A vishing campaign could have been behind Twitter’s recent hack, which saw many high-profile accounts taken over by attackers.

In July, 130 Twitter accounts, including Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Kanye West and Kim Kardashian, were compromised and used to promote a Bitcoin scam.

Attackers used the accounts to send tweets asking for Twitter users to send Bitcoin to a cryptocurrency wallet, which would then be doubled. The inboxes and Twitter data belonging to some of the affected accounts was also accessed.

Twitter said that the breach was the result of “a small number of employees” being targeted through a phone spear phishing attack, with attackers able to obtain employee credentials.

Researchers from social media security company ZeroFOX believe it is “probable” that the recent Twitter breach was the result of a vishing campaign.

What is vishing?

Vishing, or voice phishing, refers to a type of attack in which victims receive fraudulent phone calls or voice messages from attackers claiming to be trusted companies. Scammers use this type of attack to extract personal details, financial information or passwords, or direct victims to malicious websites.

Vishing attacks have become easier to carry out due to voice over internet protocol (VoIP) technology, which allows scammers to make calls over the internet rather than using a phone line. Automated systems, which can now imitate speech with increasing accuracy, have also added to the problem.

How the attacks work

Researchers from the  ZeroFOX Alpha team have been monitoring a large-scale vishing campaign targeting financial institutions, cryptocurrency exchanges, telecommunication companies and single-sign-on (SSO) providers as well as public platforms such as social media, websites and code sharing sites, shedding some light on how the Twitter breach could have been carried out.

They found that attackers carry out large volumes of research on both organisations and individual employees in order to execute convincing social engineering attacks and also determine the types of tools and software the company uses.

They then call victims and direct them to a phishing site specifically designed with the individual’s company in mind, and often including the company’s SSO portal.These websites often have a TLS certificate, making them more convincing.

Once the victim logs into the site, and enters their two-factor authentication code, the attacker can then access internal tools and dashboards using these details. The researchers believe that attackers were able to infiltrate Twitter’s internal administrative panel and then take over the affected accounts.

In order to be better protected against this type of attack, ZeroFOX recommends organisations adopt “training and education, monitoring and pre-emptive blocking of problem domains, SSO auditing, and employing role-based access best practices for internal panels”.

The State of Technology This Week


Read more: Twitter results show 34% growth in users after “action-packed” few months.