Joe Biden, Elon Musk, Jeff Bezos and other high-profile Twitter account holders were the targets of a widespread hack to offer fake bitcoin deals on Wednesday in one of the most pronounced security breaches on a social media site. Accounts for former US president Barack Obama, Microsoft co-founder Bill Gates, musician Kanye West and both Uber and Apple also posted similar tweets, all instructing people to send cryptocurrency to the same bitcoin address. The tweets were removed throughout the afternoon, shortly after being posted.
“The hackers ask users to send anywhere between 0.1 BTC and 20 BTC to a designated Bitcoin address and claim they’ll double victims’ money,” explained Satnam Narang, Staff Research Engineer, Tenable. “This is a common scam that has persisted for a few years now, where scammers will impersonate notable cryptocurrency figures or individuals. What makes this incident most notable, however, is that the scammers have managed to compromise the legitimate, notable Twitter accounts to launch their scams. Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address are even greater.”
Narang further added that this is a fast-moving target and that so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon Musk’s and Bill Gates’ tweets. “We strongly advise users never to participate in so-called giveaways or opportunities that claim to double your cryptocurrency because they’re almost always guaranteed to be a scam,” Narang said.
There have been hacks of high-profile individual accounts on Twitter before, including that of Twitter chief executive Jack Dorsey last year. But the widespread nature of this attack suggested unusually broad access to internal controls. While it was unclear how the attacks originated or why they went on for hours, some cybersecurity experts speculated that someone may have gained access to internal Twitter controls that allowed them to take over and post on the accounts.
“While the origins and scope of this pervasive attack are under investigation, the coordinated Bitcoin giveaway scam itself was designed to convince millions of Twitter followers to believe the fraudulent tweets, click the link, and pay Bitcoin,” said Loïc Guézo, Senior Director of Cybersecurity Strategy, EMEA at Proofpoint. “People are still a main focus for threat actors, even in scenarios where a system is possibly compromised. The social engineering featured in this scam demonstrates that the attackers targeted Twitter employees with access to internal tools and preyed on the trust associated with verified accounts and the attraction of doubling your money. To make the scam seem more authentic, they even set a time limit and an easy payment option to drive a swift response. Threat actors understand human nature and are unrelentingly focused on taking advantage of our society’s trust in digital channels.”
The attack also partially shut down the network. Twitter said in a tweet that some users weren’t able to tweet while it was addressing the incident. Users with the checkmark indicating that their accounts were verified by Twitter reported that they weren’t able to tweet. Twitter started letting verified accounts tweet again on Wednesday night but warned that the “functionality may come and go” as it worked on a fix to the breach. Later the same night, Dorsey tweeted that the company was “diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.” He called it a “tough day” at Twitter.
“Until we know exactly how these scam tweets were sent, it’s difficult to suggest what actions you might take, particularly given that access to services such as password changes (and presumably also changing details such as two-factor authentication numbers) is being restricted,” explained Paul Ducklin, principal research scientist, Sophos. “However, these scammers will only succeed if people fall for their unlikely messages – which rely on people suspending their disbelief simply because the tweet comes from a celebrity or someone they are inclined to trust.”
Twitter said in a later tweet that it “detected a coordinated attack by people who successfully targeted some of our employees with access to internal systems and tools.” The hackers used that access to take over the accounts. The breach will create major optics challenges for Twitter, and it will make it more difficult going forward to verify the authenticity of messages on the service, cybersecurity experts warned. That could have wide-reaching implications for politicians, celebrities and brands that use Twitter as an essential channel for communication.
Some of the people who were hacked indicated that they had turned on two-factor authentication and were using strong passwords, which typically makes unauthorized account access much more difficult. Meanwhile, Uber’s corporate account posted a tweet that read, “Due to Covid-19, we are giving back over $10,000,000 in Bitcoin! All payments sent to our address below will be sent back doubled.”
Uber confirmed in a tweet that its account had been hacked. “Like many others, our @Uber account was hit by a scammer today. The tweet has been deleted and we’re working directly with @Twitter to figure out what happened,” the company’s communications team tweeted. Then came a tweet from the account of Amazon CEO and Washington Post owner Jeff Bezos: “I have decided to give back to my community.” The tweet said the giveaway would be limited to $50 million.
Twitter said in tweets Wednesday night that it had “locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.” Meanwhile, the company is internally limiting access to tools while it investigates what happened.