Twitter says the Bitcoin scammers who sent out messages soliciting bitcoin donations were able to do so via a social engineering attack targeting employees who had access to internal systems and tools.
Verified accounts with huge followings such as Barack Obama, Bill Gates, Kanye West, and Elon Musk have been affected.
Corporate accounts such as Apple and Uber have also been compromised. Verified accounts were temporarily blocked from tweeting by the company as part of its response.
In a series of tweets the social media company explained its initial findings.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
According to the company, “Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers. We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.”
“This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do.”
Twitter says it has locked the compromised accounts and will restore access to the original account owners only when it is certain it can do so securely.
The company also said it has now taken significant steps to limit access to internal systems and tools while its investigation is ongoing.
One born every minute
And yes, remarkably, the scam has worked at least to a small extent, with analysis by Tenable suggesting it has so far netted $50,000.
The fake messages vary but typically include the following: “I am giving back to my community due to COVID-19. All bitcoin sent to my address will be sent back doubled. If you send $1000 I will send back $2000”, followed by a URL to click through to.
This list, compiled earlier today by MIT’s largest research lab, shows the sheer scale of the scam’s reach:
Compromised accounts, with follower counts: Barack Obama (120m), Bill Gates (51m), Elon Musk (37m), Wiz Khalifa (36m), Kanye West (30m), Joe Biden (7m), YouTube’s MrBeast (6m), Apple (5m), Mike Bloomberg (3m), Jeff Bezos (1.5m), Uber (1m), Bitcoin (1m).
A Twitter support message acknowledged the issue, noting “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”
According to Satnam Narang, Staff Research Engineer, Tenable, who blogged about this very issue back in March, “Several notable Twitter accounts in the cryptocurrency space have seemingly been hacked in a mass coordinated attack, including exchanges like @Coinbase, @Binance, @Gemini, @KuCoin, @Bitfinex, CEOs and founders like @CZ_Binance, @JustinSunTron, @SatoshiLite, cryptocurrency accounts like @TronFoundation, to promote a COVID-19 cryptocurrency giveaway scam.”
He said the accounts tweeted that they had “partnered with” a company called CryptoForHealth. “The domain for this website was registered on July 15. The website itself claims that, to help with the hard times endured by COVID-19, they’re partnering with several exchanges to provide a ‘5000 Bitcoin (BTC) giveaway’ which is a ruse for advance-fee fraud.
“In separate but related attacks, the verified accounts of Bill Gates, Elon Musk and Uber were also compromised to promote a cryptocurrency giveaway. Their tweets used the same Bitcoin address we observed on the CryptoForHealth site, indicating that this is likely a coordinated attack.”
Narang says that what makes this incident most notable, however, is that the scammers have managed to compromise the legitimate, notable Twitter accounts to launch their scams. “Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address is even greater. This is a fast moving target and so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon and Bill Gates’ tweets.”
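A defender-side way to use the signal Narang describes above (one Bitcoin address pushed from several unrelated accounts, dressed in the "send X, get 2X back" wording quoted earlier), as an added example that is not part of the original article or of Tenable's analysis. The tweets and addresses are constructed, and the phrase list and scoring thresholds are assumptions, not a published detection rule.

```python
import re
from collections import defaultdict
# Constructed sample tweets, not real data; the addresses are made-up strings
# that merely match Bitcoin address syntax (one bech32, one legacy).
ADDR_A = "bc1qconstructedexampleaddr0000000000000000"
ADDR_B = "1FakeAddrForDemoNotRea1Address"
SAMPLE_TWEETS = [
    {"account": "@ceo_one", "text": "I am giving back to my community due to COVID-19. "
     "All bitcoin sent to my address will be sent back doubled. If you send $1000 "
     "I will send back $2000 " + ADDR_A},
    {"account": "@exchange_two", "text": "We have partnered with a giveaway! Send BTC to "
     + ADDR_A + " and get double back."},
    {"account": "@founder_three", "text": "Happy to give back: send $500, receive $1000. " + ADDR_A},
    {"account": "@charity_four", "text": "Donations for our food bank are received at " + ADDR_B},
    {"account": "@ceo_one", "text": "Great quarter, thanks to the whole team."},
]

# Syntax-only matcher for legacy (1.../3...) and bech32 (bc1...) addresses;
# it does not validate checksums, so treat hits as candidates, not proof.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
SCAM_PHRASES = ("giving back", "give back", "sent back doubled", "send back", "double", "giveaway")
AMOUNT = re.compile(r"\$(\d[\d,]*)")

def extract_addresses(text):
    return BTC_ADDR.findall(text)

def scam_score(text):
    """Crude heuristic: one point per giveaway phrase, two more for a 'send X, get 2X' pair."""
    lowered = text.lower()
    score = sum(1 for phrase in SCAM_PHRASES if phrase in lowered)
    amounts = [int(a.replace(",", "")) for a in AMOUNT.findall(text)]
    if len(amounts) >= 2 and amounts[1] == 2 * amounts[0]:
        score += 2
    return score

def find_coordinated(tweets, min_accounts=2, min_score=1):
    """Group scam-scoring tweets by address and return addresses pushed by several accounts."""
    accounts_by_addr = defaultdict(set)
    for tweet in tweets:
        if scam_score(tweet["text"]) < min_score:
            continue
        for addr in extract_addresses(tweet["text"]):
            accounts_by_addr[addr].add(tweet["account"])
    return {addr: sorted(accts) for addr, accts in accounts_by_addr.items()
            if len(accts) >= min_accounts}

if __name__ == "__main__":
    for addr, accts in find_coordinated(SAMPLE_TWEETS).items():
        print(f"{addr} pushed by {len(accts)} accounts: {', '.join(accts)}")
```

The legitimate charity address is never flagged because its tweet carries none of the giveaway wording, while the shared scam address surfaces as soon as a second account repeats it.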
Trust me not
At a time when brand trust has re-emerged as a key competitive advantage, Twitter is simply the latest global business to have its lax security exposed, and to take damage as a result.
According to Aarron Spinley, SAP’s Growth and Innovation Evangelist, “When a brand delivers an experience or an outcome that is outside of the accepted norms or behaviour, or simply beyond the social contract that it has with its customers, it either plants the seeds of distrust or destroys trust altogether. What we’ve seen from the evolution of society and customer expectations is that when this happens the prospect of recovery is limited to none.”