Account hacking can happen to anyone. While we often associate it with friends and relatives who click on any link and accept any friend request they come across, account takeover tactics have become increasingly sophisticated, affecting even the most security- and social-media-savvy users. Corporate and executive accounts are top targets for these attacks because they serve as a gateway for further attacks (phishing followers, spreading malicious links), a way for the attackers to brag about their capabilities, or a commodity to sell on underground forums. Security teams should therefore treat these accounts as assets within their larger asset inventory and security program. Want proof that account hacking can happen to anyone? Case in point: on August 30, 2019, Jack Dorsey, the CEO of Twitter, had his own Twitter account hacked.
Twitter Account Takeover: What Happened
In an attack that lasted only a few minutes, the hackers sent dozens of threatening and offensive tweets to @jack's more than 4 million followers. The attack was conducted by the cyberactor group ChucklingSquad, which had been on an account takeover streak for the two weeks leading up to the @jack hack. Other affected accounts included those of the influencers Amanda Cerny, Etika and Shane Dawson.
So how did this group gain control of arguably the most important account on Twitter? Through Dorsey's phone number, via a SIM swap attack. The actors contacted Dorsey's mobile provider and convinced it to move his phone number to a SIM card in a phone they controlled. Note that the attackers never touched Dorsey's device or his Twitter password: once the carrier ported the number, any SMS sent to it was delivered to the attackers' phone, and any SMS sent from it appeared to come from Dorsey. Twitter's text-to-tweet feature let the group post tweets on @jack's behalf simply by sending text messages from that number. More generally, whoever controls a phone number controls every SMS-based password reset and SMS one-time code tied to it, so SIM swappers can reset passwords, take over accounts and, as in this case, post as the victim.
How to Protect Accounts from Takeover
When a social media account is hacked, the account owner is often left unsure what actions to take to regain access and prevent future attacks. Account hacking of executive or corporate-owned accounts represents a real risk to organizations, from both a reputation and a security standpoint. Security teams should recognize this risk and include social media accounts in their asset inventory. A combination of precautionary security tactics and a solution like ZeroFOX creates a robust account protection solution.
- Set up two-factor authentication for all social media accounts, both personal and corporate, and deliver the second factor through an authenticator app or a hardware key rather than SMS. This incident shows the risk of relying on SMS two-factor authentication, which is defeated by a SIM swap: the attacker who controls the number receives the codes. On Twitter specifically, also review whether a phone number is still attached to the account at all, since the text-to-tweet path used here needs no password and no second factor.
- If two-factor authentication fails (or is bypassed as it was here), use a technology like ZeroFOX to detect unauthorized posts. Detection can key on several signals:
  - Application monitoring: the client that posted the tweet. Cloudhopper, Twitter's SMS gateway, should never be an authorized source for a protected account, so any post attributed to it is a takeover indicator.
  - Self-post detection: language that the protected organization or account owner would not use, or a post containing an unauthorized link.
  - Account information change: a change to the bio, profile picture or banner picture.
- Use a "lockdown" technology to minimize impact.
  - When any of the detections above fires, enter a lockdown mode that automatically removes posts made from that point on and freezes the account to prevent further damage.
  - With ZeroFOX, you can issue an automatic delete or alert if unauthorized or offensive content is posted by owned accounts.
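The following is an added example of the detection-and-lockdown logic described in the list above, written for this page and not ZeroFOX code. It runs three rules (posting client, link domain, denylisted language) plus a profile-change rule over a small constructed event feed and emits remediation actions; the allow/deny lists, the event schema, the `Post` and `ProfileChange` types, and the action vocabulary (`alert`, `delete`, `revert`, `freeze`) are all assumptions. The `source` field mirrors the client name the platform attaches to each post, which is how "Cloudhopper" becomes visible.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple, Union
from urllib.parse import urlparse

# --- Policy for the protected account (constructed assumptions) --------------
ALLOWED_SOURCES = {"Twitter Web App", "Twitter for iPhone", "Sprout Social"}
# Twitter's SMS gateway is reported as "Cloudhopper" in a post's source field.
# A protected account should never post from it: SMS is the SIM-swap channel.
DENIED_SOURCES = {"Cloudhopper"}
ALLOWED_LINK_DOMAINS = {"example.com"}   # subdomains of these are accepted too
DENYLIST_TERMS = {"bomb"}                # stand-in for a real offensive-language list


@dataclass
class Post:
    post_id: str
    text: str
    source: str                          # client name reported by the platform
    urls: List[str] = field(default_factory=list)


@dataclass
class ProfileChange:
    field_name: str                      # "bio", "profile_image", "banner"
    old: str
    new: str


Event = Union[Post, ProfileChange]
Action = Tuple[str, str, str]            # (action, target, reason)


def link_allowed(url: str) -> bool:
    """Exact or subdomain match only; 'example.com.evil.net' is rejected."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS)


def post_findings(post: Post) -> List[str]:
    """Application monitoring, unauthorized-link and language rules for one post."""
    findings: List[str] = []
    if post.source in DENIED_SOURCES or post.source not in ALLOWED_SOURCES:
        findings.append(f"unauthorized source '{post.source}'")
    findings += [f"unauthorized link {u}" for u in post.urls if not link_allowed(u)]
    words = set(re.findall(r"[a-z']+", post.text.lower()))
    hits = words & DENYLIST_TERMS
    if hits:
        findings.append("denylisted language: " + ", ".join(sorted(hits)))
    return findings


class AccountMonitor:
    """Turns events into remediation actions. Calling the platform API with
    pre-authorized credentials to execute them is out of scope here."""

    def __init__(self, account: str):
        self.account = account
        self.locked = False
        self.actions: List[Action] = []

    def _lockdown(self, reason: str) -> None:
        if not self.locked:                 # freeze once, on the first trigger
            self.locked = True
            self.actions.append(("freeze", self.account, reason))

    def handle(self, event: Event) -> List[Action]:
        start = len(self.actions)
        if isinstance(event, Post):
            findings = post_findings(event)
            if findings:
                reason = "; ".join(findings)
                self.actions.append(("alert", event.post_id, reason))
                self.actions.append(("delete", event.post_id, reason))
                self._lockdown(f"triggered by post {event.post_id}")
            elif self.locked:               # lockdown: remove everything that follows
                self.actions.append(("delete", event.post_id, "account in lockdown"))
        else:
            reason = f"{event.field_name} changed {event.old!r} -> {event.new!r}"
            self.actions.append(("alert", event.field_name, reason))
            self.actions.append(("revert", event.field_name, reason))
            self._lockdown(reason)
        return self.actions[start:]

    def run(self, events) -> List[Action]:
        for e in events:
            self.handle(e)
        return self.actions


# Constructed event feed: one legitimate post, then a takeover via SMS.
SAMPLE_EVENTS: List[Event] = [
    Post("1", "Excited about our Q3 product update: https://blog.example.com/q3",
         "Twitter Web App", ["https://blog.example.com/q3"]),
    Post("2", "there is a bomb at the office lol", "Cloudhopper"),
    Post("3", "join us at https://invite.example.net/x", "Cloudhopper",
         ["https://invite.example.net/x"]),
    ProfileChange("bio", "CEO of Example Corp", "owned"),
    Post("4", "all clear, back to normal", "Twitter Web App"),
]

if __name__ == "__main__":
    for action in AccountMonitor("@example").run(SAMPLE_EVENTS):
        print(action)
```

Post 2 fires on two rules at once (SMS source and denylisted language) and puts the account into lockdown; from then on even a clean-looking post such as post 4 is deleted, which is the intended behaviour during an active takeover since the attacker can keep posting until the phone number is recovered.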
Timeline: Incident response for Digital Risk Protection
Within minutes of the hack, Alpha Team was engaged in helping customers achieve protection and remediation from this specific style of attack. The team pushed new indicators of compromise into our Foxscript rule engine for our Account Protection customers, and they were deployed in less than 45 minutes. The team also provided customer communication on how to enable account protection in the platform, and how to set up remediation of posts if their accounts were posting through the "Cloudhopper" app without authorization. Our 24/7 SOC operations team was briefed on the incident and already had escalation mechanisms in place to respond quickly and efficiently to any potential account takeover attacks against our customers.
Lastly, Alpha Team set up Foxscript rules for monitoring the actors across our many data sources. They produced a report the following morning to inform customers of the risk and impact of this attack, with recommendations on how current customers could adjust their security posture. The full report was made available immediately to current customers and partners, and we are now releasing it to the general public.
See the full report
For more information on the Twitter account takeover, see the full ZeroFOX Alpha Team report in the ZeroFOX Platform and publicly here.
Account takeover affects corporations, high-profile figures and everyday individuals. Make sure you have a plan in place to protect accounts and to limit the damage when a takeover does occur.