Recently, a 17-year old hacker from Tampa, Florida was charged with multiple felonies.
The teen is the mastermind of the recent high-profile hack of Twitter.
The hack targeted high-profile Twitter accounts, including those of Apple, Elon Musk, Joe Biden, and Barack Obama.
It worked like this…
All the hacked accounts posted messages promoting a Bitcoin wallet.
Along with the wallet, each included a Twitter post claiming “All Bitcoin sent to the address below will be sent back doubled!”
As hard as it is to believe, people fell for the ruse…
And the teen allegedly made more than $100,000 from the cryptocurrency scam.
Now the hacker faces one count of organized fraud (over $50,000) and 17 counts of communications fraud (over $300).
So, how did a teen pull off a hack on one of the largest, most popular social media sites?
In the end, the hacker used Twitter’s own internal administrative tool to access the accounts.
First, the hacker targeted a small number of Twitter employees.
These employees were contacted through a phone phishing attack, also known as “vishing” or “voice phishing.”
The successful vishing attack yielded employee credentials, giving access to Twitter’s internal network and internal support tools.
Using these internal tools, the hackers targeted 130 Twitter accounts, sending the dubious “tweets” from 45 of the accounts.
Here’s why this is important…
Recently, the FBI warned the private sector of “voice phishing” campaigns.
And in the last month, dozens of companies have been targeted through vishing.
Cybercriminals are calling corporate employees to get them to hand over login credentials.
In some cases, the hackers pose as members of the victim company’s IT help desk.
The attackers appear to be young and English-speaking.
Next, they use what they already know about the employee to gain their trust and steal their information.
The FBI advisory says they are not only calling their victims…
The hackers are also setting up mock virtual private network login pages.
They’re exploiting the fact that people continue to work from home because of the coronavirus.
And with so many people working from home, cyberattacks will only increase.
So, with that being said, here are some steps to help keep you safe from these latest vishing scams.
Misspellings.
If you receive an e-mail or phone call from work telling you to use a new website, be sure to verify it first.
Take a second look at the new website.
Make sure the spelling seems correct and matches your company information.
For instance, did the e-mail come from the correct @name.com domain address?
Double-check all web links and domains before you ever think of clicking them.
To be on the safe side, pick up the phone and ask your boss or another co-worker if the information is legitimate.
Bookmark websites.
Whether you are at home or in the office, use the bookmark feature provided by your internet browser.
Bookmark your corporate VPN URL and do not visit alternative URLs, even if someone calls and tells you to do so.
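The two tips above (check the spelling of a domain, and only trust your bookmarked VPN address) can be turned into a small link-checking routine. The following Python is an added example, not code from the article or from the FBI advisory; the trusted domain names are constructed placeholders for a company's real ones. It flags the classic tricks a mock VPN login page relies on: a one- or two-character typo in the domain, the real domain buried inside a longer attacker-controlled host, and a user-info `@` trick in the URL.

```python
from urllib.parse import urlparse

# Constructed allowlist for illustration (hypothetical company names, not from the article).
TRUSTED_DOMAINS = {"example-corp.com", "vpn.example-corp.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host (sufficient for .com-style domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'example-c0rp.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown' against the allowlist."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    # "https://vpn.example-corp.com@evil.net/" really goes to evil.net.
    if "@" in parsed.netloc:
        return "lookalike"
    host = (parsed.hostname or "").lower()
    if host in trusted or registrable_domain(host) in trusted:
        return "trusted"
    reg = registrable_domain(host)
    for t in trusted:
        tr = registrable_domain(t)
        # Real domain embedded in a longer host, e.g. vpn.example-corp.com.evil.net
        if tr in host and not host.endswith(tr):
            return "lookalike"
        # One or two characters off from the real registrable domain
        if edit_distance(reg, tr) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://vpn.example-corp.com/login",
                 "https://vpn.example-corp.com.evil.net/login",
                 "https://exarnple-corp.com/vpn"):
        print(link, "->", check_url(link))
```

Anything that comes back as "lookalike" or "unknown" is exactly the case where you stop, use your bookmark instead, and report the link to your supervisor.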
Unsolicited calls.
Be suspicious of unsolicited phone calls or email messages, especially from unknown individuals claiming to be from a legitimate organization.
The key to a vishing scam is that the attacker calls an employee hoping to obtain login credentials or company information.
So, if someone calls claiming to be from your IT department and asks you to change your login process, confirm it with your supervisor first.
You should also try to verify the caller’s identity directly with the company.
Never provide information about the company structure or networks to an unknown, unverified person.
And do not provide personal information about yourself.
If you believe you’ve received a vishing call, document the caller’s phone number and the domain they tried to send you to.
Relay this information to your supervisor.
Use these tips to keep yourself from being victimized by this latest round of scams.