On Wednesday, Twitter suffered a major hacking fiasco in which the accounts of several prominent people and companies were exploited to promote a cryptocurrency scam. Impersonating the accounts of such figures as Bill Gates, Elon Musk, Jeff Bezos, Joe Biden, and Barack Obama and such companies as Apple, Bitcoin, and CoinDesk, the goal was to steal bitcoins from unsuspecting users by promising them double the amount they sent to the bitcoin address listed in the malicious tweet.
SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic)
Most of the hacked accounts have since been restored to the rightful owners, the scam posts have been removed, and the website that was linked in the tweets has been taken down. But the bitcoin address listed in most of the tweets scored more than $100,000 from people who fell for the scam.
The episode calls into question the security of social networks, especially ones such as Twitter, which many people now rely on as a source of news and information from politicians and other public figures. In this case, the hackers were reportedly able to launch the attack by compromising the accounts of one or more Twitter employees, which points to a lack of internal security and training.
But the incident also shines a light on the way cybercriminals abuse the trust many people have in social media as well as their willingness to respond to any kind of get-rich-quick scam they find, especially if it’s from a supposedly trusted source.
“People are still a main focus for threat actors, even in scenarios where a system is possibly compromised,” Loïc Guézo, senior director of cybersecurity strategy, EMEA at Proofpoint, said. “The social engineering featured in this scam demonstrates that the attackers targeted Twitter employees with access to internal tools and preyed on the trust associated with verified accounts and the attraction of doubling your money. To make the scam seem more authentic, they even set a time limit and an easy payment option to drive a swift response. Threat actors understand human nature and are unrelentingly focused on taking advantage of our society’s trust in digital channels.”
The onus is on companies like Twitter to tighten their security and better educate their employees. But social media users also need to learn how to exercise better control and judgement before so readily accepting any tempting offer they see online.
In the meantime, though, if this type of attack was able to breach verified accounts, what can regular Twitter users do to protect their own accounts from being hacked? Let’s look at the security controls offered by Twitter.
Review your Twitter settings
You can review and tighten your security either through the Twitter website or through the mobile app. On the website, click More and then select Settings and privacy. In the app, tap your profile picture and then tap Settings and privacy. The next steps are the same for the site and the app.
Select Account and then Password. If you’re using a simple or weak password, here’s the place to change it. Type your current password. Enter and then re-enter a new password, striving to make it stronger but still memorable and manageable.
Next, select Security. This setting offers two options: Two-factor authentication (2FA) and password reset protection. To enable two-factor authentication, select it. Choose your preferred method—text message, authentication app, or physical security key. A text or authentication app will work with both the Twitter website and the Twitter app. A security key will work only with the website on a PC.
You can also set a backup code to use to sign into Twitter if your two-factor authentication method is not available. Further, you can create a one-time password to use as a temporary method with a third-party website or app that needs access to Twitter.
Two-factor authentication is still a recommended security method. But 2FA alone may not have helped in this specific attack, according to Roger Grimes, data-driven defense evangelist for KnowBe4.
“You will hear many tout multifactor authentication as the way to prevent the type of social engineering attack that Twitter suffered yesterday,” said Grimes. “MFA will not work to stop these types of attacks. Although I could be wrong, more than likely Twitter’s compromised employees were already using MFA, proving that it isn’t a perfect protection. Second, although many experts are also saying the compromised VIPs should have been using MFA, many likely already were, and it would not have mattered in this case since the internal Twitter system was accessed.”
You should combine 2FA with the other available security methods offered by sites like Twitter. To continue, go to the Privacy and safety screen under Settings and privacy. Depending on how much time and effort you’re able to spend managing your Twitter account, there are several steps you can take here.
You can opt to protect your tweets so only people who follow you can see them. In this case, though, you’d have to approve every new follower, which can be time-consuming. You can also turn off photo tagging so other people can’t identify you by your photo in a tweet.
Next, you can turn off the ability of anyone to send you a direct message and control read receipts for such messages. If you don’t watch live video via Twitter’s Periscope feature, you can turn off the switch for Connect to Periscope.
Select the option for Discoverability and contacts and turn off the ability to let others find you by email or by phone. In the Safety section, you can view and manage any accounts that have been muted or blocked. In the Location section, turn off Precise location to prevent Twitter from tracking your location. Finally, the section for Personalization and data allows you to control personalized ads and other content for which Twitter collects information about you.
Further, high-profile Twitter accounts may need to find a better form of protection than just being verified. That’s especially true for business-oriented accounts that wield a great deal of influence.
“Social media accounts are a critical communication channel for many prominent business leaders,” Jim Zuffoletti, CEO and co-founder of SafeGuard Cyber, said. “The distinction between ‘personal’ and ‘business’ is antiquated and frankly false, given the consequences to stock price, valuations, etc. As such, executive social accounts should be secured as any channel of business operations.”
Whether or not these security changes would have prevented the breach carried out on Wednesday, the goal is to protect and secure yourself as best as possible with the available tools. Now, it’s up to Twitter to firm up its own security to stop another such attack from occurring.
“At this point, a thorough, detailed investigation, made public in the form of a report, would be essential for regaining user trust,” Kaspersky’s director of GReAT, Costin Raiu, said. “An explanation of the breach, step by step, what tricks the attackers used and the vulnerabilities (if any) they exploited, are needed. Last but not least, what steps have been taken in order to secure the platform against future abuses would be essential to regain user confidence. I believe that Twitter will work hard to close any security gaps that might have been used, making similar attacks really hard, if not impossible, to execute in the future.”