With files from Pragya Sehgal
The U.S. Department of Justice has charged three men in the Twitter hack and bitcoin scam of two weeks ago, with officials in Florida declaring 17-year-old Florida juvenile Graham Ivan Clark the “mastermind” of the hack.
With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. Under the Federal Juvenile Delinquency Act, the Justice Department has referred Clark to the State Attorney for the 13th Judicial District in Tampa, Florida.
The other two suspects are a 22-year-old Florida man, Nima Fazeli, and a 19-year-old British man, Mason Sheppard.
According to court documents seen by ZDNet, the FBI was able to track the identities of the accused through posts made on the Discord instant messaging service and a hackers forum called OGUsers before the hack. The trail led to email accounts, IP addresses, and even private messages.
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” U.S. Attorney David Anderson for the Northern District of California said in a statement. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”
The scam saw hacked accounts of former president Barack Obama, current Democratic leadership candidate Joe Biden and a raft of celebrities sending out tweets promising to double the money people sent to a bitcoin wallet.
It still isn’t clear exactly how the accounts were hacked. Twitter offered more detail on Thursday, stating that a “small number of employees” fell for a phone spear-phishing attack. “A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.
“This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM (direct messages) in the inbox of 36, and downloading the Twitter Data of seven.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
The brief description led U.K.-based cybersecurity reporter Graham Cluley to suspect that the call or calls to Twitter staff were made to appear to come from Twitter’s support team, perhaps leaving a voicemail asking them to call a number. If they did so, a phoney support team member might have convinced the staffer to divulge their username and password.
“Since the attack, we’ve significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation,” the Twitter statement added. “As a result, some features (namely, accessing the Your Twitter Data download feature) and processes have been impacted. We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform. We’re sorry for any delays this causes, but we believe it’s a necessary precaution as we make durable changes to our processes and tooling as a result of this incident. We will gradually resume our normal response times when we’re confident it’s safe to do so.”
Phone scams attempting to trick consumers into handing over their credentials are common. Automated voice mail scams pretending to be from the Canadian or U.S. tax departments, credit card companies and Windows support are just a few of them. ITWC contributing reporter Howard Solomon got one from someone claiming to be from the non-existent “Cybercrime Control Board of Canada”.
Some voicemail scams count on call displays showing spoofed numbers of real officials or companies.
The Twitter phone scam sounds like the many SIM card swap cons sprung on support staff at cellphone companies in attempts to take control of the smartphones of business executives. The attacker either phones, or appears in person with a fake ID, claiming to be the owner of a lost cellphone and wanting to transfer the SIM card to a new phone. The criminal may know enough personal information about the target (birth date, social insurance number, mother’s maiden name) to convince the staffer that the request is legitimate. If successful, the crook may be able to access the victim’s email from the new phone and, using that, perhaps gain access to the enterprise network.
The Canadian Anti-Fraud Centre details a number of phone scams. In one, a scammer calls a franchise business and claims to be from the head office. The employee who answers the phone is told there are problems with one of the financial products offered, such as gift cards or money transfer services. The employee then selects some prepaid cards, activates them, and provides them to the scammer. The scammer may also ask them to conduct a series of money transfers. Thorough awareness training and detailed policy procedures are needed to avoid staff being victimized by phone scams.