Twitter says the hackers responsible for a recent high-profile breach used the phone to trick employees of the social media company into giving them access.
The company revealed a few more details Thursday night about the hack earlier this month, which it said targeted “a small number of employees through a phishing phone attack.”
“This attack was based on a significant and concerted attempt to trick certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company tweeted.
The embarrassing July 15 attack compromised the accounts of some of its most prominent users, including Tesla CEO Elon Musk and celebrities Kanye West and his wife, Kim Kardashian West, in an apparent attempt to lure his followers to they send money to an anonymous bitcoin. bill.
After stealing the credentials of the employees and entering the Twitter systems, the hackers were able to target other employees who had access to account support tools, the company said.
Hackers targeted 130 accounts. They managed to tweet from 45 accounts, access 36 direct message inboxes, and download data from Twitter from seven. Dutch anti-Islam lawmaker Geert Wilders said his inbox was among the people he accessed.
Spear-phishing is a more specific version of phishing, a phishing scam that uses email or other electronic communications to trick recipients into delivering confidential information.
Twitter said it would provide a more detailed report later “given the ongoing law enforcement investigation.”
The company previously said the incident was a “coordinated social engineering attack” that targeted some of its employees with access to internal tools and systems. It did not provide further information on how the attack was carried out, but the details revealed so far suggest that hackers began to use the outdated method of talking beyond security.
British cybersecurity analyst Graham Cluley said his assumption was that a specific Twitter employee or contractor received a message over the phone asking him to call a number.
“When the worker called the number, he could have been taken to a compelling (but bogus) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over his credentials,” Clulely wrote Friday. on his blog.
Hackers may also pretend to call from the company’s legitimate helpline by falsifying the number, he said.
