Twitter says a “phone spear phishing” attack helped hackers – what’s that?

Graham Cluley
@gcluley

Twitter has released some more information about the hack it suffered earlier this month that saw high profile accounts breached, and hijacked to post a cryptocurrency scams.

Victims of the attack, which was perpetrated by hackers with access to Twitter’s internal account management support tools, included Amazon’s Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Barack Obama, and Kanye West.

Twitter’s latest update on the incident includes some further information about how hackers were able to breach its security, and debunks the notion that an employee deliberately assisted:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.

So, the obvious question is – what’s a “phone spear phishing attack”?

Twitter unfortunately has been frustratingly opaque as to precisely what it means by the term, but here’s my best guess at what happened:

A targeted Twitter employee or contractor received a message on their phones which appeared to be from Twitter’s support team, and asked them to call a number.

When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials.

The Twitter employee or contractor, thinking they were speaking to a legitimate support person authorised to have access to sensitive information, might be more likely to reveal more details on the phone than they would via email or a conventional phishing website.

Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VOIP phone service and using caller ID spoofing to pretend to be ringing from a legitimate number. They could then direct the unsuspecting employee to a phishing page, designed to steal credentials.

Sign up to our newsletter
Security news, advice, and tips.

Attacks like the above can, of course, be even more successful when your staff are forced to work remotely because there’s a global pandemic.

That’s my guess regarding what happened anyway. Maybe Twitter will be a little more transparent in time.

If Twitter workers had been given the genuine support number in advance (rather than trusting one given to them via a phone message), and trained to always call that legitimate number, then maybe the attack would have been less likely to succeed.

Just because someone sounds friendly and helpful on the phone does not mean they should be trusted. It can feel socially awkward to be obstructive and unhelpful – especially when you believe you are speaking to a “support person” who appears to be helping you – but you should always be on your guard.

Since the attack it has been revealed that over 1000 Twitter staff and contractors had access to the internal tools that helped hackers hijack accounts.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Twitter says a “phone spear phishing” attack helped hackers – what’s that?”

  1. Notwithstanding the social engineering attack, why on earth would so many employees of Twitter have access control privileges that allowed the administration of any accounts, let alone the high profile accounts that were compromised? Surely this level of access should only be made when and if the problem management system has a reported and recorded issue that requires a fully auditable fix, and for a accounts flagged as high profile, 2FA and indeed dual authorisation. Interesting that the Orange man's account wasn't hacked. Kanye West probably thought he'd put out his own 'bitcoin' message in that his tweets make the Donald's look calm and to the point! Wtf has US politics become? Demon Sperm!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.