by Jitendra JOSHI and Erwan LUCAS in Paris
The hack at Twitter raises serious questions about in-house security at Donald Trump’s favourite social media platform but, experts say, also threatens malign consequences for the integrity of November’s US presidential election.
Here is what we know so far after hackers took over the Twitter accounts of an array of political and business leaders — including Democratic White House candidate Joe Biden — apparently as part of a bitcoin scam:
– What happened? –
Twitter says it is still investigating but believes it fell victim to “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.
“Social engineering” describes fraudsters trying to manipulate their targets into divulging confidential information. Twitter’s admission means that even IT-savvy staff at one of the world’s best known internet companies are not immune.
Citing web screenshots and two anonymous sources apparently behind the hack, Vice reported that a Twitter insider was responsible. One of the sources told the media group they had paid the employee.
“That (Vice report) is deeply troubling as these platforms have such influence,” said professor Alan Woodward, of the Centre for Cyber Security at the University of Surrey in Britain.
“It maybe suggests that no one person should be able to use these internal tools: it’s more difficult to bribe four eyes than two,” he told AFP.
– What’s the impact been? –
Limited, thus far. Twitter reacted quickly to deactivate the targeted accounts, delete the hoax messages and stop their onward transmission.
The fake posts said people had 30 minutes to send $1,000 in bitcoin to receive twice as much in return.
A total of 12.58 bitcoin — worth almost $116,000 — were sent to email addresses mentioned in the fraudulent tweets, according to Blockchain.com.
Gerome Billois, Paris-based cybersecurity expert for the consultancy Wavestone, said early indications were that “at least one person has in recent days been trying to hawk access to individuals’ certified accounts on the dark web, without success”.
“It seems therefore that they decided to exploit the accounts themselves to try to make a quick buck,” he said.
– What about longer term? –
That is what worries the experts more. If hackers could take over top-ranking accounts for small personal gain, they could also strive to subvert democracy itself.
“We should worry. It seems the hacking at Twitter was in-house,” commented Professor Anthony Glees, security and intelligence expert at the University of Buckingham.
“But if I were in Russian or Chinese or Iranian intelligence, I would be thinking about getting hold of somebody who works at the business to hire them,” he said.
Even if internet companies respond swiftly, as Twitter appears to have done, hacked messages can do serious financial damage to victims in a short space of time.
“But politically, a fake or hacked tweet at a critical time could have a huge impact. Someone getting in there at the right time with the right kind of misinformation could absolutely sway the (November) election,” Glees told AFP.
– How can we protect ourselves? –
The normal rules of good online housekeeping still apply: be wary of fake web links or “phishing” messages designed to extract financial data, create strong passwords, use two-factor authentication to log in wherever possible.
The trouble is, none of that helps when a company’s own internal systems are penetrated, as happened with Twitter. So plain common sense was the best protection against the bitcoin hackers hawking a get-rich-quick scheme.
They used easy-to-spot “pressure tactics — by stating the deal would be open only for the next 30 minutes — and honeypot tactics to appeal to the desires of users, the potential for financial gain,” said Vic Harkness, associate consultant at F-Secure.
“Potentially they could have made much more money by manipulating the prices of stocks, or could have pushed a political agenda,” she said.