Twitter is Dead to Me – What Really Happened This Week

As you probably know, Twitter got hacked (again) Wednesday. Many high-profile users appeared to tweet a bitcoin scam. The hack looked too easy. Maybe I’ve had enough of Twitter now.

Ah, the Californian Blue. What’s wrong with it? It’s dead—that’s what’s wrong with it.

Beautiful plumage. Lousy security.

Any news on what actually happened? Of course! Read on. In today’s SB Blogwatch, we pine for the fjords.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a DJ on Mars.

Avian Blu’

What’s the craic? Aunty’s Joe Tidy and David Molloy answer—“What happened?”:

 On [Wednesday] a number of Bitcoin-related accounts began tweeting what appeared to be a simple Bitcoin scam. [It] spread to mainstream celebrity accounts such as Kim Kardashian West and former vice-president Joe Biden, and those of corporations Apple and Uber. [Hackers] had somehow gained access to Twitter’s own internal administration tools.

Clues about those responsible are surfacing. … An advert on a hacker forum [claimed] to be able to steal any Twitter account by changing [its] email address. [This was] at least 36-48 hours before the Bitcoin scams began appearing.

The concern is that this hack might not be over if the attackers copied — and still possess — the private Direct Messages of the accounts over which they took control. … The private messages of Kanye West, Kim Kardashian West and Elon Musk could be worth money on dark web forums.

The private messages of presidential hopeful Joe Biden or former mayor of New York Michael Bloomberg could also have political consequences.

And Mike Isaac, Sheera Frenkel, Nathaniel Popper, and Kate Conger line up—“Even some basic questions … remain unanswered.”:

 The hack, and the company’s inability to quickly figure out what happened, is a major embarrassment for Twitter. … The hack of high-profile accounts to share a scam showed that Twitter remained unprepared for the security threats it faces.

Security researchers also questioned why Twitter did not have better safeguards to monitor suspicious activity on employee accounts. … Experts believe that depending on the length of time the hackers had administrative access, more fallout could be in store.

President Trump’s account was not affected by the breach. [His] account got extra protection after past incidents, according to a senior administration official and a Twitter employee, who would speak only anonymously because the security measures were private.

So who did it? All aboard the Brian Krebs cycle—“Who’s Behind Wednesday’s Epic Twitter Hack?”:

 There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” [which] involves bribing, hacking or coercing employees at mobile phone … companies into providing access. [On] a forum dedicated to account hijacking, a user named “Chaewon” advertised they could change the email address tied to any Twitter account for $250.

Investigators have been tracking … a notorious SIM swapper who goes by the nickname “PlugWalkJoe,” … because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists. [A] source said [he] was a key participant in a group of SIM swappers that adopted the nickname “ChucklingSquad,” [and] was thought to be behind the hijacking of Twitter CEO Jack Dorsey’s Twitter account last year.

[My source said] PlugWalkJoe in real life is a 21-year-old from Liverpool, UK named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year.

But why didn’t the victims get notified at their old email addresses? Luckily, Jered Morgan—@Lucky225—is here to break it down:

 As we now know from Twitter and various other sources the attackers had social engineered Twitter admin panel access from Twitter employees. … Attackers were able to use the portal access to update the email address on file for the account, revoke any 2FA settings, and then do a password reset to gain access to the account.

When a Twitter employee updates the email address on file it doesn’t send a notification to the owner of the account, so after the email address is updated an email about 2FA being revoked goes to the new email address. And then when they perform a password reset it goes to the new email address as well … never alerting the real owner of the account that anything has happened.

The tl;dr is attackers would:
1) change email address on file,
2) revoke 2FA via Twitter admin tools, and
3) perform a password reset.

Wait. Pause. DeWitt Clinton—@dewitt—says it wasn’t a SIM swap:

 Heard back from a few off the record that this wasn’t simjacking.

For those saying “I can’t believe they burned those accounts just for a bitcoin scam” — they didn’t. … The real scam (blackmail) can happen at their leisure now.

The perpetrators can now prove they … hold the data. … I better not be wrong about this. I refuse to believe I’m a better evil genius than actual evil people.

How should Twitter fix the problem? Slashdotter slashmydots has a suggestion:

 Who was behind the incident? Stupid people who shouldn’t own bitcoins.

Anyway, you’d think there’s a “who did this” logging thing where employees are logged in as themselves so they can trace back an email reset to a human being. If not, holy ****, change it so it works that way, Twitter!

With a more reasoned viewpoint, here’s Alex Stamos:

 There are many changes that Twitter can make to reduce the risk from customer service functions, such as creating two-person flows and performing risk-based auth. No coverage of this issue should ignore that major mobile providers are still struggling with stopping SIM swaps.
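As an added illustration (not code from the post, from Lucky225, or from Twitter), here is a constructed Python model of the three-step flow Lucky225 describes, placed beside a hardened admin flow that carries the fixes slashmydots and Stamos ask for: audit rows naming the actual employee, a two-person approval, a notice to the old address, and a risk-based hold on password resets. The Account, Outbox and audit structures and all addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    handle: str
    email: str
    twofa_enabled: bool = True
    email_change_pending: bool = False   # set by the hardened flow (assumed field)

@dataclass
class Outbox:
    """Stand-in for a mail sender: records (recipient, subject) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to, subject):
        self.sent.append((to, subject))

def notified(outbox, address):
    """True if any message went to the given address."""
    return any(to == address for to, _ in outbox.sent)

def weak_admin_flow(acct, new_email, outbox, audit):
    """Models the three steps in the post: silent email change, 2FA revoked,
    password reset. Every notice lands at the new address, and the audit
    row names a shared support identity rather than a person."""
    acct.email = new_email                       # old address is never told
    acct.twofa_enabled = False
    outbox.send(acct.email, "Two-factor authentication removed")
    outbox.send(acct.email, "Password reset link")
    audit.append(("support-shared", "email+2fa+reset", acct.handle))
    return acct

def hardened_admin_email_change(acct, new_email, requester, approver, outbox, audit):
    """Two-person rule, notice to the old address, per-employee audit row,
    and 2FA is left untouched (the support tool cannot revoke it here)."""
    if requester == approver:
        raise PermissionError("approver must be a different employee")
    old_email = acct.email
    outbox.send(old_email, "Email change requested on your account; reply to dispute")
    acct.email = new_email
    acct.email_change_pending = True
    audit.append((requester, approver, "email_change", acct.handle, old_email, new_email))
    return acct

def hardened_password_reset(acct, outbox, audit, employee):
    """Risk-based step: no reset mail while an email change is still pending."""
    if acct.email_change_pending:
        audit.append((employee, "reset_blocked", acct.handle))
        return False
    outbox.send(acct.email, "Password reset link")
    audit.append((employee, "reset_sent", acct.handle))
    return True
```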

So just a bribe? Or a real hack? thondwe has a theory on that:

 Assume most Twitter Admins working from home, so remote access a given. … VPNs have holes (several high profile solutions have had exploits exposed recently).

But gl4ss sees through the implications: [You’re fired—Ed.]

 Why would any company or country use Twitter for releasing any official information when the company is such a ****storm? Twitter probably did not have any safeties on customer reps … so some rep started selling [access].

It’s really crazy to operate in that way.

Pretty transparent scam though. Arthur the cat knows what he’d do differently:

 Ignore their scam, my scam can increase your [money] 100-fold! There will be a small administration fee payable up front.

Meanwhile, Warez shakez their head:

 They have full access to the most powerful Twitter accounts in the world and they scam bitcoin? What a bunch of amateurs.

And Finally:

Rattle dance


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Katja Just (via Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
