LAST July 15, the official Twitter accounts of major personalities were hijacked. Elon Musk, former U.S. president Barack Obama and Apple sent out Tweets about doubling the amount of bitcoins users will send to “fight COVID-19.”
The attack was to date the most severe on Twitter and any social media platform because it involved powerful and influential people, and was able to amass about $120,000 because of fraudulent claims made while falsely representing people like Musk and Bill Gates.
“Hacking into popular accounts to publish scam messages isn’t a new practice, neither is the doubling the donation scam. What is curious in this case is the scale of the attack and the fact that the actor completely took over the verified accounts – their emails have been changed, so the owners aren’t able to get access back quickly enough,” commented Dmitry Galov, a security researcher at Kaspersky.
The amount of money siphoned into the cryptocurrency account of the hacker in just a few hours indicated how successful the scam was.
“This scam was extremely effective – the amount gathered from the victims now equals over 120 000 USD, and this is just in one day. I think there are two major takeaways from this incident. First, users need to be aware of scams and stay cautious on social media; they need to be able to recognize them. Second, we need to be extra careful with our online assets-anything critical has to have, at a minimum, two-factor authentication,” added Galov.
Though cybersecurity is a top priority of all major social media platforms, it is difficult to manage internal disruptions. Surely Twitter has put a lot of effort into preventing many attacks, which happens almost every day. However, neither websites nor software are entirely immune to malware or viruses. And it is definite that the human factor immune to mistakes–and is, therefore, the weakest link.
This means any native platforms might be compromised.
“This major scam highlights the fact that we are living in an era when even people with computer skills might be lured into scammers’ traps, and even the most secure accounts can be hacked. According to our estimates, during the two hours of the attack, at least 367 users transferred the big bulk of crypto-cash to attackers,” Galov explained.
The Kaspersky expert said that today new attack vectors and scams combine old and effective techniques, use a surprise element, and gain people’s trust to facilitate the attack and lure victims into a trap.
For instance, it might be a mixture of supply chain attacks with social engineering. In addition, the threat actors might gain access to victim’s account in other ways. For instance, they might penetrate a third-party app with access to the user’s profile, or users’ passwords might be brute-forced.
“However, we urge everyone not to panic and simply accept a new mindset: social media account users require a responsible approach and thorough protection, but we are not lambs to the slaughter. This incident might mean we all need to take some time to reassess our approach to our relationships with social media and accounts’ security, but once we do so, it will become evident that we possess knowledge and instruments to recognize even the most elaborate scam and minimize its impact,” Dmitry Bestuzhev, cybersecurity expert at Kaspersky said.
To recognize scam in social media, Kasperky experts recommend to keep in mind the following tips.
- The most important element of every scam is a time limit. Not only that it prevents a victim from conducting a thorough check on the matter, but it also adds some psychological pressure on the user, making it easier for them to overlook details.
- Being afraid of missing a great opportunity, even the most careful people might be seduced into taking a risk and falling for attackers’ trick.
- In this case, the scam has also been thoroughly tailored to the personality of the owner or the tone of voice of the hacked account, which made it seem legitimate. Criminals might even go further and illustrate the scam with an authentically looking design or use deep fakes.
- One must always keep in mind that official campaigns or even individual initiatives of such scale always have prescriptive documents to support even the briefest promo offer, and are placed outside of social media. In addition, the financial part is usually more transparent and not tied to private bitcoin wallets.
- Remember, that it is highly unlikely that any official enterprise or established individual will ask you to transfer money, even to return them later, even as a joke, due to possible issues with taxes and financial reporting.
To maximize the protection of your account in social media, keep in mind:
- While it is absolutely essential to have a strong password, it should also be unique, so that if other website leaks your credential, your accounts remain safe. To create safe and complicated password to each website, use memory techniques or a password manager.
- Use two-factor authentication, when login and password need to be confirmed by entering a special code. Furthermore, consider using not a text message to receive this code, as it can be hijacked, but an app that generates such codes. Alternatively, use a physical key, connected to the separate device through USB-cable or NFC.
- Another security measure that needs to be taken – is a thorough review of the apps that have access to the twitter account. They can be found in twitter account settings. We recommend revoking access to your account from all of them, or the ones that you don’t consider thoroughly protected so that in case of their hack your account can’t be reached.
- Start using “Privacy Checker” to help make your social media profiles more private. It will make it harder for third parties to find highly personal information.