July 30, 2020

Twitter Phone Spear Phishing Attack

Lookout Recommendation for Admins

Lookout Phishing and Content Protection inspects any URL requests, including corporate and personal email, SMS, messaging apps, and Apps containing URLs that download malicious plug-ins. Lookout dynamically blocks URL requests for websites identified by Lookout as malicious and phishing.

Lookout admins can force activation of Phishing & Content Protection by not allowing employees to access corporate apps and data without having it turned on.


On July 15th, 2020, Twitter experienced a security incident where a malicious actor gained access to the back-end account management console through a phone spear phishing campaign. The incident affected the accounts of 130 highly influential individuals, including Barack Obama, Bill Gates, Elon Musk and Kanye West. The attacker then tweeted a link to a Bitcoin wallet address promising to send $2,000 back to anyone that sent them $1,000.

Phone spear phishing is a form of phishing that targets individuals on smartphones using social engineering to lure them to tap on a phishing link. Successful phone spear phishing attacks typically use social engineering through mobile apps like Twitter, Facebook, WhatsApp rather than email. These campaigns exploit human vulnerabilities and smaller screens on smartphones to bypass legacy security tools.

How Does it Work?

What’s important to understand is that the Twitter employees that were originally targeted weren’t necessarily the ones with administrative access. This means the attacker moved laterally and gained access to privileged credentials.

Twitter’s report states the “[attackers] used their [employees’] credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.” Seeing that this was a two-step process shows that this was a sophisticated attack with a very specific plan of action.

This attack adds to the increasing trend of phishing campaigns targeting mobile. Malicious actors leverage mobile because it’s more difficult to spot a phishing attempt on a mobile phone due to the smaller screen, the inability to see the full URL in the mobile browser, and lack of awareness on how to safely preview where a link is sending you before you tap it.



Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Threat Type
Entry Type
Threat Guidances
Platform(s) Affected
Threat Guidances

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.