Warn your staff about phone spear phishing attacks, as reports rise

Andy Greenberg at Wired has published an interesting article, describing how there has been a spate of “phone spear phishing” attacks since celebrity accounts on Twitter were very publicly compromised last month.

You will remember that Twitter confirmed that members of staff were rung up by scammers, who then socially engineered their victims into handing over credentials which gave the hackers access to Twitter’s internal tools. Those tools, which should have only been available to authorised personnel (and perhaps, in retrospect, not 1000+ employees and contractors) could then be used to reset passwords and disable two-factor authentication.

According to New York-based security outfit Unit 221b, which has been helping the FBI with its investigation into the Twitter hack, the same “voice phishing” techniques have been used against banks, web hosts, and cryptocurrency exchanges, in recent weeks.

Meanwhile, Zack Allen of security firm ZeroFox tells Greenberg that the attacks do not appear to be state-sponsored, but instead are the work of organised youngsters:

He says he’s been shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees—some even starting their very first day on the job—and convincingly impersonating IT staff to trick them.

If it’s true that the attackers are English-speaking teenagers, it certainly fits in with the profile of those who have been charged in relation to the Twitter hack so far.

And no surprises about LinkedIn being a key resource for the hackers. I’ve long thought it’s a much more valuable resource for criminals trying to learn more about your company and which worker they should target than it is for job seekers.

Of course, Twitter has made some noise in recent months about how it is encouraging workers to stay at home “forever”.

I can’t help but wonder if the fact so many of us are working from home right now, far removed from our colleagues and IT support departments, and dealing with the stresses and challenges that brings, might be increasing the likelihood that a “phone spear phishing attack” will succeed.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
