It started with a phone call, moved on to scamming unsuspecting victims out of Bitcoin, and ended in the arrests of three people, including a Florida teenager.

The July 15 hijacking of about 130 high-profile and verified Twitter accounts, including those of Bill Gates, Elon Musk, Barack Obama and Joe Biden, scammed dozens of people out of about $120,000 worth of bitcoin. The incident, which gained worldwide attention, contained a bit of everything, including a celebrity element and questions about the reliability of messages posted on one of the world’s largest social media platforms.

The arrests of a 17-year-old and two others in connection with the hacking case by the U.S. Justice Department and state prosecutors in Florida also reveal how rather basic hacking techniques, such as phone phishing and SIM swapping, can affect the security of an entire organization, leaving employees and internal resources open to attack.

“We still don’t know exactly what happened with Twitter, however, they’ve acknowledged that the incident was started by a phone spear phishing attack,” Hank Schless, a senior manager for security solutions at Lookout, told Dice. “Regardless of what happened with Twitter, this should be a wakeup call to everyone that phones and tablets need to be at the center of their overall security strategy. Your employees’ mobile devices have as much access to corporate data as most any laptop or desktop. So they shouldn’t be treated as afterthought to traditional endpoints and infrastructure.”

Go Phish

Many of the specific details of what happened to Twitter and the verified accounts are not known yet, but the Wall Street Journal reported that Graham Ivan Clark, a teenager from Tampa, helped mastermind the hacking incident, first by phone phishing a company employee, and then by using a SIM swapping technique to help bypass security controls in order to gain access to Twitter’s internal systems. SIM swapping is an increasingly popular hacking technique that starts by convincing a mobile operator's customer service employee to move a cell phone number to a different SIM card—a swap—or port it to another carrier.

This hacking method has been increasingly used over the last two years by hackers and cybercriminals to manipulate social media accounts and imitate executives in order to pull off other different types of fraud and account takeover attacks.

In addition, it appears that Clark and the other suspects also used additional phishing tactics and fake domains in order to capture other Twitter employees’ credentials, according to the Journal’s account. 

These types of targeted spear-phishing attacks are much prevalent and show that some hackers will use specific methods to target the data or information that they want, said 

Daniel Norman, a research analyst at the Information Security Forum, a London-based authority on cyber, information security and risk management.

“Phishing has been a prolific threat to organizations for many years now,” Norman told Dice. “Typically, attackers use ‘spray and pray’ techniques, creating and spreading generic fake emails to cover the widest attack surface as possible. However, as individuals become more aware of this threat, attackers are using far more targeted methods with greater success: spear phishing.”

Michael Thoma, principal consultant at the Crypsis Group, a Virginia-based incident response, risk management and digital forensics firm, notes that while many have taken Twitter to task over the security lapses that led to this hack, other companies are vulnerable to the same methods allegedly used by the suspects in the case.

“Threat actors will continue to look for ways to exploit a targeted business if the first line of attack fails. If they can’t succeed via a phishing email, they may use another communications channel, such as the phone—as used in the Twitter case,” Thoma told Dice. “There are limited technical controls that can be applied here, which is why policy governance and security awareness training are just as important as technical controls. The communications attack surface has expanded, with the majority of workforces transitioning to all or partial remote models in response to COVID-19.”

One way that CISOs and their teams can mitigate the use of phishing and social-engineering techniques that target specific employees is to create a security awareness program, which includes end-user training, the development of strong internal policies and procedures, and reinforcement using actionable metrics that drive meaningful improvements.

“It’s important to understand the organizational weaknesses and progress,” Thoma said. “Red team exercises as well as continuous simulated phishing campaigns on staff provide information on where to focus more attention.”

Lessons Learned

ISF’s Norman noted that there are three concrete steps organizations can take away from what happened at Twitter and apply to their own security policies and training.

Educating employees about new delivery mechanisms: Attackers are shifting away from email-based attacks to smishing (SMS or WhatsApp-based attacks) and vishing (voice-based attacks). With many, if not all, organizations running some type of email-based phishing campaign, there’s a fresh need to use these newer attack methods to test employees’ responses and make them more aware of how they are specifically targeted.

Preventing attackers from gathering information: Organizations should frequently engage with the workforce to educate them on how to mitigate the risk of spear-phishing before it actually happens. For example, attackers are now using readily available open-source intelligence online to build believable profiles to target certain individuals. Employees can reduce the amount of information available online and on social media. In addition they can put controls in place to prevent attackers from getting to their information so quickly, such as applying privacy settings in certain apps.

Improving the management of the risks: Businesses and organizations should carry out role-based training to see how employees at all levels react to spear-phishing and other hacking techniques. For instance, senior executives, financial and personal assistants receive a far greater number of spear phishing emails, so these employees should receive tailored and ongoing education and training. 

Security teams should also provide workers with the tools to quickly and easily report incidents, such as a phishing email alert button. There should also be procedures in place to prevent single points of failure. During financial transactions, Norman suggests that there should always be a second pair of eyes, or confirmation mechanism to add an extra layer of security.

“For the average person, they need to learn how to identify phishing attacks,” Lookout’s Schless said. “This applies whether you’re using a personal device or a corporate-issued one. They need to understand that phishing isn’t just an email-based scam that you open on desktop computers. From WhatsApp and Instagram to text messages, there are countless ways for phishing links to be delivered. Your employees can be both your strongest defense and your weakest link against mobile phishing depending on how well they’re trained to pick up on these attacks and report them.”