Twitter hackers posed as IT staff, used VPN issues as a lure

An investigation behind this summer's highly publicized Twitter attack revealed how hackers managed to gain access to the social media company's internal administrative tools

New York State's Department of Financial Services (DFS) released an investigation report Wednesday detailing their findings surrounding the July 16 Twitter breach in which hackers scammed Twitter users out of over $118,000 worth of bitcoin.

In the incident, a group of hackers led by a 17-year-old conducted a successful vishing attack that allowed them to breach Twitter's network and, as a result, send tweets from numerous high-profile accounts including former president Barack Obama and Tesla CEO Elon Musk, among others. The tweets asked users to send bitcoin to an address in order to see it doubled. Of course, no cryptocurrency was ever doubled and returned.

The report offers a deep dive into the social engineering attack, including how the attack was actually pulled off.

According to the report, "one or more" hackers called multiple Twitter employees claiming to be from Twitter's IT department help desk. The problem: VPN issues.

"The Hackers claimed they were responding to a reported problem the employee was having with Twitter's Virtual Private Network ('VPN'). Since switching to remote working, VPN problems were common at Twitter," the report stated.

"The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did."

The report concluded that there was no evidence that any employees knowingly assisted the Twitter hackers with the attack. Instead, what hackers did was utilize personal information about the employees in an attempt to convince them of the hackers' legitimacy. The report notes that, "While some employees reported the calls to Twitter's internal fraud monitoring team, at least one employee believed the Hackers' lies."

It's unclear what actions were taken by Twitter's internal fraud monitoring team after being alerted to the vishing attempts. The DFS report does not specify what steps, if any, the team took to assess and mitigate the threat.

The report also noted that the first Twitter employee whose account was compromised did not have access to the social media company's administrative tools. "Instead, the Hackers used this initial compromise to navigate Twitter's internal websites and learn more about Twitter's information systems. The Hackers reviewed Twitter's intranet websites containing information about how to access other internal applications," the report said.

Exposed or stolen credentials, particularly for administrative accounts, have become a growing problem for organizations in recent years. According to the 2020 Verizon Data Breach Investigations Report, 37% of data breaches involve the use of stolen credentials, up from 29% in 2019. That number jumps up to over 80% when brute-forcing and exposed credentials are included alongside outright credential theft.