Three people were charged for their alleged roles in what the Department of Justice has called an attack on “one of the world’s most prolific social media platforms.” Twitter confirmed that the attackers manipulated its employees through phone spear-phishing, a form of social engineering, and then used that access to target the platform’s internal systems and users, taking control of many highly visible, verified accounts.
The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.
— Twitter Support (@TwitterSupport) July 31, 2020
According to Twitter, the attackers used phone spear-phishing, a personalized attack in which the caller poses as someone the target knows or has reason to trust, to obtain access to networks and specific information. They were then able to learn more about Twitter’s processes and internal systems, use employee login credentials to reach account support tools, target 130 different Twitter accounts and tweet from 45 of those accounts. Modern social engineering techniques like phone spear-phishing are often the easiest way to breach a perimeter and gain access to your most crucial assets.
Social Engineering and Phishing
Humans can be the strongest line of defense within any organization, but they can also be the weakest link. “It doesn’t take much to make a phishing email or phone call seem realistic,” said Petar Besalev, SVP of Cybersecurity and Privacy Services at A-LIGN, after learning of the security incident. “Social engineering doesn’t necessarily mean an attacker will force their way in – they’ll create a way in.”
Attackers will often appeal to stereotypes when carrying out a social engineering attack. “A male threat actor may say they are a technology expert trying to fix your connection, whereas a female threat actor may portray themselves as non-tech-savvy and ask for help,” Petar said. Once someone clicks a malicious link and provides their credentials, a hacker has what they need to carry out an attack. “If you feel like you shouldn’t be receiving this request, you need to verify if it’s coming from a legitimate source,” Petar said, warning that social engineering attacks are becoming more sophisticated.
He has four recommendations for organizations in the wake of Twitter’s social engineering attack:
- Maintain a strong security awareness program and require employees to complete cybersecurity awareness training to mitigate attacks like phishing.
- Test whether your employees are able to identify and respond to potential social engineering or phishing attacks by simulating the scenarios through penetration testing.
- Limit employee access to confidential and sensitive information and keep important data on a need-to-know basis tied to each employee’s responsibilities.
- Have a plan in place to escalate and quickly address social engineering attacks reported by employees, so that your organization’s information remains uncompromised.
Secure Your Organization
Social engineering attacks are traditionally conducted through emails or phone calls, sent by attackers posing as a legitimate source. Their goal is a simple but malicious one – to trick individuals into sharing sensitive information. Our penetration testers can emulate these techniques by testing your employees’ ability to identify and report malicious communication through tailored scenarios, enabling you to demonstrate trust to your stakeholders and confidently mitigate cybersecurity risks.
Interested in a proactive approach to test and protect your organization from social engineering? Contact our experts today by emailing [email protected] or calling 888-702-5446.