Twitter said at least 130 accounts were targeted by the attackers, who succeeded in sending out unauthorized tweets from 45 of them and may have been able to view additional information about those accounts, such as direct messages.
On eight of the compromised accounts, Twitter said, the attackers managed to download the account history using the Your Twitter Data tool. Twitter added that it is working with law enforcement and is rolling out additional company-wide training to guard against social engineering tactics.
The first public signs of the intrusion came around 3 PM EDT, when the Twitter account for the cryptocurrency exchange Binance tweeted a message saying it had partnered with “CryptoForHealth” to give back 5000 bitcoin to the community, with a link where people could donate or send money.
Minutes after that, similar tweets went out from the accounts of other cryptocurrency exchanges, and from the Twitter accounts of Democratic presidential candidate Joe Biden, Amazon CEO Jeff Bezos, former President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.
There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.
The Twitter Admin Panel
According to almost every report, the hackers were able to take over the Twitter accounts by gaining access to a Twitter admin panel that is supposed to be accessible only to employees.
They used this panel to change the recovery email registered to each account, so that the recovery email landed in an inbox they controlled, and then reset the password of each of those accounts.
This gave the attackers complete control of the Twitter accounts, including access to all private messages and the ability to post tweets. The hackers also posted a screenshot of the admin panel on a hacking forum named OGUsers.
As previously stated, they obtained access to this admin panel through credentials stolen from actual Twitter employees in a series of social engineering attacks.
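As an added example (not from the article and not Twitter's own tooling), the following Python shows how a defender might spot the sequence described above in an admin audit log: a recovery-email change followed within minutes by a password reset, repeated by one admin actor across several accounts. The log format, field names, actor names and account ids are constructed assumptions for illustration.

```python
"""Detect recovery-email-change -> password-reset chains in an admin audit log.
The log format below is a constructed, hypothetical format, not Twitter's:
<ISO timestamp> <actor> <action> <target_account> [detail]
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (all actors, accounts and addresses are made up).
SAMPLE_LOG = """\
2020-07-15T19:40:02Z admin_jdoe recovery_email_changed acct_1001 new=attacker-a@example.invalid
2020-07-15T19:40:31Z admin_jdoe password_reset acct_1001
2020-07-15T19:41:10Z admin_jdoe recovery_email_changed acct_1002 new=attacker-a@example.invalid
2020-07-15T19:41:45Z admin_jdoe password_reset acct_1002
2020-07-15T19:42:05Z admin_jdoe recovery_email_changed acct_1003 new=attacker-b@example.invalid
2020-07-15T19:42:50Z admin_jdoe password_reset acct_1003
2020-07-15T18:02:00Z admin_asmith recovery_email_changed acct_2001 new=user@example.invalid
2020-07-15T18:30:00Z admin_bwong password_reset acct_3001
"""

def parse(log_text):
    """Parse log lines into (timestamp, actor, action, account) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)

def find_takeover_chains(log_text, window=timedelta(minutes=10)):
    """Return (actor, account, seconds) for each account where the same admin
    changed the recovery email and then reset the password within `window`."""
    pending = {}  # (actor, account) -> time of the recovery-email change
    chains = []
    for ts, actor, action, account in parse(log_text):
        key = (actor, account)
        if action == "recovery_email_changed":
            pending[key] = ts
        elif action == "password_reset" and key in pending:
            delta = ts - pending.pop(key)
            if delta <= window:
                chains.append((actor, account, int(delta.total_seconds())))
    return chains

def flag_actors(chains, threshold=3):
    """Admin actors who completed the chain on at least `threshold` distinct accounts."""
    per_actor = defaultdict(set)
    for actor, account, _ in chains:
        per_actor[actor].add(account)
    return sorted(a for a, accts in per_actor.items() if len(accts) >= threshold)
```

A lone recovery-email change (admin_asmith) or a lone reset (admin_bwong) is not flagged; only the paired sequence repeated across accounts is.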