PiChris - Fotolia
The alleged mastermind behind the Twitter breach, which swindled victims out of more than $100,000 in cryptocurrency last month, didn't use computer or malware to gain initial access to the social media company. He used the phone.
The Department of Justice (DoJ) Friday announced charges against three suspects in connection with last month's Twitter breach. Seventeen-year-old Graham Ivan Clark will be charged as an adult for the attack he allegedly "masterminded," according to authorities. The hack involved gaining access to dozens of high-profile accounts including Amazon CEO Jeff Bezos, Tesla and SpaceX CEO Elon Musk, and former President Barack Obama, and then using said accounts to tweet out bitcoin scams that earned threat actors, including Clark, over $100,000.
According to an update from Twitter regarding the attack, the breach was a result of a specific type of social engineering attack: phone phishing. The social media company said the threat actor "targeted a small number of employees through a phone spear phishing attack," and then used employees' credentials to access internal management tools at Twitter to gain control of dozens of accounts.
Clark was arrested in Tampa, Fla., on July 31 and faces numerous charges including one count of organized fraud, one count of accessing a computer or electronic device without authorization, 10 counts of fraudulent use of personal information, and 17 counts of communications fraud.
"This defendant lives here in Tampa, he committed the crime here and he'll be prosecuted here," Hillsborough (Fla.) State Attorney Andrew Warren, who filed charges against Clark, said in a press release.
"Working together [with the FBI and DoJ], we will hold this defendant accountable. Scamming people out of their hard-earned money is always wrong. Whether you're taking advantage of someone in person or on the internet, trying to steal their cash or their cryptocurrency -- it's fraud, it's illegal and you won't get away with it."
Paul DucklinPrincipal research scientist, Sophos
In addition, the DoJ charged two others in connection with the Twitter breach. Mason Sheppard, 19, of Bognor Regis, U.K., was charged with conspiracy to commit wire fraud, conspiracy to commit money laundering and unauthorized access of a computer or electronic device. Nima Fazeli, 22, of Orlando, Fla., was charged with aiding and abetting the unauthorized access.
The details of the Clark's alleged phone phishing attack are still unclear; the DoJ did not release Clark's name or the criminal complaint against him because he is a minor.
The threat of vishing
The attack on July 15 targeted 130 total accounts, with 45 having had Tweets sent by attackers, 36 accounts with their direct message inbox accessed and seven accounts with an archive of their "Your Twitter Data" downloaded, according to Twitter.
While it's unclear how Clark allegedly executed the phone phishing, Twitter said in its update that the attack "relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems."
Maya Levine, technical marketing engineer at Check Point Software Technologies, provided context into how phone phishing or voice phishing (aka "vishing") works.
"This is a social engineering tactic of phishing calls to employees in order to gain trust, harvest details and deceive them to take actions," she said. "Over the last few months, more and more organizations have reported that their employees were targets of such Vishing calls."
James McQuiggan, security awareness advocate with KnowBe4, explained that vishing attacks take substantial work for threat actors to pull off.
"A successful vishing attack is the result of a thorough intelligence gathering or pretexting. Pretexting is when the attacker will use open source techniques and research the organization and its employees on the internet to learn as much about the organization as possible," he said. "They will use that information to call various people within the organization to gain additional information to use towards reaching their goal or target. As they gather internal knowledge from the victim that is not publicly known, this is used to collect the victim's confidence for more knowledge or access to systems."
Melody J. Kaufmann, cybersecurity specialist at identity governance vendor Saviynt, said enterprises are vulnerable to vishing because it can often be an overlooked threat compared to other social engineering attacks.
"Vishing is more insidious because, while many organizations have awareness campaigns to educate their employees about the dangers of phishing links, rarely are variations such as smishing (SMS phishing) and vishing included in those campaigns," she said. "Vishing relies on the fact that rarely do people think of cybersecurity in relation to a voice phone call. This type of social engineering plays on the good intentions and kindness of the human, leveraging sympathy and weaponizing good customer service to steal information or gain access that can lead to a breach."
Paul Ducklin, principal research scientist at Sophos, said enterprises should have some kind of system, either through voice or email, where employees can quickly report suspicious phone calls and raise awareness about a potential vishing campaign.
"Social engineering crooks rarely just try once -- they call and call or email and email again and again until they get where they want to be," Ducklin said. "If anyone who didn't fall for their trickery has a clear way to report a failed attempt, that could be enough of a warning to alert everyone else in the company and head off the attack. Aim to make all of your staff into the cybersecurity 'eyes and ears' of your security team."