Jul 15, 2020 Twitter Hack Re-Emphasizes the Obvious
The big news tonight is that Twitter was hacked, and the accounts of various celebrities (Elon Musk, President Obama, Warren Buffett, Kanye West, and many others) sent out bogus requests for Bitcoin to their followers. As of right now the damage is $10 million and counting, and speculation is that Twitter was the victim of a nation-state attack (NSA).
Of course this is a black eye for Twitter, and it’s certainly possible the attackers were nation-state actors. And of course it’s bad news for those whose accounts were hacked, who (if nothing else) are experiencing reputational damage and potentially the inability to use their favorite communications mechanism for a while while Twitter investigates. (Not being able to send Tweets for a few hours or days! The inhumanity!)
With all due sympathy to those whose accounts were hacked, though, the attack is a mark-one mod-zero* example of a standard social engineering attack: Phishing.
Just because it comes via Twitter (versus email), from the accounts of celebrities (versus putative Nigerian princes), and requests Bitcoin (versus wire transfers of funds) doesn’t make it anything else. It’s the same old trick that first emerged in the last century, revamped and polished for this one.
Anyone clueless enough to believe an online request for money, and respond by sending it, has obviously failed Security Awareness Training 101. And if you’re a cybersecurity professional, you’d better hope your friends, family, and the employees of your organization aren’t among the ones so scammed, because it means you aren’t doing your job.
Just in case we all need a reminder, folks, remember the Three Rules of Phishing Protection:
1. Never send money (or equivalent) if asked online, unless you are certain it’s coming from a secured, authorized entity (e.g. a charity you’ve worked with in past).
2. Never click an online link if you have the least concern it might be malware.
3. When in doubt of (1) and (2), confirm in real life (IRL) with the person making the request. If you’re unable to contact the person making the request IRL (either because they’re too famous to talk to you or you have no way of reaching them) don’t respond and don’t send the money.
Those of us who use Facebook are well aware of these rules. (Well, most of us, anyway.) Facebook users experience these attacks on a regular basis, and it’s common to let friends know that one’s account has been hacked. It usually takes Facebook a day or two to clean things up, and it’s really not the end of the world.
I guess both my use of Facebook and my wariness mark me as a hardcore gen-Xer, because not only does this not seem like the end of the world (for Twitter or anyone else) it just appears to be a Blinding Flash of the Obvious. It’s surprising that people savvy enough to have Bitcoin would be clueless enough to fall for a basic scam, but sometimes the brightest people are the most clueless.
Maybe Twitter users have a thing or two to learn from Facebook.
Or maybe, you know, they could just follow the Three Rules of Phishing Protection…
*I grew up hearing “mark-one mod-zero” as a synonym for “basic, fundamental, simplest-case” from my Naval-officer father. It never occurred to me to look it up until today. So now you know, too!