As noted in previous articles, hackers’ tactics are changing rapidly. They are becoming more sophisticated, using social engineering and gaining access to sensitive information with relative ease. Many businesses have some form of training on cybersecurity and phishing schemes, since phishing is the number one vector chosen by hackers due to its effectiveness, but the levels of education and training provided to non-technical employees are not adequate. Yesterday, the public learned from Twitter what cybersecurity professionals already know: employees are every company’s weakest link.
Employees are the weakest link because people are easier to hack than machines. Sophisticated social engineering phishing schemes are designed to get you to give up your credentials for a website. The hacker who obtains this information will then use those credentials everywhere someone might possibly have an account, looking to gain access. This is what happened with Twitter’s Bitcoin scam.
The New York Times states, “Twitter’s investigation into the breach revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack,” a spokesman said, referring to attacks that trick people into giving up their credentials. The attackers then used Twitter’s internal systems to tweet from high-profile accounts like Vice President Biden’s.
“We’re looking into what other malicious activity they may have conducted or information they may have accessed,” Twitter’s spokesman added. “We’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing.””
The article also includes a screenshot of the tweet that went out on the high-profile accounts, which included Joe Biden, Barack Obama, Elon Musk, Kanye West, Bill Gates and more. Twitter did their best to control and shut down the attack, but it wasn’t pretty. They are also extremely lucky that the hackers, who have not yet been identified, didn’t cause more havoc. They simply asked for Bitcoin, when they could have caused much more detrimental damage with access to internal systems. The fact that more damage wasn’t done points to a likely amateur hacker, not a nation state or other known organization, unless this is just the beginning.
Still, this attack points to the exact reasons why IAM controls, cleaning up accounts, strong passwords, and cybersecurity education and training are crucial. To be frank, IAM controls are extremely important, as is cleaning up accounts, but the most important piece of ensuring cybersecurity at your business is to fully educate your employees on phishing schemes and passwords. Provide them with a password manager that can generate a lengthy, random password they don’t even need to know. Use MFA and 2FA for especially sensitive information or access, if not all the time. Continue education on at least a quarterly basis, updating training as new tactics by hackers come to light.
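As an added example (not code from the original article or from Twitter) of what that account cleanup and MFA enforcement look like in practice, the Python script below audits a constructed inventory of accounts with access to an internal tool, flagging privileged accounts without MFA and stale or never-used accounts, and generates a random password with the standard secrets module. The field names, the 90-day staleness threshold and the audit date are assumptions for the example.

```python
import secrets
import string
from datetime import date, timedelta

# Constructed sample export of accounts with access to an internal admin tool.
# Field names are assumptions; a real IAM export will look different.
ACCOUNTS = [
    {"user": "alice", "role": "support-admin", "mfa": True,  "last_login": "2020-07-14"},
    {"user": "bob",   "role": "support-admin", "mfa": False, "last_login": "2020-07-10"},
    {"user": "carol", "role": "support-admin", "mfa": True,  "last_login": "2020-03-01"},
    {"user": "dave",  "role": "read-only",     "mfa": False, "last_login": "2020-07-15"},
    {"user": "erin",  "role": "support-admin", "mfa": False, "last_login": None},
]

PRIVILEGED_ROLES = {"support-admin"}   # roles that can act on other users' accounts
STALE_AFTER = timedelta(days=90)       # assumed cleanup threshold
AUDIT_DATE = date(2020, 7, 16)         # constructed audit date for the sample


def audit_accounts(accounts, today, privileged=PRIVILEGED_ROLES, stale_after=STALE_AFTER):
    """Return {user: [findings]} for every account that needs action."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["role"] in privileged and not acct["mfa"]:
            issues.append("privileged account without MFA")
        if acct["last_login"] is None:
            issues.append("never logged in: remove or disable")
        elif today - date.fromisoformat(acct["last_login"]) > stale_after:
            issues.append("stale: no login in %d days" % stale_after.days)
        if issues:
            findings[acct["user"]] = issues
    return findings


def run_audit():
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit_accounts(ACCOUNTS, AUDIT_DATE)


def generate_password(length=24):
    """Random password from a CSPRNG, the kind a password manager would store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(user, "->", "; ".join(issues))
    print("example generated password:", generate_password())
```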
There are ways to protect your business from hackers and would-be thieves. These bad actors are all after one thing: information and data that they can sell to the highest bidder or use to extract a ridiculous ransom to get the information back. Insider threats don’t have to be intentional to have a detrimental impact. And if your business gets had by someone who’s not an amateur, the damage done will be far worse than a few tweets requesting Bitcoin.
People aren’t going to stop using Twitter; it’s too ingrained in their everyday lives and routine. They will, however, find a different place to get a product similar to yours if their information is exposed on your watch. Once that trust is broken, your business reputation is tarnished. You lose money on restitution, legal fees, fixing the problem and losing a portion of your customer base. Recovering from that is no easy feat. Even Twitter is going to suffer for their breach, but a multi-billion dollar company is far more capable of bouncing back than a small business which doesn’t have the assets to fall back on. Do your due diligence. Protect your assets, your customers, your employees and your proprietary information. Educate, train regularly, use password managers and employ proper IAM controls.