On its website, Twitter explains that the cause of this chaos was that attackers obtained access to administrative tools used by Twitter employees. This could have happened because someone tricked or bribed a company employee into giving them access to their work tools.
B. Krebs described how this attack was carried out and provided information on the person believed to be behind all of it.
The first signs of the attack appeared on Wednesday at approximately 10 p.m. Lithuanian time. At that time the Twitter account of the cryptocurrency exchange Binance circulated a message stating that it had partnered with CryptoForHealth to distribute 5,000 bitcoins to the public (approximately €40 million at the current exchange rate) and provided a link that people could use to donate or send money.
Within a few minutes, other cryptocurrency exchanges and celebrities circulated similar messages: US presidential candidate Joe Biden, former US President Barack Obama, former New York Mayor Michael Bloomberg, Amazon CEO and billionaire Jeff Bezos, SpaceX and Tesla chief and billionaire Elon Musk, and another billionaire, investor Warren Buffett.
And while a person would have to be exceptionally naive and trusting to fall for such a deception, analysis of the activity of the indicated bitcoin wallet revealed that up to 383 transactions came in that day, for a total of almost 13 bitcoins, or slightly more than 100 thousand euros.
Twitter responded with a message that it "detected a coordinated social engineering attack by individuals who successfully targeted our employees with access to internal systems and tools. We know that, by taking advantage of this access, they took over the management of many well-known (as well as verified) accounts and sent messages on their behalf. An investigation is under way into what other malicious activities these individuals may have performed and what information they had access to; the results of the investigation will be shared publicly."
According to Krebs, there are strong reasons to believe that the authors of this attack are people who have traditionally stolen social media accounts using so-called "SIM swapping", a popular method of cyber fraud in which employees of mobile service providers or social media companies are coerced, or their work accounts are "hacked", giving the attackers subsequent access to the victims' accounts.
The "fetish" of this particular cybercriminal community is the theft of specific Twitter accounts with short names. Accounts like @b, @joe or @6 are called OG accounts (from "original gangster"). Owning an OG account is in itself a measure of status, influence and wealth in the SIM swapping community. These accounts are sometimes traded on underground markets, where they can cost thousands of euros or dollars.
In the days leading up to Wednesday's attack on Twitter, there were signs that this cyber scam community was trying to sell "the ability to change the email address associated with any Twitter account". In a post on the OGUsers forum, which deals in stolen accounts, a user named Chaewon claimed that he could change the associated email address of any Twitter account for $200 and give direct access to a selected account for $2,000 to $3,000.
"This is NOT a method; if for some reason you do not get the email address or account access, I will refund you all the money, but if the account is locked or suspended, I will not be responsible for it," Chaewon said in the sales post.
A few hours before the scam messages offering bitcoins spread, this individual seems to have focused all his attention on certain OG accounts, including the @6 account.
That account previously belonged to Adrian Lamo, the "homeless hacker" who died in mysterious circumstances, and who became famous for hacking into The New York Times' internal networks and for reporting Chelsea Manning over stolen US military documents. The account is now managed by Lamo's old friend, a cybersecurity expert and so-called "phone phreak" (a person who looks for security holes in telecommunications networks), who is known only by his Twitter handle, Lucky225.
He said that on Wednesday, just before 9 p.m. Lithuanian time, he received a message via Google Voice with a password reset code for the @6 account. Lucky225 said he had previously disabled text messaging as a way of receiving two-factor authentication codes from Twitter, using a mobile authenticator app instead.
However, because the attackers had already been able to change the email address associated with the @6 account and disable two-factor authentication, the one-time authentication code was sent both to Lucky225's Google Voice account and to the email address belonging to the attackers.
"The attack works in such a way that Twitter's administration tools appear to have the ability to change the email address of any user, and that address can be changed without sending any notice to the user. So the attackers can change the email address without it being noticed at first, and then disable two-factor authentication," said Lucky225.
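The sequence Lucky225 describes (an email change made through an administrative tool without notifying the user, then two-factor authentication disabled, then a password reset) is exactly the kind of chain an account-security audit pipeline can correlate. The following is an added example, not code from the article or from Twitter; the event names, fields and log lines are constructed for illustration.

```python
# Added example (not from the article): flag accounts where an admin-side email
# change that skipped user notification is followed, within a short window, by
# 2FA being disabled and (optionally) a password reset. Event names and field
# names are assumptions, not Twitter's real audit schema.
from datetime import datetime, timedelta

# Constructed sample audit log (not real data); one event per line.
AUDIT_LOG = """\
2020-07-15T17:40:02Z @6 email_changed actor=admin_tool notified_user=false
2020-07-15T17:43:10Z @6 twofa_disabled actor=admin_tool
2020-07-15T17:55:31Z @6 password_reset_requested actor=self_service
2020-07-15T18:01:00Z @b email_changed actor=admin_tool notified_user=false
2020-07-15T18:02:45Z @b twofa_disabled actor=admin_tool
2020-07-15T12:10:00Z @alice email_changed actor=self_service notified_user=true
2020-07-15T12:12:00Z @alice twofa_disabled actor=self_service
"""

WINDOW = timedelta(minutes=30)

def parse_line(line):
    """Parse one 'timestamp account event key=value ...' line into a dict."""
    ts, account, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "event": event, **fields}

def flag_takeovers(log_text, window=WINDOW):
    """Return {account: [event names]} for every account whose unnotified,
    admin-made email change is followed within `window` by twofa_disabled."""
    by_account = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_account.setdefault(ev["account"], []).append(ev)
    flagged = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if (ev["event"] != "email_changed" or ev.get("actor") != "admin_tool"
                    or ev.get("notified_user") != "false"):
                continue  # only silent, admin-side email changes start a chain
            chain = [ev]
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["event"] in ("twofa_disabled", "password_reset_requested"):
                    chain.append(later)
            if any(e["event"] == "twofa_disabled" for e in chain):
                flagged[account] = [e["event"] for e in chain]
                break
    return flagged

if __name__ == "__main__":
    for acct, chain in flag_takeovers(AUDIT_LOG).items():
        print(acct, "->", ", ".join(chain))
```

The @alice events are a legitimate self-service change with notification and are not flagged; the two OG accounts are.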
Lucky225 said he had not yet reviewed any messages sent from the account he had lost control of, because he had not yet regained access to it.
But at the same time as the cybercriminals hijacked the @6 account, another OG account, @B, was stolen. Images were posted on Twitter showing someone using the @B account while also using Twitter's management tools.
The social network's actual owners reacted very quickly and harshly to the distribution of such screenshots: all messages containing the same or similar images were removed from the social network, and in some cases the accounts that distributed those messages were suspended.
One account, @shinji, which distributed images from Twitter's administration tools, has been permanently terminated. But before that, its owner managed to tweet "follow @6", pointing to the account that had just been stolen from Lucky225.
In web archives one can still find a few tweets posted by the @shinji account, boasting of owning two OG accounts on Instagram: j0e and dead.
Meanwhile, a source working in the cybersecurity department of one of the top US mobile operators learned that the dead and j0e accounts were linked to a well-known SIM swapper who goes by the nickname PlugWalkJoe. Investigators have been monitoring this figure for some time, identifying him as a person involved in various SIM swap attacks for many years, even before stealing bitcoins became a fashionable way to make money.
The same person is also identified as one of the main members of a group of SIM swappers called ChucklingSquad. That group is said to have taken over even @jack, the account of Twitter founder and CEO Jack Dorsey, after cybercriminals last year took over his phone number at communications provider AT&T and, through it, his Twitter account.
Sources in the cybersecurity departments of mobile service providers indicate that PlugWalkJoe is in fact a 21-year-old man from Liverpool, UK, whose real name is Joseph James Connor. He is currently believed to be living in Spain, having studied at a university in that country earlier this year, and was unable to return home because of the travel restrictions imposed after the COVID-19 pandemic was declared.
Krebs learned that PlugWalkJoe had recently become the subject of an investigation: one of the researchers, a woman hired to chat with PlugWalkJoe, was able to persuade him to join a video call. The recording of that call shows a distinctive detail that is also visible in PlugWalkJoe's Instagram account.
If the suspicions of the security experts are confirmed, there will be a certain irony in the fact that a cybercriminal who used social engineering for his crimes was identified by investigators using social engineering.
At the same time, one can be thankful that this criminal lacked the ambition or malice to think of interfering in electoral processes or stock market activity, or of spreading provocative messages from the Twitter accounts of heads of state and thereby inciting international discord, perhaps even war.
It also seems clear that the authors of this attack had the opportunity to read the private correspondence of any Twitter user. The value of such information is difficult to quantify, but it would certainly be of interest to a wide range of actors: states, companies and individual blackmailers.