**Update:** According to multiple reports, including Bloomberg (August 1) – “The alleged mastermind behind the July 15 hack of Twitter accounts of business titans, celebrities and a former president didn’t need sophisticated hacking tools to pierce the company’s security system. Rather, he convinced an information technology employee at Twitter that he was a colleague who needed login credentials to access the company’s customer support platform, according to law enforcement officials.”
Additional light is beginning to shine on the July 15th Twitter breach, where accounts of some of its most high profile users – including Tesla CEO Elon Musk and celebrities Kanye West and his wife, Kim Kardashian West – were compromised. The attackers attempted to lure the celebrity followers into sending money to an anonymous Bitcoin account.
According to Twitter’s blog, a “phone spear phishing attack” was used to target a small number of its employees.
“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” it writes.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter added, dubbing the incident “a striking reminder of how important each person on our team is in protecting our service.”
It now says the attackers used the stolen credentials to target 130 Twitter accounts — going on to tweet from 45; access the DM inbox of 36; and download the Twitter data of seven. All affected account holders have been contacted directly by Twitter at this point, per its blog post.
What is phishing?
Phishing attacks are usually performed by impersonating a trustworthy entity, so that the victim believes they are handing their information to a trusted party. Attackers target individuals through mail, desktop computers, laptops, mobile devices and, as is being reported – but not confirmed – by multiple sources in this instance, phone calls.
Through phone-call spear phishing, commonly known as vishing, criminals use friendly persuasion and trickery to get individuals to hand over whatever information they are after – usernames, passwords, social security numbers, etc.
Mobile devices are a major target
Zimperium, the global leader in mobile device and app security, protects against mobile phishing attacks.
With smaller screens, and less space to identify troublesome URLs, phishing attacks on mobile devices are becoming more prevalent and successful. Some studies estimate 90 percent of emails are read on mobile devices and a significant percentage of successful phishing attacks are through mobile.
We’ve all received emails claiming our account on a social network may be compromised and that we need to reply with our credentials to check whether this is the case. We’ve also probably received offers to buy products online for a third of what they actually cost, and we’ve probably inherited a fortune from an unknown distant relative who, for some reason, knew about us and left us everything he had.
Another use for phishing attacks is to trick the victim into downloading and installing malware, which allows the attacker to access the device whenever he/she wants to do so.
There are several different types of phishing attacks: deceptive, spear (or whale), clone, smishing and domain spoofing/link manipulation. Definitions are sometimes blurry and can change from one source to the other.
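Of the types listed above, domain spoofing and link manipulation are the ones a small screen makes hardest to spot by eye, because the visible link text and the real destination can differ and a lookalike host is easy to miss. The following is an added example written for this post, not Zimperium’s z9 engine or any code from the original, showing simple defender-side heuristics that an email or messaging gateway could apply before a link ever reaches a phone. It assumes a constructed allow-list of trusted domains (`TRUSTED_DOMAINS`) and a constructed sample HTML message (`SAMPLE_EMAIL`); the punycode hostname in the sample is a made-up label, and only its `xn--` prefix matters to the check.

```python
"""Link-manipulation / domain-spoofing heuristics for phishing triage.

Added example (not Zimperium's z9). Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation's users legitimately use.
TRUSTED_DOMAINS = {"twitter.com", "example-bank.com"}

# Constructed sample message with one benign link and three suspicious ones.
SAMPLE_EMAIL = """
<p>Your account was flagged. Verify here:
<a href="http://twitter-support-team.net/verify">twitter.com/verify</a></p>
<p>Or use <a href="https://twiter.com/login">this link</a>.</p>
<p>Help centre: <a href="https://twitter.com/help">https://twitter.com/help</a></p>
<p>Mobile app: <a href="http://xn--twtter-cnstrctd.com/">Twitter</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Crude "last two labels" rule; production code should use the
    # Public Suffix List (e.g. co.uk) instead.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    dom = registrable_domain(host)

    # 1. Visible text names a domain that differs from the real destination.
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and registrable_domain(shown.group(0)) != dom:
        findings.append("text/href mismatch")

    # 2. IDN (punycode) hosts can render as visually identical lookalikes.
    if "xn--" in host:
        findings.append("punycode host")

    for t in sorted(trusted):
        if dom == t:
            continue
        # 3. Trusted brand name embedded in an untrusted hostname.
        brand = t.split(".")[0]
        if brand in host:
            findings.append(f"brand '{brand}' embedded in {dom}")
        # 4. Registrable domain is one or two edits away from a trusted one.
        if edit_distance(dom, t) <= 2:
            findings.append(f"lookalike of {t}")
    return findings


def scan_message(html):
    """Map every href in the message to its findings."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, hits in scan_message(SAMPLE_EMAIL).items():
        print(f"{href:45s} {'OK' if not hits else '; '.join(hits)}")
```

Each heuristic on its own produces false positives (a legitimate vendor may well own a `brand-support` domain), so the intent is to score and flag links for rewriting or user warning rather than to block outright; the per-link findings list is what a gateway would attach to the message for a SOC analyst to review.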
Let me be clear about one thing: At Zimperium, we are always very honest about the risks we detect and mitigate and those that we do not. For example, if the Twitter attackers truly did “vish” the employees, we would not have detected it (we aren’t sure if any technology would).
However, when it comes to the majority of the vectors hackers try to exploit in mobile phishing attacks – corporate email, personal email, SMS, messaging apps, etc. – our customers are protected. As a matter of fact, we continue to see increases in phishing attacks (and other threats launched against mobile devices) coinciding with the pandemic.
How does Zimperium do it?
Zimperium’s patented, machine learning-based engine, which we call z9, runs completely on-device. It immediately identifies even brand new phishing attempts and protects the user and their privacy without sending any data to the cloud.
z9 works independently of where the attack is coming from, meaning Zimperium customers are protected regardless of the delivery method used by an attacker (SMS, email, WhatsApp, Messenger, etc.) or even user misbehavior (a user clicking on a phishing link while browsing).
If you’d like to learn how to secure your mobile devices from phishing attacks, please contact us. We are here to help.
The post Twitter Hack Highlights the Realities of Mobile Phishing appeared first on Zimperium Mobile Security Blog.