Security News > 2020 > July > Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack
Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users' timelines polluted with a Bitcoin scam.
"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack," says a July 30 update to Twitter's incident report.
"A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools," Twitter's security folk explain.
"Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes."
Twitter has not explained what it means by "Phone spear phishing." SMS is a known phishing vector, and a link sent as a text that induced Twitter staff to use their credentials is not hard to imagine.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/31/twitter_spear_phishing/
Related news
- Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- GenAI makes phishing attacks more believable and cost-effective (source)
- CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force (source)
- Inside the incident: Uncovering an advanced phishing attack (source)
- Ongoing phishing attack abuses Google Calendar to bypass spam filters (source)