As of 2020, high-profile hacks are no longer a massive surprise. A hundred thousand data breaches after the great Target breach of late 2013, and the world has more or less gotten used to hackers getting into places they ought not be, and making off with money or data that they ought not have. And while the threat of cybercrime has only grown in the wake of the COVID-19 pandemic, the collective bandwidth for worrying about it outside of dedicated segments has fallen off some. No one wants to get hacked, but people are fairly used to living with the risk, and in the face of a global health emergency and economic meltdown people can only keep so many worries top of mind.
And then there was the big Twitter hack coming through to remind us that it is a risk for literally everyone. Hacks are an unfortunately common reality, but a hack that successfully captures the Twitter profiles of Elon Musk, Joe Biden, Jeff Bezos, Michael Bloomberg, Kim Kardashian West and Bill Gates (among other high-profile people) and gets them to entreat their tens of millions of followers to send money to a bitcoin address stands out. Apart from celebrities, Apple and Uber were also tagged in the hacking event that occurred Wednesday (July 15).
The messages from hackers masquerading as high-profile people all had a similar tone and mentioned an intention to double and redistribute all funds donated in bitcoin to those who paid in. Most mentioned “feeling grateful” or a desire to “give back to my community.” Twitter caught the hackers and temporarily disabled all verified accounts to stop the message from being circulated — but before Twitter managed to pull the plug press reports indicated that scammers made off with more than $117,000 sent to two accounts via some 401 transactions, according to tracking website blockchain.com. A CBS News report put the figure at more than $118,000.
The hacked account fundraising session was part of a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” according to Twitter.
“We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company tweeted. “We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.”
Twitter has also said it has taken steps to limit access to internal systems and tools while it investigates how the most recent — and largest in history — Twitter heist was pulled off.
The attack has also drawn the eye of legislators, specifically Senator Josh Hawley of Missouri, who as of Wednesday (July 15) had written Twitter CEO Jack Dorsey looking for a fuller explanation of how cybercriminals has managed to get through Twitter’s two-factor authentication.
“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself. As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” Hawley wrote. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
And in fact, social engineering, though it has gotten a very public introduction by being used successfully to capture the accounts of some of the world’s best known and most high-profile people, is far from a new thing. Social engineering has been around and on the rise for a while, and though the exact form of the attack varies they all rely on the same basic principle — human beings are easier to trick than technology. And as U.S. Secret Service Special Agent in Charge Thomas C. Edwards noted in a conversation with Karen Webster and Visa Vice President of North America Risk Lori Hodges, we are in many ways of living in a golden era for opportunity fraudsters looking to hack the human weakest link in the chain.
“This is a once-in-a-lifetime target-rich environment for fraudsters,” Edwards said. “The number of people that are potential targets, that could be easily duped by sophisticated cons, is the greatest I’ve ever seen in my life.”
Thanks to more than a half decade of data breaches, there is a lot of easily available consumer data floating around out there that fraudsters can get their hands on for relatively little money.
That data, he noted, can be used by fraudsters to get someone to voluntarily do something they ought not. And the forms these frauds appear in is varied.
Targeting consumers, a social engineering fraudster will impersonate law enforcement, a bank or the IRS demanding payment. With enough data in their hands, those fraudsters can sound very convincing, he noted, and successfully play to consumers’ desperation or fear to override things they know — like not to give sensitive information to people who call them up demanding it out of the blue.
The small business variation on the social engineering scheme uses panic to override reason. Terry Roberds, director of corporate security for Missouri-based power company Ameren, explained to PYMNTS that could involve pretending to be a utility company that needs payment right now lest the power be turned off.
“You get a phone call on a Friday afternoon at 2 from someone claiming to be from Ameren, telling you that — for whatever reason — your payment hasn’t been received, and someone is going to come out within the next 30 to 40 minutes and disconnect your service,” he said. “They’re really counting on you to panic.”
Panic, and pay without thinking it through.
But not all social engineering is about generating fear. When social engineers reach out to customer service agents, for example, they work hard to impersonate the real account owner and create feelings of sympathy and camaraderie with the agent they are talking to — which in turn makes the sympathetic agent more likely to bend the rules and give them access to the data they need to more fully infiltrate the system and take over a real consumer’s account.
And social engineering, the Secret Service’s Edwards noted, is likely going to get worse. Because successful attacks often rely on a distracted and easily frightened user, he noted, they tend to spike in times of crisis.
“[In a] very difficult time for everybody, fraudsters jump on the opportunity and take advantage of people who are desperate,” Edwards said.
And, as Adrian Nish, head of threat intelligence at BAE, recently told PYMNTS, the pandemic is in many ways in an ideal time for fraudsters. The company is already seeing it in savvy social engineering attacks tuned in to people’s genuine need for more information or support regarding COVID-19.
“It’s not surprising. We call it the ‘lure du jour,’” Nish said. “I think a lot of these groups have identified coronavirus as something their targets would be desperate for information on.”
As for how to stop social engineering, that is tricky. In the short term, Twitter has pressed pause on service for many notable users and affirmed that it may be intermittently interrupted from here on out as the firm tries to make sure no other compromised accounts can cause trouble. The back-end investigation is ongoing, according to a public statement by CEO Dorsey.
As for the longer-term fix, consumer education seems to be the favored tool. The Secret Service’s Edwards and Visa’s Lori Hodges agreed that one can build the best technical locks in the world, but it won’t matter if a fraudster can convince someone inside to open the door.
People, they agreed, need to know that anyone calling looking for data should raise alarm bells, doubly so if they make threats on a time limit. If one wants to donate, go directly to the charity of choice, and avoid clicking links guiding you there. And most importantly, Edwards noted, people have to realize that fighting cybercrime is their problem too, and their vigilance is the best first line of defense against a fraud epidemic.
“Much like our public health officials have said people need to be careful and tell them how, law enforcement, credit card firms, insurance companies, we need to get the information out to consumers so they can protect their financial health as well as their physical health and flatten the curve on fraud,” Edwards said.