
Hackers Take Over Apple, Uber, Prominent Crypto Twitter Accounts in Simultaneous Attack


aum


UPDATE: This is an ongoing situation. Click here for real-time updates.

 

Hackers pumping a crypto giveaway scam appear to have compromised the Twitter accounts of leading exchanges, individuals and at least one news organization.

  • The unknown attackers tweeted identical messages promising that they were "giving back 5000 BTC ($45,889,950) to the community" on Wednesday afternoon from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk.
  • Their messages, sent within minutes of each other, prompted readers to claim their rewards at an included link associated with "Crypto For Health."
  • Changpeng Zhao, Binance's CEO, attempted to warn Twitter users that the Tweet was a scam within five minutes of the hack. But the attackers appear to have hidden his response and hacked him too.
  • Kucoin was also targeted in the hack. CoinDesk's account was as well.
  • Attempts to reach the hacked entities were not immediately successful.
  • At least some of the compromised accounts have multi-factor authentication enabled, including CoinDesk's.
  • The address linked to the scam appears to have received more than 11.3 BTC, or roughly $103,960.
  • Shares of Twitter fell as much as 3% in after-hours trading.

Source


A Twitter Hacking Spree Hits Elon Musk, Obama, Apple, and More

An unprecedented “security incident” has rocked Twitter—and scammers are making off with huge amounts of bitcoin. 
Elon Musk
Photograph: Yasin Ozturk/Getty Images
 

Bill Gates. Elon Musk. Barack Obama. Jeff Bezos. Mike Bloomberg. Joe Biden. Kanye West. Those are just a handful of the major, million-plus-follower Twitter accounts that were compromised Wednesday afternoon, each in service of a bitcoin scam that has already earned the hackers behind it well over $100,000 in a few short hours. And counting. In response, Twitter appears to have blocked many, if not all, verified accounts from tweeting.

 

The trouble appears to have started in the early afternoon, Eastern time, when the accounts of several major cryptocurrency players were hacked within minutes of one another. Targets included Binance CEO Changpeng Zhao, the exchanges Bitfinex, Gemini, and Coinbase, the news site Coindesk, and several others. They all shared an identical message about “giving back to the community” and a link to a site called Cryptoforhealth. That page currently does not load.

 

The attackers soon moved on to high-profile tech executives, companies, celebrities, and politicians, who posted tweets with a more overt scam. The language has remained fairly consistent across the hacked accounts. “I am giving back to the community,” a typical victim’s tweet reads. “All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.” Numerous non-verified accounts also sent out similar messages, but it's unclear whether those accounts were also compromised or if some of them were bots.

 

All the messages appear to lead back to the same digital wallet, which received its first incoming transaction at 3:03 pm EDT. It has recorded around 300 transactions since, although several of those are outgoing. It's not clear at this time to where.

screenshot of Jeff Bezos tweet
Screenshot: Brian Barrett via Twitter

This kind of bitcoin scam is a classic, although usually it involves people impersonating celebrity accounts rather than actually hacking them. We wrote about it a couple of years ago. A scammer creates a fake Elon Musk account, say, and promises to pay out a big chunk of bitcoin to anyone who sends a small amount to their digital wallet. And that’s the whole scam.

 

Or at least it was, until hackers figured out how to take over dozens of the most popular accounts on Twitter.

 

"These scams work because of a gambling mentality: Give a little bit of money, get a lot of money," says Ronnie Tokazowski, a senior threat researcher at the email security firm Agari. "Just the idea of risk versus reward. It's especially dangerous right now, because so many people are struggling.”

 

Twitter has experienced high-profile account takeovers in the past several years. An employee nuked Donald Trump’s account for 11 minutes in 2017. And more recently, a wave of hacks reached its apex when a SIM-swapping group that goes by “Chuckling Squad” managed to get the keys to Twitter CEO Jack Dorsey’s account.

screenshot of Elon Musk tweet
Screenshot: Brian Barrett via Twitter

This current meltdown seems unlikely to be connected to SIM-card trickery; most of the accounts in question undoubtedly have multiple levels of protection in place. Coindesk specifically stated Wednesday that it had two-factor authentication enabled but was compromised all the same.

 

It's unclear who was behind the attack, but according to threat intelligence firm RiskIQ it appears to be an established group. Researchers from the company say they've identified 400 domains linked to the hackers, based on structural similarities with the initial site that had been circulated. The implicated domains include URLs that suggest affiliations with Bill Gates, Binance, Elon Musk, Tesla, Space X, and Walmart. "Looking at our historical data, we see that this infrastructure has been in use for quite a while," says RiskIQ threat researcher Yonathan Klijnsma. "That tells us this group has been copying brands and using their cryptocurrency schemes for a while, but compromising verified twitter accounts was a new attack vector for them."

screenshot of tweet from Apple
Screenshot: Brian Barrett via Twitter
 

There has been speculation as well that the hacks might be related to a third-party app or service that has access to Twitter’s API. But multiple scam tweets appear to have been sent by the “Twitter web app,” which is to say, using Twitter in a browser. That source info can be faked, but that seems unlikely at this scale. All of which suggests that the hackers may have full access to these accounts, in which case they would also be able to read all of their private direct messages—a layer of exposure that in some cases should be even more alarming than the cryptocurrency scam.

 

"What really worries me is in a sense we got lucky because someone used it for some very public displays, some very public scam," says Andrea Barisani, head of hardware security at F-Secure. "But what if you would use the same power to make some very subtle tweets affecting the stock market or political statements or something more scary."

 

“We are aware of a security incident impacting accounts on Twitter,” the official Twitter Support account tweeted Wednesday. “We are investigating and taking steps to fix it. We will update everyone shortly.” At 6:18 pm EDT, it followed up that "you may be unable to Tweet or reset your password while we review and address this incident." The limitations appear to affect verified accounts, many of which were restored in the hours after Twitter imposed the restrictions. At around 9:30pm ET, Twitter CEO Jack Dorsey tweeted that "we all feel terrible this happened," with a promise of a detailed explanation in the future.

At 10:38pm ET, the official Twitter Support account gave a more detailed explanation of the company's findings so far. "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the thread states. "We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."

 

It's unclear whether that information could potentially include direct messages sent to or from the affected accounts. Twitter also said that while most verified accounts have had service restored by now, compromised accounts remain locked, and will be restored "to the original account owner only when we are certain we can do so securely." Twitter further said it would take steps to limit access to internal tools.

The explanation lines up with reports on social media and at Motherboard that indicated the hackers had access to internal Twitter tools, rather than attacking individual accounts.

 

A spokesperson for Bill Gates’ private office said in a statement, “We can confirm that this tweet was not sent by Bill Gates. This appears to be part of a larger issue that Twitter is facing. Twitter is aware and working to restore the account.”

 

Until it does, no Twitter user—especially those with large followings—should feel at ease. This is normally the time when WIRED would tell you to start using two-factor authentication (and you should!), but based on what we now know, that wouldn't have protected you in the first place.

 

This story has been updated with infrastructure details from RiskIQ and Jack Dorsey and Twitter Support's tweets. We’ll continue to update this story as more details are available.

 

Additional reporting by Lily Hay Newman.

 

 



Quote

...major, million-plus-follower Twitter accounts that were compromised...

Twitter is aware of the security incident. Other high-profile accounts were compromised in the past several years. Let's not worry, that's just an incident :dunno:



Hackers Convinced Twitter Employee to Help Them Hijack Accounts

 

After a wave of account takeovers, screenshots of an internal Twitter user administration tool are being shared in the hacking underground.

 

A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.

 

On Wednesday, a spike of high profile accounts including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama, Uber, and Apple tweeted cryptocurrency scams in an apparent hack.

 

"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.

 

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.

 

In all, four sources close to or inside the underground hacking community provided Motherboard with screenshots of the user tool. Two sources said the Twitter panel was also used to change ownership of some so-called OG accounts—accounts that have a handle consisting of only one or two characters—as well as facilitating the tweeting of the cryptocurrency scams from the high profile accounts.

 

Twitter has been deleting some screenshots of the panel and has suspended users who have tweeted them, claiming that the tweets violate its rules.

Do you know anything else about these account hijackings, or insider data abuse at other companies? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected].

The panel is a stark example of the issue of insider data access at tech companies. Whereas in other cases hackers have bribed workers to leverage tools over individual users, in this case the access has led to takeovers of some of the biggest accounts on the social media platform and tweeted bitcoin related scams in an effort to generate income.

 

The screenshots show details about the target user's account, such as whether it has been suspended, is permanently suspended, or has protected status.

 

One of the screenshots is a Twitter user posting images of the panel themselves. At the time of writing that account has been suspended.

 


One of the screenshots of the panel. Additional redactions by Motherboard.

 

Data breach monitoring and prevention service Under The Breach obtained a similar screenshot and tweeted it as the hackers hijacked several accounts. The person in control of the Under The Breach account told Motherboard Twitter then removed the tweet with the screenshot and suspended them for 12 hours. A message replacing the tweet now says it violated the Twitter rules.

 


A screenshot showing the panel's access to Binance, one of the hacked accounts. Image: Motherboard.

 

A Twitter spokesperson told Motherboard in an email that, "As per our rules, we're taking action on any private, personal information shared in Tweets."

 

After the publication of this piece, Twitter said in a tweet that "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

 

Other hijacked accounts include Mike Bloomberg, and cryptocurrency platforms Coinbase and Gemini. The accounts falsely announced they had partnered up with an organization called CryptoForHealth which claims it was going to provide people with bitcoin as long as they sent some to an address first.

 

Shortly after the spike of takeovers, Twitter itself tweeted that users may be unable to reset their passwords or tweet while the company addresses the issue.

 

Within an hour of the breach, Republican Sen. Josh Hawley wrote a letter to Twitter CEO Jack Dorsey asking for more information about the hack, including how the hack occurred, how many users were compromised, and whether the hack affected President Trump's account. Hawley said "please reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands."

 

In 2017, a Twitter worker briefly deleted President Donald Trump's account before it was quickly reinstated.

Two former Twitter employees previously abused their access to spy on users for the Saudi regime, according to the Justice Department.

 

All tech companies face the issue of malicious insiders. Motherboard has previously revealed how Facebook employees used their privileged access to user data to stalk women; how Snapchat workers had a tool called Snaplion that provides information on users; and how MySpace employees abused a tool called "Overlord" to spy on users during the site's heyday.

 

Update: This piece has been updated to include a response from Twitter and more information from a SIM swapping source.

 

Source

 
