The Attack That Broke Twitter Is Hitting Dozens of Companies
“Phone spear phishing” attacks have been on the rise
When law enforcement arrested three alleged young hackers in the US and the UK last month, the story of the worst-known hack of Twitter's systems seemed to have drawn to a tidy close. But in fact, the technique that allowed hackers to take control of the accounts of Joe Biden, Jeff Bezos, Elon Musk, and dozens of others is still in use against a broad array of victims, in a series of attacks that began well before Twitter's blowup, and in recent weeks has escalated into a full-blown crime wave.
In mid-July, Twitter revealed that hackers had used a technique against it called "phone spear phishing," allowing the attackers to target the accounts of 130 people including CEOs, celebrities, and politicians. The hackers successfully took control of 45 of those accounts and used them to send tweets promoting a basic bitcoin scam. The hackers, Twitter wrote in a postmortem blog post about the incident, had called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.
But Twitter is hardly the only recent target of "phone spear phishing," also sometimes known as "vishing," for "voice phishing," a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies—including banks, cryptocurrency exchanges, and web hosting firms—have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that's been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company's services—most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.
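The playbook described above ends with a support agent's credentials being used to reset passwords and two-factor settings on many accounts in a short span, and that pattern is exactly what an internal tool's audit log can surface for defenders. The following Python is an added example, not code from WIRED, Twitter, or any of the companies mentioned; the log format, agent and account names, and the thresholds are constructed assumptions, and a real deployment would tune them against its own baseline and tie the "verified account" check to its own account-tier data.

```python
"""Detection example: flag anomalous use of an internal account-support tool.

Two rules are applied to audit events from a hypothetical admin tool:
  1. reset_burst: one agent performs more than `max_resets` sensitive actions
     (password reset, 2FA reset, e-mail change) inside a sliding time window.
  2. sensitive_action_on_verified_account: any sensitive action against a
     high-profile ("verified") account is raised for review regardless of volume.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system).
# Columns: ISO timestamp, agent, action, target account, target flags ("-" = none)
SAMPLE_LOG = """\
2020-07-15T20:01:10Z agent_a RESET_PASSWORD user_1042 -
2020-07-15T20:01:55Z agent_a RESET_2FA user_1042 -
2020-07-15T20:03:30Z agent_b RESET_PASSWORD user_7781 -
2020-07-15T20:10:02Z agent_c RESET_2FA vip_account_1 verified
2020-07-15T20:10:40Z agent_c RESET_PASSWORD vip_account_1 verified
2020-07-15T20:11:15Z agent_c RESET_2FA vip_account_2 verified
2020-07-15T20:12:03Z agent_c RESET_PASSWORD vip_account_2 verified
2020-07-15T20:12:50Z agent_c RESET_2FA vip_account_3 verified
2020-07-15T20:13:20Z agent_c RESET_PASSWORD vip_account_3 verified
2020-07-15T20:14:00Z agent_c RESET_2FA user_5500 -
2020-07-15T20:14:45Z agent_c CHANGE_EMAIL vip_account_4 verified
"""

# Actions that change who controls an account; hypothetical action names.
SENSITIVE_ACTIONS = {"RESET_PASSWORD", "RESET_2FA", "CHANGE_EMAIL"}


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, agent, action, target, flags = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "agent": agent,
            "action": action,
            "target": target,
            "verified": flags == "verified",
        })
    return events


def detect(events, window=timedelta(minutes=10), max_resets=5):
    """Return a list of alert dicts for the two rules described in the docstring."""
    alerts = []
    by_agent = defaultdict(list)
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        by_agent[ev["agent"]].append(ev)
        if ev["verified"]:
            alerts.append({
                "rule": "sensitive_action_on_verified_account",
                "agent": ev["agent"],
                "action": ev["action"],
                "target": ev["target"],
            })
    # Sliding window per agent: find the largest number of sensitive actions
    # that fall inside any `window`-long span.
    for agent, evs in by_agent.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_resets:
            alerts.append({
                "rule": "reset_burst",
                "agent": agent,
                "count": peak,
                "window_minutes": int(window.total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run over the constructed log, the burst rule fires once for agent_c (eight sensitive actions in under five minutes) and the verified-account rule fires for each of the seven actions against vip_ accounts, while the routine single-customer resets by agent_a and agent_b produce nothing. The point of keeping two independent rules is that a careful attacker can stay under a volume threshold, so a per-target check on high-value accounts should not depend on the volume check.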
Please select this link to read the complete article from WIRED.