Twitter says 'social engineering' led to the massive hack that targeted high-profile accounts like Barack Obama and Jeff Bezos. Here's what the technique involves and how to avoid it.
- Twitter on Wednesday experienced a massive security breach that allowed hackers to perpetrate a bitcoin scam from the accounts of some of the site's most high-profile users, including Barack Obama, Jeff Bezos, and Bill Gates.
- The company said that the hack appears to be the result of a "coordinated social engineering attack" in which the attackers tricked Twitter employees into granting them access to internal tools.
- Social engineering is a technique where hackers manipulate victims in order to obtain information about an organization.
- People can protect themselves by verifying the identity of people who approach them asking for sensitive information about their companies, installing anti-virus software and email filters, and reporting any suspicious requests to their organizations.
Twitter on Wednesday experienced its worst-case scenario: a massive hack that compromised the accounts of some of its highest-profile users, including the former President of the United States and the richest person in the world.
The attack involved taking control of the accounts of major tech companies, executives, and politicians, and urging users to send bitcoin to an address with the promise that the payment would be doubled and sent back. The hackers may have tricked Twitter users into giving them more than $120,000, though it's impossible to know for sure.
But the scale of the attack and the position of the victims targeted — including Barack Obama, Jeff Bezos, Elon Musk, Bill Gates, Warren Buffett, and more — called into question how, exactly, it was carried out.
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," Twitter's support account tweeted Wednesday night.
Twitter says the attackers used the access they'd gained to hijack the famous accounts and send tweets. The company said it was looking into what else the hackers may have done while they had control of the accounts, including accessing private information.
What is social engineering?
Social engineering is a hacking technique in which attackers manipulate victims into giving up information about an organization.
According to the US Cybersecurity and Infrastructure Security Agency, the attacker will appear "unassuming and respectable," oftentimes posing as a new employee or repair person and offering credentials to appear more legitimate. The attacker is able to gather information about a company's network by asking questions, and may use that information to appear more credible when approaching other employees within an organization, which appears to be what happened at Twitter.
There are several different techniques hackers rely on when attempting to manipulate a victim, according to the European Union's Agency for Cybersecurity, known as ENISA:
- Baiting. The attacker might trick the employee into performing a task by supplying an enticing reward. In ENISA's example, the attacker may give the victim a USB drive labeled "My private pics" that's been infected with a keylogger.
- Pretexting. This could include posing as an IT support worker and requesting an employee's password for system maintenance.
- Tailgating. The attacker may physically follow an employee into an area they wouldn't otherwise have access to. ENISA gives the example of the attacker posing as a worker and carrying something heavy to the door of a restricted area, then asking an employee to let them in with their badge.
- Quid pro quo. The attacker, posing as someone else, might offer money in exchange for an employee's password.
How should you protect yourself?
Experts have several tips for protecting yourself from social engineering techniques. ENISA recommends a mantra of "identify, ignore, and report" when approached by a suspicious person asking for information or to be granted access to a restricted area. It also encourages companies to install security measures on employee devices that block unauthorized software and hardware.
CISA, the US government agency, recommends verifying suspicious requests with the company by contacting it directly. However, CISA notes that you should never use contact information provided on a website that's connected with the request, as it may have been falsified — find the company's contact information yourself.
CISA also urges installing anti-virus software and email filters, and checking a website's security before entering any sensitive information by looking for a URL that begins with "https" — which indicates that a site is secure — and checking for a closed padlock icon, which indicates that your information is encrypted.
Otherwise, you should never provide private information or sensitive information about your company unless you're 100% certain of the identity of the person requesting it, CISA says. Anyone who thinks they've been a victim of this type of attack should report it to their organization immediately and change any passwords that may have been affected.