Twitter Cypto Hack (Ongoing right now)

[straight_stewie]

9 hours ago, ESPImperium said:

Unsure what to think, its probably a highly sophisticated hack. 

I'm a little late to the party, but I've been reading about this all day.

 

I know it's the verge, but the article contains a pretty neat rundown of all of the "facts", which I'd taken the time to fact check from other sources. You should do the same, don't ever trust one outlet, and don't ever trust one guy on a forum.

https://www.theverge.com/2020/7/15/21326656/twitter-hack-explanation-bitcoin-accounts-employee-tools

It seems that this was a targeted and sophisticated social engineering attack which involved gaining access to Twitter internal administration tooling. As of the time of this writing I have found no credible reports as to the identity of the actual perpetrators, or their goals.

Opinion:

I don't think that this was a legitimate Nigerian prince scam. Nigerian prince scams need widespread nets that try to catch weakminded and easily fooled people. For these reasons, they also rely on making it very easy to send them money or give them access to accounts. Sending bitcoin might seem trivial to most on this forum, but to a person who is going to fall for a money-doubling scam, well, not to be a dick, but sometimes realism hurts.

I feel like there may be a point to this attack. Those points could range anywhere from US politics to "hey, the average person needs to stop putting their head in the sand and start acting responsible for their own online safety", to "that was fun".

I would not count out the idea that this attack was meant to gain support for the side of the argument that says that tech companies should not be 'arbiters of truth' (as Mark Zuckerberg eloquently put it). I wouldn't even count out the notion that the attack was carried out by a group with support from people in power in the US government, or even some part of the US government itself.

On the other hand, it could be an espionage attack. Twitter says that the attackers "may have had access to personal messages". For that matter, it could be a pr0n grab, if they had access to personal messages throughout the whole network, they might find things popular people wish they hadn't. Who knows how bad some people are at OpSec?

 

This is one to keep your ears to the ground on, it could develop into something very interesting.

[X-System]

9 hours ago, realpetertdm said:

PSA: you should enable two-factor authentication if you haven't

 

My account on  another forum website just got hacked, I'm completely locked out of it. If I had 2FA on then my account wouldn't have been hacked even if the attacker had my password and everything.

 

2FA can literally be a lifesaver and it can prevent a lot of incidents like this from happening

 

Twitter has a 2FA option, so please use it

Even, 2FA can to be hacked by a malware...

 

I remember this news : https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

[wanderingfool2]

 

18 hours ago, gloop said:

I don't mean to be rude, but how dumb do you have to be to fall for something like this?

 

Well, out of the millions who likely saw the tweets very few people fell for it.  With that said, the Mr. Beast post I could see people falling for.  After all, that is something I could see him doing (not worded as such, but the concept of that).  So Mr. Beast's post is one that I could see people falling for.

 

9 hours ago, straight_stewie said:

Sending bitcoin might seem trivial to most on this forum, but to a person who is going to fall for a money-doubling scam, well, not to be a dick, but sometimes realism hurts.

That was exactly my thought.  People who knew how to send bit-coins would likely also be the people who know better.

 

9 hours ago, straight_stewie said:

On the other hand, it could be an espionage attack. Twitter says that the attackers "may have had access to personal messages". For that matter, it could be a pr0n grab, if they had access to personal messages throughout the whole network, they might find things popular people wish they hadn't. Who knows how bad some people are at OpSec?

My feelings are mixed about what this attack was.  This attack really seemed too simple to just be a bitcoin scam, it might just have been the smokescreen to get access to an account.  With that said, I wonder if it could have been poorly executed because after they realized what they could do they also realized their window to utilize it was closing. 

 

I am also wondering whether this sort of thing has been caused by some of the work from home initiatives.  In general allowing employees to work from home, in my opinion is just asking for breaches to happen, since the company no longer has full control of the laptop/home network.  I really hope that Twitter releases a full report on what happened, and what actions they are taking to prevent this, as this is a huge issue.  With that said, I am still wondering if someone found a hole in the admin's reset ability (that involved 2FA).  Who knows though, all speculation at this point.

 

Imagine if they had taken control of Trump's account and announced they were at war with China *This is not intended as any political aspect*.  Or announcing war, and the POTUS account announce an attack on an American city.

[jagdtigger]

Welp, if someone is dumb enough to fall for this (not to mention the use of bitcoin).......

[redf5]

19 hours ago, eNV25 said:

Lotta money

 

19 hours ago, BobVonBob said:

As of right now it appears about 100,000 USD worth of bitcoin has been sent to that account. Ouch.

 

 

But also this.

 

 

19 hours ago, Pascal... said:

Holy Sh*t, apparentally that bad guy made a ton of cash in a few short minutes:

 

 

A lot of it could be the hacker sending BTC to himself, to make the whole thing seem more credible. Maybe even sending the 'doubled' BTC back to some of the accounts.

[straight_stewie]

56 minutes ago, wanderingfool2 said:

With that said, I wonder if it could have been poorly executed because after they realized what they could do they also realized their window to utilize it was closing. 

I suspect that the bitcoin scam was a distraction. Something the attackers did only after they accomplished whatever their real goals were.

Piecing together Twitters piecemeal admissions, the tool they believe was compromised to run this attack would have given the attackers access to all of any users data. Given that, it just doesn't make any sense that someone would take this much risk just to run a money doubling scam. There is definitely something else going on here.

 

Who knows what the real goal was though. It could be anything from some guy having fun, to pointing out security flaws, to a political hit, to someone trying to cover up some bitcoin transaction(s). Right this minute there is just no telling what the real intent of the attack was.

 

The only new news I could find at the time of this reply is that some congress people are starting to ask why Twitter hasn't implemented end-to-end encryption for direct messages. Apparently Jack Dorsey told a select committee in 2018 that he would do so.

While that isn't indicative of the goal of the attackers, it does tell us that congress people have made some, OpSec mistakes, let's call them. It also tells us that some congress people are hypocrites, but we already knew that. (yelling at Twitter for not implementing end-to-end encryption, while simultaneously supported the EARNit and Lawful Access to Encrypted Data acts is just, well, a little transparent)

[RejZoR]

People who think strangers online will just double their money in any currency sent to them deserved to be robbed. You people are AAA idiots.

[Kisai]

1 hour ago, RejZoR said:

People who think strangers online will just double their money in any currency sent to them deserved to be robbed. You people are AAA idiots.

Adults were once children, and some still are.

 

There's multiple stories about confidence scams like this. Like people selling jewelry on the street are 100% scamming you. People selling high-brand goods on the street? It's counterfeit. Sometimes people are stupid, but sometimes people only care about the brand name (lots of asian women run around carrying counterfeit LVMH goods because their friends all do.)

 

Like pretty much everything involved with bitcoin/crypto-currency is a scam. People who who invest in it, are being scammed, people who buy ASIC's and GPU's to mine it, are being scammed (do you really think your hardware and energy costs are worth the investment?) and of course there has to be someone willing to trade it for real money, because people won't accept bitcoin directly because of it's volatile value, and until you can pay taxes in bitcoin, bitcoin has no real value.

[BuckGup]

22 hours ago, Levent said:

Since we dont have BTC-E anymore I wonder how they are going to launder that money?

There are tons of cleaning services out there 

[Touch My Hamm]

Whats sad is that the scam most likely made alot of money from people looking up how to send bitcoin.....

[Levent]

2 hours ago, BuckGup said:

There are tons of cleaning services out there 

Issue is not that, its just any and all transactions from that wallet can be monitored and its end point can be found. Of course this assumes owner of that wallet is dumb enough to use proper brokers/traders to cash in (which is what BTCE did with Mt.Gox' stolen coins and got busted for it) either way those coins are pretty much useless unless dealt with very very carefully.

[ouroesa]

16 hours ago, straight_stewie said:

I'm a little late to the party, but I've been reading about this all day.

 

I know it's the verge, but the article contains a pretty neat rundown of all of the "facts", which I'd taken the time to fact check from other sources. You should do the same, don't ever trust one outlet, and don't ever trust one guy on a forum.

https://www.theverge.com/2020/7/15/21326656/twitter-hack-explanation-bitcoin-accounts-employee-tools

It seems that this was a targeted and sophisticated social engineering attack which involved gaining access to Twitter internal administration tooling. As of the time of this writing I have found no credible reports as to the identity of the actual perpetrators, or their goals.

Opinion:

I don't think that this was a legitimate Nigerian prince scam. Nigerian prince scams need widespread nets that try to catch weakminded and easily fooled people. For these reasons, they also rely on making it very easy to send them money or give them access to accounts. Sending bitcoin might seem trivial to most on this forum, but to a person who is going to fall for a money-doubling scam, well, not to be a dick, but sometimes realism hurts.

I feel like there may be a point to this attack. Those points could range anywhere from US politics to "hey, the average person needs to stop putting their head in the sand and start acting responsible for their own online safety", to "that was fun".

I would not count out the idea that this attack was meant to gain support for the side of the argument that says that tech companies should not be 'arbiters of truth' (as Mark Zuckerberg eloquently put it). I wouldn't even count out the notion that the attack was carried out by a group with support from people in power in the US government, or even some part of the US government itself.

On the other hand, it could be an espionage attack. Twitter says that the attackers "may have had access to personal messages". For that matter, it could be a pr0n grab, if they had access to personal messages throughout the whole network, they might find things popular people wish they hadn't. Who knows how bad some people are at OpSec?

 

This is one to keep your ears to the ground on, it could develop into something very interesting.

Or, this may sound crazy, they just wanted to steal some sweet moola.

[straight_stewie]

2 hours ago, ouroesa said:

Or, this may sound crazy, they just wanted to steal some sweet moola.

No they didn't. Running a money doubling scam in this way is extremely ineffective.

It's also a very high risk operation to take over high profile Twitter accounts.

It was also likely difficult for them to extricate the tooling used to run the operation.

The risk/reward and reward/effort just doesn't add up for that to be all there is to it. It makes no sense that this was just a money doubling scam.

[BobVonBob]

41 minutes ago, straight_stewie said:

No they didn't. Running a money doubling scam in this way is extremely ineffective.

It's also a very high risk operation to take over high profile Twitter accounts.

It was also likely difficult for them to extricate the tooling used to run the operation.

The risk/reward and reward/effort just doesn't add up for that to be all there is to it. It makes no sense that this was just a money doubling scam.

Some people don't have any loftier ambitions than making money. I'm not saying nothing else happened, but until something else actually comes out of it anything more is wild speculation.

 

My biggest concern is why did Twitter have admin tools that could post anything on behalf of anyone on the platform in the first place? Perhaps those tools had direct database access? Dangerous things to have lying around, even among trusted employees like site admins. If you have a backdoor for anyone you have a backdoor for everyone.

[straight_stewie]

39 minutes ago, BobVonBob said:

why did Twitter have admin tools that could post anything on behalf of anyone on the platform in the first place? Perhaps those tools had direct database access?

The tool was more like an account recovery and account reset tool, or that's what Twitter is saying anyway.

As in: "I've forgotten my password, can you reset it and email me a link to get back in"?

If the tool also includes functionality to change someones email address then, well, there you go: change the recovery address to an email address under your control, then point and shoot.

Basically every site with a login has this functionality somewhere. I can't knock them for offering account recovery options. I can, however, knock them for whatever they did or didn't do that allowed the tool to fall into the hands of malicious actors.

[Kisai]

37 minutes ago, straight_stewie said:

The tool was more like an account recovery and account reset tool, or that's what Twitter is saying anyway.

As in: "I've forgotten my password, can you reset it and email me a link to get back in"?

If the tool also includes functionality to change someones email address then, well, there you go: change the recovery address to an email address under your control, then point and shoot.

Basically every site with a login has this functionality somewhere. I can't knock them for offering account recovery options. I can, however, knock them for whatever they did or didn't do that allowed the tool to fall into the hands of malicious actors.

At (auction site) this was known as "piggybacking", basically ANY employee can login "as" any other (auction site) user. It's a legitimate way to verify a problem a user has without having them hand over their credentials every time.

 

The catch is, that there's not very much (or any?) tracking who does it. If you're a legitimate employee, you're probably supposed to write the log yourself (which is what (auction site) did) and the only stuff that comes back and spanks you as an employee is when you do something that has immediate financial repercussions to the user, like suspending them.

 

Like that's quite literately why I said "a) an inside job" back when it was still going, because that seemed far more likely given how I've seen this happen at (wireless co) and (auction co.) Where staff get nosy and look up celebrities or presidents accounts.

 

The fastest way to get fired in the United States is to look up a sitting president's account.

[BobVonBob]

3 hours ago, straight_stewie said:

The tool was more like an account recovery and account reset tool, or that's what Twitter is saying anyway.

As in: "I've forgotten my password, can you reset it and email me a link to get back in"?

If the tool also includes functionality to change someones email address then, well, there you go: change the recovery address to an email address under your control, then point and shoot.

Basically every site with a login has this functionality somewhere. I can't knock them for offering account recovery options. I can, however, knock them for whatever they did or didn't do that allowed the tool to fall into the hands of malicious actors.

I didn't even think about that. I'm honestly surprised things like this haven't happened more often to prominent accounts just from disgruntled employees.

[wanderingfool2]

6 hours ago, straight_stewie said:

No they didn't. Running a money doubling scam in this way is extremely ineffective.

It's also a very high risk operation to take over high profile Twitter accounts.

It was also likely difficult for them to extricate the tooling used to run the operation.

The risk/reward and reward/effort just doesn't add up for that to be all there is to it. It makes no sense that this was just a money doubling scam.

Well, if it was a more novice hacker who just started and discovered a vulnerability (it might actually be feasable that they didn't think things through and thought it would be a good idea to try the bitcoin scam)...I know it's less likely, but still a possibility.  It is likely a smoke-screen though.

 

If money was the goal, they could have done stock market manipulation and gotten away with it a lot easier (and depending how thought out it would have been, made millions)

[Trik'Stari]

My reaction to watching twitter burn:

[Shreyas1]

On 7/16/2020 at 9:35 AM, wanderingfool2 said:

Imagine if they had taken control of Trump's account and announced they were at war with China *This is not intended as any political aspect*.  Or announcing war, and the POTUS account announce an attack on an American city.

That's extremely scary. Especially considering this was probably done by some neck beard guy in a basement, but imagine what a group with actual malicious intent or a forign nation could do. Twitter knows who they have on their platform, they should be VERY tight on security. Or if that's not possible, people who use twitter and have such an influence should probably consider switching to another form of distributing info.

[wall03]

On 7/15/2020 at 5:30 PM, valdyrgramr said:

Apple can dodge a tax yet they can't dodge a hack.

https://twitter.com/Wendys/status/1283517028524064774?cxt=HHwWjIC8xfz7-88jAAAA