Less than a week ago, Twitter fell victim to a monumental security breach that saw hackers successfully orchestrate a social engineering attack and take over high-profile Twitter user accounts, including world-renowned companies like Apple and business magnates like Bill Gates and Elon Musk.
The cybercriminals used that access to launch a bitcoin scam that generated over $120,000. The attack is just one example of an emerging trend of social engineering threats. A 2019 report identified attempts to compromise Microsoft Office 365 administrator accounts as part of a broad phishing campaign.
This Social Media Compromise incident is the social-network equivalent of Business Email Compromise, the method social engineers use to establish trust with their targets. It also underscores the importance of adding protection against social engineering attacks to your organization's cyber security strategy.
This article will take a closer look at how the Twitter hack happened, what we can learn from it, how to detect social engineering attempts, and the importance of security awareness training.
Twitter’s Social Engineering Attack: How it Happened
According to a blog post released by Twitter, the hack took place when bad actors “manipulated a small number of employees and used their credentials to access Twitter’s internal systems.” After gaining access to privileged systems, the attackers attempted to hack 130 user accounts.
To hack the accounts, the assailants reset the passwords of their intended victims through Twitter's backend systems and then used the new passwords to sign in. The cyber criminals successfully breached 45 accounts and published posts encouraging the victims' followers to send bitcoin to a BTC address under the false premise that the senders' payment would be matched and returned.
The cybercrime was successful because the hackers put themselves in a position where they could exploit the trust between the account holders and their fans. With many of the bogus tweets seemingly coming from individuals known for their philanthropy, many Twitter users unfortunately took the posts at face value.
The Social Engineering Twitter Hack: Key Lessons Learned
While the incident has shaken public confidence in social media, it's important to stay optimistic. The attack offers modern companies a valuable learning opportunity about the realities of social engineering threats.
Here are some key takeaways from the Twitter hack:
1. Social engineering can victimize anyone at any organization
The Twitter hack proved that even tech giants aren't immune to social engineering scams. An attacker who conducts in-depth research about a victim can easily fool them with a convincing story and phony credentials. Being prepared to defend against the threat is vital, whether you're part of a small business or a multinational organization.
2. Social engineering schemes are targeting more privileged users
The access employees have to internal systems makes them a major target for cyber criminals. Acquiring login credentials from one user through a phishing email could grant access to privileged IT resources that would otherwise be inaccessible to the attacker, making a data breach considerably more devastating.
3. Two-factor authentication may not be enough to protect your data
While two-factor authentication is important for securing access, it isn't sufficient alone to protect your data. If a fraudster tricks an employee into giving up information directly, then the data will still be breached. Cyber security awareness training is essential to ensure that employees know how to minimize the risk of data leaks.
4. Social media is the new frontier for successful phishing attacks
With social media ad spend expected to top $43 billion in 2020, cybercriminals will inevitably start to exploit the reach those companies have online. The larger the number of followers a company has, the greater the number of potential targets for scams. Properly manage accounts that represent your organization on social media.
5. The Twitter hack could signal a new onslaught of social engineering threats
The success of the Twitter hack will undoubtedly inspire other hackers to attempt similar social media hacks. Consequently, we can expect to see an increasing number of social media compromise scams taking place. Strong security awareness training is critical to spotting cyber threat warning signs and keeping your data safe.
How to Detect and Safeguard Against Social Engineering Threats
At its most basic level, social engineering is a manipulation technique that cybercriminals use to impersonate an individual and trick the victim into giving up confidential information, like passwords. Social engineering can happen through a range of mediums, including emails, phone calls or SMS messages.
Statistically, email is the most common medium, with 91% of all cyber attacks beginning with a phishing email to an unsuspecting victim. A typical phishing email will include attachments containing malware or links which require the victim to provide personal data such as login credentials.
If the victim hands over their information, then a cybercriminal can use it to engage in fraudulent or malicious activity.
Here's a brief list of the most common examples of social engineering threats:
- Vishing - Voice phishing where a hacker attempts to gather sensitive information from you through a telephone call, usually posing as an authority.
- Baiting - An online or physical social engineering threat where the victim is promised a reward if they act in a certain way.
- Pretexting - An attacker adopts a fake identity and approaches the victim with a story to try to get them to provide sensitive information.
- Water-holing - A social engineering threat that infects a legitimate website and its visitors with malware.
- Malware - Victims are tricked into believing that they have malware installed on their computer and encouraged to pay to have it removed.
Against all these attack types, your number one weapon is awareness. Being aware not only of the warning signs but also of which best practices to adopt to limit the exposure of your information is critical to staying safe online.
There are many things you can do to defend against social engineering attempts and reduce the chance of a social network breach.
1. Invest in your people
Investing time and money to educate your people about current cyber threats will give them the tools needed to mitigate these risks effectively. Tools such as phishing simulations and ransomware simulations are great resources you can use to get a snapshot of your exposure and determine what to do to increase security awareness in your organization.
2. Educate your team
Educating your users about social engineering attacks will help them spot the signs if they become the target of a cybercriminal. Giving users real-world examples of social engineering scams (like the Twitter hack!) also goes a long way toward helping to detect attempts in real-time.
3. Read The Human Fix to Human Risk
Taking the time to read The Human Fix to Human Risk will provide you with step-by-step guidance on developing an effective security awareness program. The program teaches about proactive awareness to give users the knowledge necessary to detect threats independently.
There are several things you must communicate to your users about what they can do to defend against social engineering attempts:
1. Never respond with sensitive information
Any message that requests you to provide personal information like login credentials is a scam. Many organizations, like banks, will explicitly state that they never ask for sensitive information via email. Whenever you see an email that's requesting your password, you can safely write it off as a scam.
2. Be wary of download links and attachments
Always be skeptical of emails with download links and attachments from addresses that you don't know. Download links and attachments are two of the most common entry points for malicious software, so avoid downloading anything unless you're certain it's from a legitimate sender.
3. Verify who you are talking to
The reality of online communication and the prevalence of email hacking means you can't always be sure whether the sender is legitimate. If you receive an email from a colleague requesting information that could leave your systems vulnerable, speak to them in person or call them to double-check whether they sent the email in question.
Recap: Protect Your Systems and Your Employees
The Twitter hack showed that even the most security-conscious companies can fall victim to a data breach. The next generation of cyber security threats isn't limited to malware exploits but relies increasingly on manipulating internal employees to gain access to information. Addressing the threat isn't as simple as installing antivirus software; it requires consistent cyber security awareness training.
Implementing the best practices outlined above will enable you to work productively and safely without having your information hijacked by an unscrupulous actor. Equipping employees with the knowledge they need to detect social engineering attempts will substantially increase your chances of keeping your data safe.
Find Out Which Employees are Prone to Phishing Attacks
For actionable insight into how your organization’s phishing click rate stacks up against your peers, sign up for free for the 2020 edition of the Gone Phishing Tournament™!