Twitter hack highlights dangers of phone spear phishing
August 20th, 2020 by Sam Cobley
Last month Twitter revealed that hackers had used phone spear phishing attacks to target the accounts of 130 people including CEOs, celebrities, and politicians. The hackers successfully took control of 45 of those accounts and used them to send tweets promoting a basic bitcoin scam which reportedly netted them more than $120,000 (£90,000).
The attackers had called Twitter employees using false identities and tricked them into handing over credentials that gave them access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.
Phone spear phishing,” also sometimes known as “vishing,” for “voice phishing,” is a form of social engineering. It’s not a new practice, but until recently the attacks were concentrated on phone carriers, largely in the form of “SIM swap” attacks in which a hacker would convince a telecom employee to transfer a victim’s phone service to a SIM card in their possession. They would then use that phone number to intercept two-factor authentication codes, or as a starting point to reset the passwords to cryptocurrency exchange accounts.
The massive rise in remote working due to the COVID-19 pandemic has made phone-based social engineering far more powerful, and therefore businesses far more vulnerable to this type of attack than ever before.
How does it work?
A typical phone spear phishing works like this;
- Hackers scrape LinkedIn and corporate websites in conjunction with other data collection tools to build up a picture of the internal structure of an organisation. They use this knowledge to target predominantly new and inexperienced employees as they are easier to trick.
- The hackers then use a VoIP service to spoof their phone number. They attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their co-workers. In some cases, they’ll even ask the victim to check that they are who they say they are by looking them up in the company directory or collaboration software.
- When the victim seems convinced the scammer asks them to navigate to a fake login page, usually for a single sign-on portal like Duo or Okta—and enter their credentials.
- The hacker can see those details and enters them into the real login page at the same time. The real login page then prompts the victim to enter their two-factor authentication code. When the user enters the code into the fake site the hackers can also see it, and enter it into the real login page, allowing them to take over the account.
- The hackers’ fake login site, unlike the ones linked to in a phishing email, are normally created just for that one specific phone call. Once the hackers have stolen the victim’s credentials the site is taken down immediately. The vanishing website and the lack of email evidence makes this sort of phone-based engineering harder to detect than traditional phishing.
What can you do?
Some technologies, such as FIDO tokens and client certificates, can help defend against phone spear phishing, however the best protection is to ensure your staff are properly briefed. Make sure you explain the tactics that attackers will use to trick them and what a typical attack will look like. It’s also important to remind staff what your IT team will and won’t ask them for. If employees are ever unsure about the legitimacy of a call from IT, tell them to hang up and call the IT team back on the usual number.
