In the past few weeks, a number of high-profile social media accounts, predominantly of journalists, have been hacked by Turkish-speaking attackers. The takeovers represent an even more sinister turn in the world of account hijacking, demonstrating the iceberg below the surface when it comes to breaching accounts.
The attacks appear to have begun with the Indian Ambassador to the UN, whose Twitter account was breached on January 13th. The President of WEF’s account was breached the following day, and on January 16th, two ex-fox news hosts, Eric Bolling and Greta Van Susteren (Figure 1), both began posting similar content to the previous victims. Fox News’ Brit Hume was breached on the 19th, followed by controversial former Milwaukee sheriff David Clarke Jr on the 22nd and Fox News contributor Sara Carter. All the above accounts have since been reclaimed by their owners.
The campaign, however is ongoing, and the most recent victims include James Rosen, former Fox News correspondent; Clyde Haberman, former New York Times columnist, Fred Kemp, CEO of the Atlantic Council; and PragerU, a right-wing media outlet; Bill Kristol, editor of the Weekly Standard; and Rob Reiner, an actor, producer, director and activist. This list will likely grow, and we advise social network users to be on the alert for malicious DMs. Journalists and members of the media should be particularly wary, as this campaign appears to target that segment most aggressively.
The attackers spread pro-Turkey and pro-Pakistan propaganda and change the user’s background image and bio. The attackers claim to be a part of “the Turkish cyber army Ayyildiz Tim” or AYT. The attacks look incredibly similar to the huge wave of attacks that occured on March 15th, 2017, when hundreds of high-profile accounts were breached via a vulnerability in the 3rd party app TwitterCounter, and subsequently covered in pro-Turkey, anti-Dutch propaganda.
Figure 1: ex-Fox News host Eric Bolling’s account after being breached by Turkish hackers.
However, compared to the TwitterCounter breach last year, these attackers are getting much more personal: they exploited direct messages (DMs) to both handpick the next target in the campaign as well as dox their victims. The attackers brag about having access to the DMs, often posting screenshots of the private exchanges, and subsequently using those messages to send phishing links to their next target (Figure 2). As such, the attacks demonstrate how easy it is to pivot once you’re inside the end target’s social network — in both senses of the term. Connected users have deeper access to each other’s accounts, privileged DM capabilities and, more importantly, a pre-verified trusted relationship. Compared to another favorite attacker tactic, impersonation, hacking into an account has the obvious benefit that messages originating directly from a legitimate user, drastically increasing the believability of the attack.
Attackers accessed the DMs between the former Fox News hosts and the President of the United States. What presumably started with an attack on the Indian UN Ambassador then exploited a trusted relationship to spread itself as far as Donald Trump, whose account has over 40 million followers. This occurred in a matter of days, again demonstrating how easy it is for hackers once they have successfully breached a single target.
Figure 2: Fox News contributor Sara Carter’s compromised accounts send a phishing link to NBC reporter Ken Dilanian in an attempt to propagate the attack.
The attackers use DMs to spread the campaign by sending phishing links from one breached account to the next target account, socially engineering the victim with language like “please read this important news.” The link redirects to a fake Twitter login page (Figure 2). The source code of the page contains Turkish words, supporting the conclusion that the attackers are indeed affiliate with the Turkish cyber army.
Using DMs to spread malicious content is nothing new, and we have seen countless instances of hackers messaging the customers of a breached brand account with phishing links or malware exploits. This is often the worst-case scenario for a business as the success rate is very high, it decimates customer’s confidence in the security of the organization and it drastically reduces customer engagement.
The attackers also used screenshots of the victims DMs as a form of doxing, bragging that the DMs had been “captured” and posting screenshots of private conversations. In one case, we can see that Greta Van Susteren had previous exchanges with the President (Figure 3), indicating there may be more content not yet released by the attackers. When it comes to social media, digging up private information on a target can be achieved by breaching their connections, something that businesses and governments alike should keep in mind. Sensitive data or confidential information can be stolen from a high-profile target, like the President or the CFO of a Fortune 500 company, without ever touching their accounts. These DMs could contain compliance violations, PII or other controversial content that the users never intended to see the light of day. For the users who were actually breached, keep in mind that because the account’s own DMs are being posted publicly, the doxxing is sure to have the maximum possible effect.
Figure 3: Attackers posted this screenshot of Greta Van Susteren’s compromised account sending links to the President.
Account hijacking is an increasingly common method for attackers to target an organization. They only need to breach a single low-level employee to leverage the network effect and get to more desirable targets. Organizations should provide social media protection and training for all employees, from the summer intern to the CEO.
Once again, what should be abundantly clear after this security incident is that social media accounts are crucial assets for modern businesses, governments, influencers, news organizations and their talent and executives. People, especially news anchors, are extensions of their organizations, and what happens to them reflects on the organization at large. We have seen these methods target athletes accounts, CEOs, celebrity influencers, major brands and much more. Social has long moved out of the realm of personal use, and businesses rely heavily on social media to advertise, engage customers, grow their brand and earn revenue.
Social media exploitation goes far beyond cyber vandals brute forcing passwords; it spans breached third party applications, malicious social engineering accounts, impersonations of brands and people, spear phishing and targeted malware campaigns, data leakage, fraud, scams and much more. We recommend individuals regularly change their passwords, yes, but this is just a Band-Aid on a weakening dam. Forward thinking security and brand protection teams will look below the surface and recognize the full scope of the growing, dynamic risk vector at hand. Businesses and governments must protect both themselves and their employees, who as spokespeople, often represent the business online.
ZeroFox recommends all social media users keep an eye out for suspicious DMs. Always verify a message is genuine by contacting the sender on a different channel, ideally one that uses a different login or verification method in case multiple accounts are breached. Members of the media ought to be particularly vigilant around this campaign.
As part of our FoxThreats program, ZeroFox has built a platform that applies artificial intelligence-based rules and automatically alerts businesses and individuals to these kind of phishing URLs. ZeroFox customers have been protected from this specific attack since it first surfaced on January 17. To learn more about the ZeroFox Platform, visit our website.