Twitter says a “phone spear phishing” attack helped hackers – what’s that?

Twitter says a "phone spear phishing" attack helped hackers - what's that?

Twitter has released some more information about the hack it suffered earlier this month that saw high profile accounts breached, and hijacked to post a cryptocurrency scams.

Victims of the attack, which was perpetrated by hackers with access to Twitter’s internal account management support tools, included Amazon’s Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Barack Obama, and Kanye West.

Twitter’s latest update on the incident includes some further information about how hackers were able to breach its security, and debunks the notion that an employee deliberately assisted:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.

So, the obvious question is – what’s a “phone spear phishing attack”?

Twitter unfortunately has been frustratingly opaque as to precisely what it means by the term, but here’s my best guess at what happened:

A targeted Twitter employee or contractor received a message on their phones which appeared to be from Twitter’s support team, and asked them to call a number.

When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials.

The Twitter employee or contractor, thinking they were speaking to a legitimate support person authorised to have access to sensitive information, might be more likely to reveal more details on the phone than they would via email or a conventional phishing website.

Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VOIP phone service and using caller ID spoofing to pretend to be ringing from a legitimate number. They could then direct the unsuspecting employee to a phishing page, designed to steal credentials.

Attacks like the above can, of course, be even more successful when your staff are forced to work remotely because there’s a global pandemic.

That’s my guess regarding what happened anyway. Maybe Twitter will be a little more transparent in time.

If Twitter workers had been given the genuine support number in advance (rather than trusting one given to them via a phone message), and trained to always call that legitimate number, then maybe the attack would have been less likely to succeed.

Just because someone sounds friendly and helpful on the phone does not mean they should be trusted. It can feel socially awkward to be obstructive and unhelpful – especially when you believe you are speaking to a “support person” who appears to be helping you – but you should always be on your guard.

Since the attack it has been revealed that over 1000 Twitter staff and contractors had access to the internal tools that helped hackers hijack accounts.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.