On July 15th, scammers successfully took over several high-profile Twitter accounts to promote a cryptocurrency scam that promised to give double the bitcoin (BTC) back to whoever sends BTC to a “contribution” address. Twitter made several statements through its official support account that they took steps to limit access to internal tools while the investigation is ongoing, and also confirmed that Twitter employees were targeted by a coordinated social engineering attack. Reporting by Vice.com based on interviews with alleged members of criminal forums suggested that a Twitter employee had been bribed to assist with changing security options for accounts using Twitter’s internal “Admin Panel,” but Twitter has not confirmed this report. As of July 16th, the scammers had successfully collected over 12 BTC (nearly $110,000) on just one of the addresses used in the scam. The Twitter accounts of @Uber, @Apple, @Bitcoin, @BarackObama, @JeffBezos, @JoeBiden, @elon_musk, @BillGates, @WarrenBuffett, @kanyewest, @wizkhalifa, @coinbase, @Ripple, @Gemini, @binance, @justinsuntron, @Tronfoundation, and @SatoshiLite were all hijacked. In the case of Bill Gates and Elon Musk, the scammers stated that they would give double the amount of BTC that is sent. Twitter took the unusual step of temporarily preventing all verified accounts from tweeting and suspending password resets on accounts while it attempted to get the situation under control.
This attack highlights the issue that security is not just a technical problem that can be solved through hardware and software – attackers quite often target employees with access through social engineering or even outright bribes to obtain access to sensitive accounts, systems, or data. Educating employees about social engineering techniques is a good first step, but regular testing through phishing simulations, penetration testing, and other scenarios that show employees first-hand what social engineering attacks look like are critical parts of a security program. Any particularly sensitive or dangerous job duty, such as the ability to reset high-profile accounts or transfer large sums of money, should require confirmation from two employees or auditing by a supervisor. When evaluating any alleged offer of free money from a celebrity or anyone else, the adage “If it sounds too good to be true, then it is” holds true. If a victim sends any cryptocurrency to any of these “contribution” addresses, they will surely not get anything in return. Even Coinbase, a cryptocurrency exchange service, is beginning to block transactions to these addresses.
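The two-employee confirmation recommended above is easiest to enforce in software rather than by policy alone. The following is an added example, not code from the original post or from Twitter: a small two-person approval gate for sensitive administrative actions, with an append-only audit trail. The action name `reset_account_security`, the target account, and the operator names are constructed placeholders; the gate refuses self-approval, duplicate approvals, and execution before two distinct approvers have signed off, and it records every accepted and rejected step so a supervisor can review them later.

```python
"""Two-person approval gate for sensitive admin actions (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid


class ApprovalError(Exception):
    """Raised when a request violates the two-person rule."""


@dataclass
class SensitiveRequest:
    request_id: str
    action: str          # e.g. "reset_account_security" (hypothetical action name)
    target: str          # the account the action would apply to
    requested_by: str    # operator who opened the request
    approvals: set = field(default_factory=set)
    executed: bool = False


class TwoPersonGate:
    """Holds pending requests and an append-only audit trail.

    An action can only be executed after REQUIRED_APPROVALS distinct
    operators, none of whom is the requester, have approved it.
    """

    REQUIRED_APPROVALS = 2

    def __init__(self) -> None:
        self.requests: dict[str, SensitiveRequest] = {}
        self.audit_log: list[dict] = []

    def _audit(self, event: str, **fields) -> None:
        # Every decision, accepted or rejected, lands in the log for later review.
        self.audit_log.append(
            {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def request(self, action: str, target: str, requested_by: str) -> str:
        request_id = str(uuid.uuid4())
        self.requests[request_id] = SensitiveRequest(request_id, action, target, requested_by)
        self._audit("requested", request_id=request_id, action=action,
                    target=target, by=requested_by)
        return request_id

    def approve(self, request_id: str, approver: str) -> int:
        """Record one approval; returns the number of approvals so far."""
        req = self.requests[request_id]
        if req.executed:
            raise ApprovalError("request already executed")
        if approver == req.requested_by:
            self._audit("approval_rejected", request_id=request_id, by=approver,
                        reason="self-approval")
            raise ApprovalError("requester cannot approve their own request")
        if approver in req.approvals:
            self._audit("approval_rejected", request_id=request_id, by=approver,
                        reason="duplicate")
            raise ApprovalError("operator has already approved this request")
        req.approvals.add(approver)
        self._audit("approved", request_id=request_id, by=approver, count=len(req.approvals))
        return len(req.approvals)

    def execute(self, request_id: str, executor: str, perform) -> object:
        """Run `perform(action, target)` only once the approval threshold is met."""
        req = self.requests[request_id]
        if req.executed:
            raise ApprovalError("request already executed")
        if len(req.approvals) < self.REQUIRED_APPROVALS:
            self._audit("execution_denied", request_id=request_id, by=executor,
                        approvals=len(req.approvals))
            raise ApprovalError(
                f"need {self.REQUIRED_APPROVALS} approvals, have {len(req.approvals)}")
        result = perform(req.action, req.target)
        req.executed = True
        self._audit("executed", request_id=request_id, by=executor,
                    approvers=sorted(req.approvals))
        return result


def demo() -> list[str]:
    """Walk one request through the gate and return the audit event names."""
    gate = TwoPersonGate()
    rid = gate.request("reset_account_security", "@example_account", "alice")
    for who in ("alice", "bob", "bob"):     # self-approval, ok, duplicate
        try:
            gate.approve(rid, who)
        except ApprovalError:
            pass
    try:
        gate.execute(rid, "alice", lambda a, t: None)   # only one approval so far
    except ApprovalError:
        pass
    gate.approve(rid, "carol")                          # second distinct approver
    gate.execute(rid, "alice", lambda action, target: f"{action} on {target}")
    return [entry["event"] for entry in gate.audit_log]


if __name__ == "__main__":
    print(demo())
```

The point of routing the rejected attempts through the audit log as well as the accepted ones is that a bribed or phished operator repeatedly trying to push a request through on their own shows up as a pattern of `approval_rejected` and `execution_denied` events, which is exactly the signal a supervisor reviewing the log should be looking for.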