Comprimised Twitter accounts appeared to announce partnerships with a company called ‘CryptoForHealth’. This false organisation’s website domain was found to have been registered on the 15th July, and claimed to be offering a “5000 Bitcoin giveaway” to help with the hard times of Covid-19.
The accounts concerned included those of companies Coinbase, Binance and Gemini, as well as individuals such as Justin Sun Tron, founder of TRON, and Charlie Lee, founder of LiteCoin.
The accounts of Microsoft co-founder Bill Gates, SpaceX CEO Elon Musk, and Amazon chief Jeff Bezos, were also hijacked.
“Their tweets used the same Bitcoin address we observed on the CryptoForHealth site, indicating that this is likely a coordinated attack,” said Satnam Narang, staff research engineer at Tenable.
“The hackers ask users to send anywhere between 0.1 BTC to 20 BTC to a designated Bitcoin address, and that they’ll double victims’ money. This is a common scam that has persisted for a few years now, where scammers will impersonate notable cryptocurrency figures or individuals. What makes this incident most notable, however, is that the scammers have managed to compromise the legitimate, notable Twitter accounts to launch their scams.
Spearheading the defence against a cyber attack requires c-suite buy-in
“Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address is even greater. This is a fast moving target and so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon Musk and Bill Gates’ tweets.
“We strongly advise users never to participate in so-called giveaways or opportunities that claim to double your cryptocurrency because they’re almost always guaranteed to be a scam.”
Reaction from Twitter
Twitter have since announced that they have launched an investigation into the attack, locked down all affected accounts, and deleted tweets posted by the cyber attackers.
Additionally, limits were placed on functionality on all verified accounts while the investigation is ongoing.
This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do.
— Twitter Support (@TwitterSupport) July 16, 2020
Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.
— Twitter Support (@TwitterSupport) July 16, 2020
Overcoming security issues
Oz Alashe MBE, CEO of Cybsafe, has cited Twitter employees working from home as a possible factor in the social media platform’s back end being infiltrated.
“It’s somewhat odd that criminals had significant access to Twitter’s back-end, and decided to only pull off a cryptocurrency scam,” said Alashe. “The financial reward the criminals have gained at this point is, in cyber security terms, rather small. Perhaps they simply overestimated how much Bitcoin would come in from their fraud. But it’s also possible that more information has been compromised that Twitter doesn’t yet know about. This could be leveraged at a later date.
“Why did this attack happen now? It’s plausible that most Twitter admins are working from home, so have been given remote access to back-end functionality. Situations like this often make employees more vulnerable to social engineering attempts, because there is less direct contact with other internal staff.
“Companies need to ensure that their human cyber security awareness programs have adjusted for the new working from home norm. More large businesses will fall victim to social engineering attacks during this period if they continue to take the same approach to cyber security and their people, compared to before the pandemic.”
Keeping data private and protected when remote working
Dmitry Galov, security researcher at Kaspersky, emphasised the importance of remaining vigilant.
“Hacking into popular accounts to publish scam messages isn’t a new practice, neither is the doubling the donation scam,” said Galov. “What is curious in this case is the scale of the attack and the fact that the actor completely took over the verified accounts – their emails have been changed, so the owners aren’t able to get access back quickly enough.
“This scam was extremely effective – the amount gathered from the victims now equals over $120,000, and this is just in one day.
“I think there are two major takeaways from this incident. First, users need to be aware of scams and stay cautious on social media; they need to be able to recognise them. Second, we need to be extra careful with our online assets—anything critical has to have, at a minimum, two-factor authentication,”