Social Engineering Attack Enabled Hackers to Penetrate Twitter’s Administrative Systems and Hijack High-Profile Accounts
In one of the most extraordinary and high-profile cyberattacks ever made public, hackers on July 15 compromised Twitter’s administrative systems and hijacked the social media accounts of prominent politicians and business leaders. The attackers then used those accounts to masquerade as the victims and request donations in bitcoin.
Twitter said it was the victim of “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” The compromise enabled fraudsters to take control of these accounts and tweet on their behalf, the company said. 
The attack highlights the need for appropriate internal controls, as well as security awareness training to enable employees to identify and prevent sophisticated social engineering attacks, said Francis Gaffney, Director of Threat Intelligence at Mimecast. “Social engineering attacks are usually quite sophisticated and can involve substantial pattern-of-life analysis, including research of the target to craft specific bespoke lures,” he said.
“Appropriately managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon,” Gaffney added. “These need to change to prevent further successful attacks like this one, which can cause massive reputational damage for any company.” 
Top Public Figures Targeted
The hackers used their administrative access to hijack the accounts of political figures such as former President Barack Obama, former New York City Mayor Michael Bloomberg and presidential candidate Joe Biden. The cybercriminals also hacked the accounts of corporate figures including Tesla CEO Elon Musk, Amazon CEO Jeff Bezos, Berkshire Hathaway founder Warren Buffett, Microsoft founder Bill Gates and the corporate accounts of Apple and Uber. 
In a statement, Twitter said it locked down the affected accounts and removed the tweets. The company also said that internally, it had taken significant steps to limit access to internal systems and tools while it investigated the problem.
Security Awareness Training is Key
This breach has shone a spotlight on the dangers of social engineering attacks, as well as the potential impact of insider threats—whether unintentional or deliberate.
As Mimecast has stated, social engineering attacks can be extremely sophisticated and carefully researched and are mostly carried out for financial gain. “The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favorite restaurants, hobbies, sporting or musical interests,”
The Mimecast State of Email Security 2020 survey found that 60% of companies have experienced an increase in impersonation fraud, which uses social engineering methods, over the last year. “Human error is required for these attacks to be successful, which highlights the importance of regular cyber awareness training to increase employees’ knowledge about the methodologies used by threat actors,” said Gaffney.
However, many companies are leaving themselves vulnerable, he added. Among companies surveyed by Mimecast around the world, 55% do not provide awareness training on a frequent basis, and only 21% of companies offer monthly training.
Secure Sense understands the importance of ongoing employee security training to help reduce employee error and lower security risk. A Mimecast Security Awareness Training Solution effectively engages employees in a relatable workplace manner and provides training that addresses the root cause: human error.
Interested in learning more about Security Awareness Training? Contact Secure Sense at email@example.com.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT, and protecting your organization is what motivates us daily. If you have questions, want to learn more about how we can improve your organization’s security or about our services, or just want to chat security, please give us a shout.