
Tampa teen accused as "mastermind" of Twitter Attack

9 hours ago, dogboy66 said:

Investigation found that he reaped more than $100,000 in Bitcoin in a day.

I can't tell if they have actual evidence or not. This is just circumstantial, if still appearing damning.

ENCRYPTION IS NOT A CRIME


6 hours ago, Trik'Stari said:

Should the baseless removal of verification not be considered identity theft?

Social media accounts aren't really an "identity", though.

 

3 hours ago, SpudMuffin said:

Either way, it's not "hey come work for us" worthy nor is it "script kiddie" worthy. Once the kid is out of jail he'd probably get a job working at a research firm or something.

I'm not sure I'd go even this far. Unless you're using actual compromised legitimate accounts (common these days with sophisticated criminals and nation-state groups), spear phishing/whaling themselves require zero technical knowledge.

 

They're dependent on cultivating an understanding of the target and usually lean heavily on OSINT and social media reconnaissance skills, but don't really require anything else. You only need to look at the huge rewards reaped by BEC/payment redirection fraudsters (sometimes tens of millions of pounds per transaction) to see just how effective the approach can be, though you'd expect a higher degree of operational security amongst Twitter staffers than most business HR and payroll teams.

[ P R O J E C T _ M E L L I F E R A ]

[ 5900X @4.7GHz PBO2 | X570S Aorus Pro | 32GB GSkill Trident Z 3600MHz CL16 | EK-Quantum Reflection ]
[ ASUS RTX4080 TUF OC @3000MHz | O11D-XL | HardwareLabs GTS and GTX 360mm | XSPC D5 SATA ]

[ TechN / Phanteks G40 Blocks | Corsair AX750 | ROG Swift PG279Q | Q-Acoustics 2010i | Sabaj A4 ]

 

P R O J E C T | S A N D W A S P

6900K | RTX2080 | 32GB DDR4-3000 | Custom Loop 


10 hours ago, Kisai said:

That's just fictitious nonsense TV shows and films pull.

Except for when it isn't. Frank Abagnale served less than 5 years of his 12 year prison sentence, then went on to be one of the FBI's leading money laundering experts. To this day he still works as a consultant to the FBI and other federal agencies, plus he also does some teaching of new recruits.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Oh wow I can't wait to hear cr1tikal's reaction to this one


 

5 hours ago, HM-2 said:

Social media accounts aren't really an "identity", though.

 

 

That's not what these law enforcement agencies are saying. These teens "stole the identities of celebrities and used them to defraud thousands of people".

 

Which is true, that is what happened. But based on that legal precedent, a verified twitter account, is an identity, at least once the kids are convicted.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


12 hours ago, Master Disaster said:

Except for when it isn't. Frank Abagnale served less than 5 years of his 12 year prison sentence, then went on to be one of the FBI's leading money laundering experts. To this day he still works as a consultant to the FBI and other federal agencies, plus he also does some teaching of new recruits.

He wasn't a hacker, he was just a very charismatic social engineer, and also the reason why checks are printed with magnetic ink now. That's like saying this teen charmed his way into the Twitter HQ and impersonated a programmer, yet did no programming. That's basically how Frank worked. Quite frankly he's lucky he didn't crash a plane full of people.


56 minutes ago, Kisai said:

He wasn't a hacker, he was just a very charismatic social engineer, and also the reason why checks are printed with magnetic ink now. That's like saying this teen charmed his way into the Twitter HQ and impersonated a programmer, yet did no programming. That's basically how Frank worked. Quite frankly he's lucky he didn't crash a plane full of people.

It's nothing of the sort. What it's like saying is that real people actually have ended up being employed by government agencies after committing crimes, so it's not just fiction made up for TV & movies.



17 minutes ago, Master Disaster said:

It's nothing of the sort. What it's like saying is that real people actually have ended up being employed by government agencies after committing crimes, so it's not just fiction made up for TV & movies.

Frank did no hacking; what he did only would have worked in the time he was doing those crimes, owing to the lack of surveillance, computers, and quite honestly, people not paying attention. He did nothing anybody else couldn't do, he was just very good at social engineering and took advantage of people not asking questions. He was only caught because someone he scammed before recognized him.

 

A modern day hacker does not get rewarded. Social engineering is much more complex, and due to the sheer amount of asinine incompetence by companies willing to outsource their customer support to countries with incentive to steal that information (such as India), people can no longer trust text messages, email, phone calls, and postal mail. Just how do you trust a company, when you no longer know who you are dealing with?

 

Modern day hackers are usually just stupid kids who got ahold of hacking tools (the proverbial "script kiddie") and then use the tools in ways that the original authors either did not intend, or intentionally disavowed its use for that case (such as LOIC); similar tools include AutoIT/AutoHotKey and Wireshark. Most of their attention is on disrupting things they would have a temper tantrum with.


On 7/31/2020 at 8:36 PM, BlueScope819 said:

Tbh if I were the FBI I would just ask for the teen to return the money and then offer them a job at NSA.

Or not considering this was almost entirely a matter of poor security at twitter rather than this guy doing something clever.

20 hours ago, mr moose said:

I was trying to work out how a single person managed to pull off a thing so complex as this yet get caught so easily; it seemed rather suspicious to me whether they had the right person or not.

It was just social engineering, anyone can do it. It just takes one person who gets lucky. Clearly it wasn't the smartest of the bunch considering they could only think of a blatant bitcoin scam.

Quote

In its statement, Twitter also revealed that some of its employees were targeted using a spear-phishing attack through a phone, misleading "certain employees and exploit human vulnerabilities to gain access to our internal systems."

https://thehackernews.com/2020/07/twitter-hacker-arrested.html?m=1

 

Look at this larper lol


Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


29 minutes ago, Kisai said:

Frank did no hacking; what he did only would have worked in the time he was doing those crimes, owing to the lack of surveillance, computers, and quite honestly, people not paying attention. He did nothing anybody else couldn't do, he was just very good at social engineering and took advantage of people not asking questions. He was only caught because someone he scammed before recognized him.

 

A modern day hacker does not get rewarded. Social engineering is much more complex, and due to the sheer amount of asinine incompetence by companies willing to outsource their customer support to countries with incentive to steal that information (such as India), people can no longer trust text messages, email, phone calls, and postal mail. Just how do you trust a company, when you no longer know who you are dealing with?

 

Modern day hackers are usually just stupid kids who got ahold of hacking tools (the proverbial "script kiddie") and then use the tools in ways that the original authors either did not intend, or intentionally disavowed its use for that case (such as LOIC); similar tools include AutoIT/AutoHotKey and Wireshark. Most of their attention is on disrupting things they would have a temper tantrum with.

I realise he wasn't a hacker and I didn't say he was; to be fair, neither was the guy who did this either, since he also used social engineering.

 

That wasn't the point. You said people getting hired by the police after committing crimes was fiction used in TV & movies. I used him as an example to prove that is incorrect.



5 minutes ago, Master Disaster said:

I realise he wasn't a hacker and I didn't say he was; to be fair, neither was the guy who did this either, since he also used social engineering.

 

That wasn't the point. You said people getting hired by the police after committing crimes was fiction used in TV & movies. I used him as an example to prove that is incorrect.

Yet that misses the point. What films and TV do is show "you can be rewarded for being a criminal hacker if you get caught"; the reality is "that really never happens". There are so few people that the FBI would want, because hackers* that get caught tend to be sociopaths in the first place. Their delusions of grandeur tend to burn them. You don't want the hacker anywhere near government secrets.

 

*by which I mean what should be better known as blackhats.


16 hours ago, Kisai said:

the reality is "that really never happens"

It's actually a lot more common than you think. Here in the UK there are entire companies, like BlueScreen IT, which basically offer rehabilitation courses for people arrested/charged/convicted of crimes under the Computer Misuse Act; many of those referred through these services end up working for private sector information security consultancies, law enforcement or even the intelligence agencies. Then there's people like Marcus Hutchins and Kevin Mitnick who have consulted for both private sector companies and LE after cutting their teeth as black-hats. And who could forget Evil Corp, running ops for the Russian Federal Security Service alongside payment fraud and ransomware attacks in Europe and the US.



1 hour ago, HM-2 said:

Then there's people like... Kevin Mitnick

I've got 2 of his books on Audible, and they are very much worth the read/listen. Pretty much every stereotype we associate with "hackers" was pulled from him.

 

On Topic:

19 hours ago, Sauron said:

Look at this larper lol

Holy smokes, that kid looks like he knows the line-up photographer on a personal level, and is waiting for their reaction as they are handed a phone. On the line is a field unit, letting him know they found his missing dog... and it's not pretty. And this kid is staring through the camera, into the eyes of the photographer...

 

Regardless of people-hacking or computer-hacking, 9 bitcoins just doesn't sound like something worth risking jail-time over. I imagine the bitcoins had further value than monetary, though. What was he planning on spending the bitcoins on?

Spoiler

CPU: Intel i7 6850K

GPU: nVidia GTX 1080Ti (ZoTaC AMP! Extreme)

Motherboard: Gigabyte X99-UltraGaming

RAM: 16GB (2x 8GB) 3000Mhz EVGA SuperSC DDR4

Case: RaidMax Delta I

PSU: ThermalTake DPS-G 750W 80+ Gold

Monitor: Samsung 32" UJ590 UHD

Keyboard: Corsair K70

Mouse: Corsair Scimitar

Audio: Logitech Z200 (desktop); Roland RH-300 (headphones)

 


9BTC is about $100k. 



5 hours ago, HM-2 said:

It's actually a lot more common than you think. Here in the UK there are entire companies, like BlueScreen IT, which basically offer rehabilitation courses for people arrested/charged/convicted of crimes under the Computer Misuse Act; many of those referred through these services end up working for private sector information security consultancies, law enforcement or even the intelligence agencies.

I'm so sure law enforcement is eager to hire people who would vandalize an account on social media. That is not AAA+ hacking, that is like C- hacking. Again, the problem is that film and TV shows often depict these "reformed" hackers as being just barely under duress to work with law enforcement, and they go back to jail if they do anything they're not expressly permitted to. Script kiddies aren't hackers. Social engineering is not computer hacking. Phishing is not hacking. At best you could claim spear phishing requires some level of social cues that your average computer nerd doesn't have.

 

Quote

 

Then there's people like Marcus Hutchins and Kevin Mitnick who have consulted for both private sector companies and LE after cutting their teeth as black-hats. And who could forget Evil Corp, running ops for the Russian Federal Security Service alongside payment fraud and ransomware attacks in Europe and the US.

Again, Mitnick is the right age to take advantage of the sheer lack of security phone and computer networks had. That's about the only comparison Mitnick draws to Frank Abagnale, being in the right place and the right age for these things to work. In an era where computer security was rubbish, Kevin Mitnick took advantage of the idiots who would believe they are talking to their local IT person.

 

Getting passwords, especially to CPE is fairly easy, because as long as everyone believes you have a reason to be there, they will give it to you, or show you where it is. WiFi passwords in peoples homes, also typically give you access to their computers. It does not take a genius to do that, it takes having the right social cues to get people to just hand it over.

 

The solution in a lot of cases is not making more complicated passwords. When the passwords are on stickers on CPE, the solution is to start putting these things on removable plastic tabs like Dell servers and Cisco routers have, so that they're out of sight and can be removed once installed.

 

Going back to this twitter "hack", someone getting phished, or someone being the inside man, is the easiest way to start posting these bitcoin scams. If you go back to the thread when this was happening, I literally called it a few hours before that's what it got reported as. Which is basically the experience I had working at AT&T Wireless as an outsourced call center, where there is a much more robust verification system that you had to do, for everyone, but it doesn't matter who the actual caller is, as long as they can verify the information. More than a few times people called in to "change" things on their spouses' accounts, and set passwords. There was also someone who said they were involved in law enforcement doing things with accounts that didn't match the voice on the other side. They straight up volunteered that info, and it's like, OK. There's no policy on what to do when you think someone might not be the customer. Heck, when another AT&T Wireless employee called, all you had to do was verify their employee ID number... something that was just a list of names on a web page. So the most likely way to social engineer yourself into another company is to impersonate the last employee you spoke with. That is why customer service agents should not have real name policies. That is why internet forums should not have real name policies. That opens them up to all kinds of social engineering based on information that can be found on Facebook alone.

 

Like, social media ends up being really valuable, and the key to social engineering oneself into other systems. So said spear phishing was almost guaranteed to be someone who was on the inside, who knew or impersonated the employee who was "hacked" to someone else at the company to get access to those tools. I'm sure whoever was implicated likely has "works at Twitter" on their Facebook.


1 hour ago, Kisai said:

I'm so sure law enforcement is eager to hire people who would vandalize an account on social media.

I never suggested they were- my point was to agree with @Master Disaster's point that LE can and do recruit from convicted hackers. Nothing to do with this case specifically, simply rebutting the notion that it's a "Hollywood fantasy" that it doesn't happen. It's not exactly common, but it definitely happens on a fairly regular basis, particularly in the case of skilled VXers and reverse engineers.

 

1 hour ago, Kisai said:

Social Engineering is not computer hacking

If you'd read my previous posts, you'd know I agreed with this sentiment.

 

1 hour ago, Kisai said:

Again, Mitnick is the right age to take advantage of the sheer lack of security phone and computer networks had.

Much of what Kevin did is still entirely applicable today. A lot of it falls within the realms of "physical penetration testing", which is basically all about talking yourself into places you aren't supposed to be: through dumpster diving, well planned reconnaissance, confidence, guile, and generally having several good excuses for anything you're doing (plus a high-viz, lanyard and clipboard).

 

1 hour ago, Kisai said:

The solution in a lot of cases is not making more complicated passwords,

I don't recall anyone suggesting this as a solution. Password complexity always results in humans being a single point of failure, as passwords need to be stored somewhere, whether that's in someone's head, a password manager, or on a post-it note stuck to their keyboard. Forcing proper MFA for all accounts (none of this "get your passcode by SMS" bullshit; a properly generated soft-token via an authenticator application on a different device, or an actual physical hard token) is as close as you can get to a solution. But even that isn't infallible, as a local machine compromise effectively invalidates and bypasses MFA if an attacker can steal an active, authenticated session. Not easy, but very much within the bounds of practicality for people who are technically proficient.



9 hours ago, HM-2 said:

Much of what Kevin did is still entirely applicable today. A lot of it falls within the realms of "physical penetration testing"- which is basically all about talking yourself into places you aren't supposed to be- through dumpster diving, well planned reconnaissance, confidence, guile, and generally having several good excuses for anything you're doing (plus a high-viz, lanyard and clipboard)

 

Just to continue...

 

https://www.chicagotribune.com/nation-world/ct-nw-nyt-twitter-hack-teen-20200803-46qsw3ajnnh23aapjxzjyx62sm-story.html

 

Quote

In 2016, Clark set up a YouTube channel, according to social media monitoring firm SocialBlade. He built an audience of thousands of fans and became known for playing a violent version of Minecraft called Hardcore Factions, under user names like “Open” and “OpenHCF.”

But he became even better known for taking money from other Minecraft players. People can pay for upgrades with the game, like accessories for their characters.

One tactic used by Clark was appearing to sell desirable user names for Minecraft and then not actually providing the buyer with that user name. He also offered to sell capes for Minecraft characters, but sometimes vanished after other players sent him money.

Clark once offered to sell his own Minecraft user name, “Open,” said Nick Jerome, 21, a student at Christopher Newport University in Virginia. The two messaged over Skype and Jerome, who was then 17, said he sent about $100 for the user name because he thought it was cool. Then Clark blocked him.

“I was just kind of a dumb teenager, and looking back, there’s no way I should have ever done this,” Jerome said. “Why should I ever have trusted this dude?”

So this kid is purely a scammer. The stupid kind.

Quote

Xio, who became close friends with Clark, said the April run-in with the Secret Service shook Clark.

“He knew he was given a second chance,” Xio said. “And he wanted to work on being as legit as possible.”

But less than two weeks after the Secret Service seizure, prosecutors said Clark began working to get inside Twitter. According to a government affidavit, Clark convinced a “Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal.”

For help, Clark found accomplices on OGUsers, according to the charging documents. The accomplices offered to broker the sale of Twitter accounts that had cool user names, like @w, while Clark would enter Twitter’s systems and change ownership of the accounts, according to the filings and accounts from the accomplices.

Can't even go two weeks without crime'ing. Don't give this kid a security job, he will be working to undermine the company within days.


Found this:

 

Quote

"Cyber criminals will not find sanctuary behind their keyboards."

I couldn't help but be reminded of some typical FBI guy from the movies. Very stiff and with weird fetishes. Well, it got me smiling :D

 

The case had so much publicity, it might be hard to get a fair proceeding.

 

(Source:  https://www.engadget.com/teenager-arrested-twitter-bitcoin-hack-183302700.html?utm_campaign=homepage&utm_medium=internal&utm_source=dl)

