Who's Behind Wednesday's Epic Twitter Hack? (krebsonsecurity.com)
Brian Krebs has written a blog post with clues about who may have been behind yesterday's Twitter hack, which had some of the world's most recognizable public figures tweeting out links to bitcoin scams. An anonymous reader shares an excerpt from the report (though we strongly recommend you read the full analysis here): There are strong indications that this attack was perpetrated by individuals who've traditionally specialized in hijacking social media accounts via "SIM swapping," an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target's account. In the days leading up to Wednesday's attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers -- a forum dedicated to account hijacking -- a user named "Chaewon" advertised they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece. "This is NOT a method, you will be given a full refund if for any reason you aren't given the email/@, however if it is revered/suspended I will not be held accountable," Chaewon wrote in their sales thread, which was titled "Pulling email for any Twitter/Taking Requests."
Hours before any of the Twitter accounts for cryptocurrency platforms or public figures began blasting out bitcoin scams on Wednesday, the attackers appear to have focused their attention on hijacking a handful of OG accounts, including "@6." That Twitter account was formerly owned by Adrian Lamo -- the now-deceased "homeless hacker" perhaps best known for breaking into the New York Times's network and for reporting Chelsea Manning's theft of classified documents. @6 is now controlled by Lamo's longtime friend, a security researcher and phone phreaker who asked to be identified in this story only by his Twitter nickname, "Lucky225." [...] But around the same time @6 was hijacked, another OG account -- @B -- was swiped. Someone then began tweeting out pictures of Twitter's internal tools panel showing the @B account. Another Twitter account -- @shinji -- also was tweeting out screenshots of Twitter's internal tools. Minutes before Twitter terminated the @shinji account, it was seen publishing a tweet saying "follow @6," referring to the account hijacked from Lucky225.
Cached copies of @Shinji's tweets prior to Wednesday's attack on Twitter are available here and here from the Internet Archive. Those caches show Shinji claims ownership of two OG accounts on Instagram -- "j0e" and "dead." KrebsOnSecurity heard from a source who works in security at one of the largest U.S.-based mobile carriers, who said the "j0e" and "dead" Instagram accounts are tied to a notorious SIM swapper who goes by the nickname "PlugWalkJoe." Investigators have been tracking PlugWalkJoe because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists. Now look at the profile image in the other Archive.org index of the @shinji Twitter account (pictured below). It is the same image as the one included in the @Shinji screenshot above from Wednesday in which Joseph/@Shinji was tweeting out pictures of Twitter's internal tools.
This individual, the source said, was a key participant in a group of SIM swappers that adopted the nickname "ChucklingSquad," and was thought to be behind the hijacking of Twitter CEO Jack Dorsey's Twitter account last year. The mobile industry security source told KrebsOnSecurity that PlugWalkJoe in real life is a 21-year-old from Liverpool, U.K. named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic. [...] If PlugWalkJoe was in fact pivotal to this Twitter compromise, it's perhaps fitting that he was identified in part via social engineering.
Re:Backdoor (Score:5, Funny)
Didn't quite make it through the summary, did you?
Re: (Score:3)
the summary doesn't provide much to be honest.
I find it far more likely they were just paying some customer service dude for access to change the emails for the accounts than that anything was hacked straight up.
look, it's the same idea as a sim-cloning so the same dudes might be involved, only you don't need to con the customer service rep, you just pay straight up money to the dude.
the real shitstorm part for twitter is that they had no separate system that would disallow anyone from changing email addres
Re: (Score:2)
Take away the fools' fake money, too. (Score:2)
Please don't feed the trolls by propagating BS FP Subjects. (Plus I'm now wondering if there is any connection between vicious and destructive trolls and the recent malaise of Slashdot.) Now on to the actual story:
(1) People are easily fooled. The root of the problem remains same as it ever was. Quite serendipitously, I just read Cyberpunk and we've learned nothing about solving social engineering problems. If anything, the problems are worse in this New Normal Age of YUGE Liars. (How can anyone still be
Re: (Score:2)
Whoops, the parenthetic note for (1) should have included my bad joke of the day: "Give me liberty from face masks or give my granny death by Covid-19!"
Re: (Score:1)
It wasn't just that grandparent murderer Cuomo in NY who did this shit.
The curve was flat 2 months ago. Mortality rate keeps plummeting as more asymptomatic cases are found.... but you keep panicking, and cheer-leading against th
Public masturbation of 622952 (Score:2)
Z^-1
Re: (Score:3)
"The Admin Did It", or "Somebody Talked The Admin Into It", just feel like some shaggy dog, simple explanation solution that gets puked up when they really don't want to say what happened.
Companies train their admins and would have to have backup in place or this kinda stuff would be happening all the time
If I'm reading this right... (Score:4, Interesting)
It was cowboy neil (Score:1)
Krebs (Score:2)
Twitter? What about SlashDot? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Probably just a disk failure or something. Haven't noticed any more spam than usual or attacks on my other accounts.
My first thought was back to that time when comment IDs overflowed but then I had a vague memory of something like this happening during the Dice era.
Re: (Score:2)
If you're right, then slashdot is 100% automated, and more than likely some bloke at the data center that hosts the hardware is the only human involved.
Re: (Score:2)
No way. They've been making changes lately. I noticed because the long-ass delay after hitting submit came back without me making any config changes on my end. They made some change, didn't do [adequate] testing, and the site blew up.
Re: (Score:2)
I've noticed the delay after posting as well. I thought maybe it was an ad auction or something because the page half loads and then stops. Who knows.
Re: (Score:2)
Well, it did stop working right as the thread IDs hit the 24-bit limit, so it could certainly be another overflow issue.
Re: (Score:2)
The CIA (Score:3)
This is a test. This is only a test. If this had been an actual emergency the FBI would have left a message here.
I know who it was (Score:3)
Re: (Score:2)
It does seem rather amateurish. Given the immense power they had the best they could think of doing was stealing some Bitcoins. Apparently they made around $100k but of course now have to try to launder it.
Re: (Score:2)
To me seems like the bitcoin scam was just a smokescreen.
Re: I know who it was (Score:2)
Nah. It's the best we are made aware of. Who knows how many DM's or other interesting stuff they got their hands on.
Btw, anyone notice Twitter uses Blacklist instead of Blocklist?
Re: (Score:2)
Re: (Score:1)
Nah. It's the best we are made aware of. Who knows how many DM's or other interesting stuff they got their hands on.
The "Trends Blacklist" item on the Admin panel screenshot is interesting, since Jack claimed in front of Congress that the Trends are determined by algorithm and the company doesn't manipulate them.
Re: (Score:2)
It is Twitter! No actual human cares! (Score:3)
Much of the mass media ... for some reason ... cares.
Twitter is a PR platform. You can tell actual news sources from fake news PR proxy clickbait gonzo newstrash by the latter mentioning Twitter.
Re: (Score:2)
yes, "blah blah blah bitcoin" always makes the media wonks sit up and drool.
It's a shame really, the hackers could have posted Jack announcing his full support for Trump in the upcoming elections and then you'd have seen a meltdown. Jack saying "buy bitcoin", pathetic really when they could have hidden the other accounts pumping the bitcoin behind a full media focus on outrage.
Re: (Score:2)
You can tell actual news sources from fake news PR proxy clickbait gonzo newstrash by the latter mentioning Twitter.
That may be, but it has now long been commonplace for the MSM to report on shit being said on Twitter. Major news outlets report on Twitter feuds between celebrities, for example. As if we didn't already have enough signs of the MSM's impending doom, being reduced to reporting on Twitter is the seventh.
Infirmative (Score:1)
Re: (Score:2)
Epic? (Score:1)
I'd reserve that word for things more important than that blue-check circlejerk site,
Want to know the really scary side of this? (Score:2)
Imagine if the tweet posted on Elon Musk's account had not been about twitter, but a serious update on a flaw in Tesla vehicles?
A message along the lines of a serious flaw that could lead to an explosion.
Sure, you could easily find out whether this was true, just by a cursory search - but how many people, these days, bother to do this?
Worse still, the POTUS account is hacked and a message that causes a serious international incident is posted. Yeah, the current guy in charge is capable of doing this himself,
Re: (Score:2)
* not been about bitcoin
Re: (Score:2)
Which makes it all the more funny, because given what could happen, it was used to make a rather pathetic amount of money - only about $100K.
Given what was involved, the hack itself was worth far more for those reasons - stock manipulation, international relations, etc. Hell, just being able to take over any Twitter account is probably worth more than $100K.
Oh well, all it really does is implant the idea that Bitcoins and other things are just used for scamming people. All people hear are "bitcoin" and "sca
Re: Want to know the really scary side of this? (Score:2)
It has "mining" at its core. Making it by definition not legitimate.
No, you wasting electricity on literally pointless and useless calculations is not work and is not worth my work, so no, you cannot ever pay me with Bitcoin.
Choose a sane cryptocurrency.
- It must work completely offline. No necessity to go online later or ever. It must be as private as handing over cash/goods in a back room.
- It must hold actual worth. Only actual work, by a person, verifiable by anyone (like in science), qualifies. Nothing
Re: (Score:2)
just being able to take over any Twitter account is probably worth more than $100K
Then why is the market rate as quoted in the summary around $2500?
Re: (Score:2)
Which makes it all the more funny, because given what could happen, it was used to make a rather pathetic amount of money - only about $100K.
Given what was involved, the hack itself was worth far more for those reasons - stock manipulation, international relations, etc. Hell, just being able to take over any Twitter account is probably worth more than $100K.
You're still considering only the small gains. They compromised ALL the blue star accounts - they threw up the red herring of a BTC scam on the high profile ones, but blue star accounts are used by journalists to literally make up news in DMs, to talk to sources, to plot stories alongside politicians, etc. What this was was a leak of the messages driving the literal fake news, now no doubt held by China for the sake of controlling people in the US or outright kickstarting a civil war by dumping all the ma
Re: (Score:2)
Re: (Score:2)
If the hackers actually wanted that information, they wouldn't have posted it for a crappy bitcoin scam that alerted everyone to the problem. If they were smart, they'd use that access to actually harvest all that information over a period of a few days and then hold it for ransom at which point it's worth way more than $100K.
They got that information the moment they downloaded it, they didn't need to keep the backdoor to keep the logs of it and know what to go after next.
They would get in, grab all the data, and get out without making it obvious anything happened. This way the hole stays available to gather updates. Meanwhile, you can slowly use that information and make it such that no one knows where all that Twitter data came from.
Why? Damning blackmail is damning blackmail, once you have enough more doesn't do anything.
If it was done for the lulz, there's no banner stating it.
That's literally why they publicly stated that it was an insider and gloated about the haul in btc.
Re: (Score:2)
If you're getting your info from Twitter, and believe it without verification, this is literally the core problem... not what some hacked account might post on it.
Re: (Score:2)
Re: (Score:2)
Bitcoin fraud is basically a "victimless crime". The authorities aren't nearly as bothered by that as by something that affected corporate America and the 1% shareholders. The fraudsters were smart enough to at least not take money from those that would come looking.
Re: (Score:2)
It should be called anti-social engineering though (Score:2)
Or, even better fitting: Social abuse / mental abuse.
it was not trump personally (Score:1)
blacklists (Score:2)
So we can see that they do have blacklists for trending and searches.
Who's Behind It... ? (Score:2)
Who cares. And nothing of value was lost.
Hell, in that case I'd figure out how to start a Go Fund Me to thank them!
Re: (Score:2)
> Who cares. And nothing of value was lost ... even if they got all accounts or managed to erase the system.
You can pretend that Twitter isn't where the multinational conversation is happening, or even assign zero value to it, but something like 10% of the world population disagrees with you. That's why this is news.
Re: (Score:2)
Misdirection (Score:2)
The trove of DM's is worth FAR more than $300K in BTC.
That address could belong to an orphanage in a poor country for all we know.
A sophisticated attacker could have orchestrated a short sell of so many accounts' companies, making billions potentially, and they didn't.
This was either some dummies or an intruder with more value to gain than just a billion in options spread.
Assuming the latter, throwing a lazy BTC firecracker on the way out the door seems to have been effective in misdirecting most spectators.
Re: (Score:1)
Re: (Score:2)
This time it was a bitcoin scam, next time it will be the feed that publishes election results.
If you're getting your election results from Twitter...I think we found the problem already, and it's not Twitter...
Obviously China (Score:2)
WHO Behind Wednesday's Epic Twitter Hack (Score:2)
WHO Behind Wednesday's Epic Twitter Hack
ftfy
Deja vu (Score:2)
Poetic justice (Score:2)
Twitter, the thug's playground, seems to have just canceled itself.
Who's Behind Wednesday's Epic Twitter Hack? (Score:1)
Possibly the people who inserted the backdoor for our own spooks?