Andy Greenberg at Wired has published an interesting article, describing how there has been a spate of “phone spear phishing” attacks since celebrity accounts on Twitter were very publicly compromised last month.
You will remember that Twitter confirmed that members of staff were rung up by scammers, who then socially engineered their victims into handing over credentials which gave the hackers access to Twitter’s internal tools. Those tools, which should only have been available to authorised personnel (and perhaps, in retrospect, not to 1000+ employees and contractors), could then be used to reset passwords and disable two-factor authentication.
According to New York-based security outfit Unit 221b, which has been helping the FBI with its investigation into the Twitter hack, the same “voice phishing” techniques have been used against banks, web hosts, and cryptocurrency exchanges in recent weeks.
Meanwhile, Zack Allen of security firm ZeroFox tells Greenberg that the attacks do not appear to be state-sponsored, but instead are the work of organised youngsters:
He says he’s been shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees—some even starting their very first day on the job—and convincingly impersonating IT staff to trick them.
If it’s true that the attackers are English-speaking teenagers, it certainly fits in with the profile of those who have been charged in relation to the Twitter hack so far.
And no surprises about LinkedIn being a key resource for the hackers. I’ve long thought it’s a much more valuable resource for criminals trying to learn more about your company and which worker they should target than it is for job seekers.
Of course, Twitter has made some noise in recent months about how it is encouraging workers to stay at home “forever”.
I can’t help but wonder if the fact so many of us are working from home right now, far removed from our colleagues and IT support departments, and dealing with the stresses and challenges that brings, might be increasing the likelihood that a “phone spear phishing attack” will succeed.