Twitter recently experienced one of its most notable breaches. On July 15, an unauthorized party entered its backend infrastructure and gained access to 130 accounts belonging to high-profile individuals such as Barack Obama, Kanye West, Bill Gates and Elon Musk. The attackers stole more than $100,000 by tweeting out Bitcoin phishing scams and snatched data from some of the handles.
Barack Obama’s Twitter handle tweeting out a Bitcoin scam as part of the Twitter breach from July 15, 2020
So how did this happen? Twitter acknowledged that this was a result of a phone spear phishing attack affecting an unknown number of its employees through which the attackers gained access to the company’s infrastructure. A phone spearing attack is a form of phishing that targets specific individuals on smartphones using social engineering tricks to lure the victims into giving up sensitive information.
Unfortunately, it sometimes takes high profile breaches such as this one for the world to pay attention to an issue. But what you should take away from the incident is that phishing attacks targeting tablets and smartphones are not the same as the traditional email-based scams. Mobile phishing is much more widespread and dangerous.
Why target employees through their phones?
There are a number of actors that make phones and tablets lucrative for attackers. For one, employees can easily access corporate data from their mobile devices. Especially as all of us continue to work away from the office, these devices provide us the flexibility to stay productive while juggling responsibilities at home. So it is in the best interest of employers to make sure its data is accessible. The challenge is that this makes mobile devices a potential point of entry for attackers into your organization's data.
The other factor is that each of us trust our phones and tablets a lot, and it’s much more difficult to distinguish between real messages and phishing scams. My smartphone, for example, is something I carry around with me all the time. It’s the device I communicate with my family, friends and colleagues. So naturally I would interact with it with confidence. The problem is that, due to its smaller screen and simplified user experience, mobile devices make it much harder to tell whether a message from say SMS, WhatsApp or Twitter is legitimate. Unlike looking at email messages on a desktop computer, you can’t always see the sender’s address or the full link prior to clicking.
In the case of Twitter, it’s likely that the attackers chose to target phones because of those reasons. In addition, an employee at a tech company is likely to do everything on their smartphone.
The phone spear phishing attacks were successful, and the cybercriminal were able to move laterally and gain access to Twitter’s account management infrastructure. Once the attackers had privileged access, they were able to manipulate the various Twitter accounts.
Why is this a big deal?
Phishing attacks have evolved as smartphones and tablets become an integral part of every employee’s personal and professional lives. This is not going to change any time soon, especially as all of us continue to work from home. As I’ve written about in the past, mobile phishing spiked by nearly 40 percent in the first three months of 2020 when everyone started working from home. It’s very likely that this will continue because cyber criminals know these attacks are effective.
At the time of publishing this blog, we still don’t have all the details from Twitter. That being said, this should be a wakeup call to organizations that they need to put mobile devices at the center of their overall security strategy. Your employees’ phones and tablets have as much access to your data as a laptop or desktop does because they need to stay productive. So it is critical to ensure your organization uses mobile endpoint security to protect against these attacks.
Take advantage of these resources to learn more about how you can protect your organization from mobile phishing attacks. In case you are paranoid about being phished, the full link is https://www.lookout.com/phishing.