A scam post made from tech icon Bill Gates’ Twitter account, which was one of many breached accounts used to tweet similar messages. We’ve blacked out the bitcoin address.
ZDNet/Natalie Gagliordi

Twitter has confirmed that the breach of several high-profile accounts that occurred on July 15 was caused by a phone spear phishing attack that targeted a small number of employees.


In an update posted on Thursday, Twitter said that the attackers were able to gain access to the company’s internal network as well as to employee credentials, which they used to sign into certain internal support and account management tools. Not all of the employees initially targeted had permission to use the account tools, Twitter added. But the attackers managed to use those credentials to access specific internal systems and thus obtain information about Twitter’s account processes. From there, the attackers were able to target other employees who had access to the account tools.

Using the credentials of the affected employees, the attackers managed to compromise 130 different Twitter accounts, including those of Bill Gates, Jeff Bezos, Elon Musk, Joe Biden, and Barack Obama, according to Twitter.

The attackers tweeted from 45 of these accounts, accessed the direct message inboxes of 36 accounts, and downloaded Twitter data from seven breached accounts. However, Twitter didn’t specify the names of all the accounts that were affected.

Spear phishing refers to a type of phishing attack in which criminals email specific individuals with the goal of gaining their account credentials or other sensitive information. Twitter didn’t explain what it meant by a “phone spear phishing attack.” This could mean that the attackers actually called certain employees by phone rather than using email to find out their credentials, or it could mean targeted employees received a message by phone or email convincing them to call a certain person masquerading as a legitimate Twitter administrator.

When asked for further details by TechRepublic, a Twitter spokesperson said the company had nothing to share outside of the blog post. But two security experts offered their thoughts on phone spear phishing.

“A phone phishing attack would be similar [to email spear phishing], but instead the targets are telephoned and the criminal would attempt to elicit information, in this case, probably their account credentials,” Mike McLellan, senior security researcher for Secureworks, told TechRepublic. “They might, for example, pretend to be from IT support or some other role with perceived authority, to persuade the user that it’s OK to divulge information to them. Phishing attempts by phone are less common, because they are far more resource intensive than email, and this is perhaps indicative of the fact that Twitter was very specifically targeted in this case.”

As with many types of cyber crimes, spear phishing, whether by email or phone, begins with research on the part of the attacker.

“Phone spear phishing starts with research by cybercriminals utilizing Open Source Intelligence techniques to learn about people and roles in the organization, all from online information,” said James McQuiggan, security awareness advocate with KnowBe4. “They target midlevel managers or other employees who feel no one knows. Over time, a rapport is established until the cybercriminal feels comfortable taking advantage of the target.”

Whatever specific spear phishing method was used in the breach, the attackers clearly relied on a combination of technical skills and social engineering know-how to convince employees to share their account credentials. Of course, that’s the M.O. for many phishing attacks and other types of malicious campaigns.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter acknowledged. “This was a striking reminder of how important each person on our team is in protecting our service.”

Beyond training employees through phishing simulations and similar methods, correcting human behavior is always challenging. That’s why socially engineered attacks are so often successful.

“This incident demonstrates that social engineering is still a common method for attackers to gain access to internal systems,” Ray Kelly, principal security engineer at WhiteHat Security, told TechRepublic. “The human is oftentimes the weakest link in any security chain. Proper employee training and employing services that test human susceptibility to social engineering attacks such as email spear phishing, phone calls, and in-person attacks can be invaluable to help prevent the employee from being the security gap in any organization.”

Still, the attack raises the question of why Twitter didn’t have tighter security in place to better protect its account and management tools.

“Within any organization, it’s essential to have a layered security structure to access the crown jewels or sensitive systems that are critical to the organization,” McQuiggan said. “Restricted accounts, multifactor authentication (MFA), limiting system access, and periodic reviews can significantly reduce the risk of unauthorized access and exposure.”

In its update, Twitter explained that it uses its account tools to help with different support issues, to review content, and to respond to reports. The company said that access to these tools is strictly limited and given only for business reasons. Though these tools and the associated processes are always being updated, Twitter said it’s looking into how to make them more sophisticated.

“We’re always investing in increased security protocols, techniques and mechanisms—it’s how we work to stay ahead of threats as they evolve,” Twitter said. “Going forward, we’re accelerating several of our preexisting security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing companywide phishing exercises throughout the year.”

Because it compromised so many high-profile accounts, the incident was particularly alarming: a great many people now rely on Twitter for news and information. A tweet allegedly from a president or other politician or a prominent CEO can have a profound and immediate effect, potentially impacting stock markets, elections, and other elements critical to society.

What does Twitter need to do to prevent another such incident in the future?

“It may come down to a system where access to the critical systems will require the MFA of two different people,” McQuiggan said. “In banks, a vault requires two people to open it, as each person has two of the four numbers needed to open it. They cannot share their numbers and must protect them. A similar concept could be the need to have two people authenticate to perform the most sensitive or critical actions within an organization.”
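The two-person rule McQuiggan describes, together with the layered controls he listed earlier (restricted accounts, MFA, limited system access, and reviewable records), can be expressed as a small authorization gate in front of an internal account tool. The following Python module is an added example written for this article; it is not Twitter’s code, and the action names, the allow list, and the ten-minute approval window are assumptions chosen for illustration. The point it demonstrates is that a single stolen credential, which is all the phishing described above yielded per employee, is not enough to change an account: a second, distinct, MFA-verified person must approve within the window, and every step is audit-logged.

```python
"""Two-person (dual-control) authorization gate for sensitive account-tool actions.

Added illustration, not Twitter's code. Action names, the allow list and the
approval window are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import secrets

APPROVAL_WINDOW = timedelta(minutes=10)  # assumption: a request expires if not approved in time

# Actions that one person with one credential must never be able to run alone.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}


@dataclass
class Session:
    """An authenticated internal-tool session (constructed for the example)."""
    user: str
    mfa_verified: bool


@dataclass
class PendingAction:
    action_id: str
    action: str
    target_account: str
    requested_by: str
    requested_at: datetime


class ManualClock:
    """Injectable clock so approval expiry can be exercised deterministically."""
    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime.now(timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)


class TwoPersonGate:
    def __init__(self, authorized_users, clock: Optional[Callable[[], datetime]] = None):
        self._authorized = frozenset(authorized_users)   # restricted accounts
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._pending: Dict[str, PendingAction] = {}
        self.audit: List[dict] = []                      # record for periodic review

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"at": self._clock().isoformat(), "event": event, **fields})

    def _require_operator(self, session: Session) -> None:
        # Layered checks applied to every caller: explicit allow list AND MFA.
        if session.user not in self._authorized:
            self._log("denied", user=session.user, reason="not_authorized")
            raise PermissionError(f"{session.user} is not authorized for account tools")
        if not session.mfa_verified:
            self._log("denied", user=session.user, reason="mfa_missing")
            raise PermissionError(f"{session.user} has not completed MFA")

    def pending(self) -> List[str]:
        return list(self._pending)

    def request(self, session: Session, action: str, target_account: str) -> str:
        """First person proposes the action; nothing on the account changes yet."""
        self._require_operator(session)
        if action not in SENSITIVE_ACTIONS:
            raise ValueError(f"unknown sensitive action: {action}")
        action_id = secrets.token_hex(8)
        self._pending[action_id] = PendingAction(
            action_id, action, target_account, session.user, self._clock())
        self._log("requested", action_id=action_id, action=action,
                  target=target_account, user=session.user)
        return action_id

    def approve(self, session: Session, action_id: str) -> dict:
        """A second, distinct person approves; only then would the action execute."""
        self._require_operator(session)
        pending = self._pending.get(action_id)
        if pending is None:
            raise KeyError(f"no pending action {action_id}")
        if session.user == pending.requested_by:
            self._log("denied", action_id=action_id, user=session.user, reason="self_approval")
            raise PermissionError("requester cannot approve their own action")
        if self._clock() - pending.requested_at > APPROVAL_WINDOW:
            del self._pending[action_id]
            self._log("expired", action_id=action_id)
            raise TimeoutError(f"approval window for {action_id} has expired")
        del self._pending[action_id]
        result = {"action": pending.action, "target": pending.target_account,
                  "requested_by": pending.requested_by, "approved_by": session.user}
        self._log("executed", action_id=action_id, **result)
        return result  # a real tool would perform the account change here


if __name__ == "__main__":
    gate = TwoPersonGate(["alice", "bob"])
    aid = gate.request(Session("alice", True), "reset_password", "@example_account")
    print(gate.approve(Session("bob", True), aid))
```

The gate deliberately refuses three things in addition to the two-person split: a caller who is not on the allow list, a caller whose session never completed MFA, and a requester approving their own request. Expired requests are removed rather than left waiting, so a stale approval cannot be replayed later.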

This story has been updated with additional comments.