Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Social Networks Twitter

Who's Behind Wednesday's Epic Twitter Hack? (krebsonsecurity.com) 75

Brian Krebs has written a blog post with clues about who may have been behind yesterday's Twitter hack, which had some of the world's most recognizable public figures tweeting out links to bitcoin scams. An anonymous reader shares an excerpt from the report (though we strongly recommend you read the full analysis here): There are strong indications that this attack was perpetrated by individuals who've traditionally specialized in hijacking social media accounts via "SIM swapping," an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target's account. In the days leading up to Wednesday's attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers -- a forum dedicated to account hijacking -- a user named "Chaewon" advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece. "This is NOT a method, you will be given a full refund if for any reason you aren't given the email/@, however if it is revered/suspended I will not be held accountable," Chaewon wrote in their sales thread, which was titled "Pulling email for any Twitter/Taking Requests."

Hours before any of the Twitter accounts for cryptocurrency platforms or public figures began blasting out bitcoin scams on Wednesday, the attackers appear to have focused their attention on hijacking a handful of OG accounts, including "@6." That Twitter account was formerly owned by Adrian Lamo -- the now-deceased "homeless hacker" perhaps best known for breaking into the New York Times's network and for reporting Chelsea Manning's theft of classified documents. @6 is now controlled by Lamo's longtime friend, a security researcher and phone phreaker who asked to be identified in this story only by his Twitter nickname, "Lucky225."[...] But around the same time @6 was hijacked, another OG account -- @B -- was swiped. Someone then began tweeting out pictures of Twitter's internal tools panel showing the @B account. Another Twitter account -- @shinji -- also was tweeting out screenshots of Twitter's internal tools. Minutes before Twitter terminated the @shinji account, it was seen publishing a tweet saying "follow @6," referring to the account hijacked from Lucky225.

Cached copies of @Shinji's tweets prior to Wednesday's attack on Twitter are available here and here from the Internet Archive. Those caches show Shinji claims ownership of two OG accounts on Instagram -- "j0e" and "dead." KrebsOnSecurity heard from a source who works in security at one of the largest U.S.-based mobile carriers, who said the "j0e" and "dead" Instagram accounts are tied to a notorious SIM swapper who goes by the nickname "PlugWalkJoe." Investigators have been tracking PlugWalkJoe because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists. Now look at the profile image in the other Archive.org index of the @shinji Twitter account (pictured below). It is the same image as the one included in the @Shinji screenshot above from Wednesday in which Joseph/@Shinji was tweeting out pictures of Twitter's internal tools.

This individual, the source said, was a key participant in a group of SIM swappers that adopted the nickname "ChucklingSquad," and was thought to be behind the hijacking of Twitter CEO Jack Dorsey's Twitter account last year. The mobile industry security source told KrebsOnSecurity that PlugWalkJoe in real life is a 21-year-old from Liverpool, U.K. named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic. [...] If PlugWalkJoe was in fact pivotal to this Twitter compromise, it's perhaps fitting that he was identified in part via social engineering.

This discussion has been archived. No new comments can be posted.

Who's Behind Wednesday's Epic Twitter Hack?

Comments Filter:
  • by sectokia ( 3999401 ) on Thursday July 16, 2020 @11:09PM (#60298763)
    Social engineering brought down social media Seems fair
  • Whom else could it be?
  • In the past Krebs has done good detective work, so he's probably right.
  • by methano ( 519830 ) on Thursday July 16, 2020 @11:34PM (#60298811)
    Everybody has been talking about Twitter for the last couple of Days. What about SlashDot? It's been flaky as hell for a couple of days. Did nothing really happen on the 15th of July? Asking for a friend.
    • They probably hit an internal integer overflow, posts were showing up in the wrong story after sid 16,777,215. Or I am crazy, probably the latter though.
    • by AmiMoJo ( 196126 )

      Probably just a disk failure or something. Haven't noticed any more spam than usual or attacks on my other accounts.

      My first thought was back to that time when comment IDs overflowed but then I had a vague memory of something like this happening during the Dice era.

      • If you're right, then slashdot is 100% automated, and more than likely some bloke at the data center that hosts the hardware is the only human involved.

      • No way. They've been making changes lately. I noticed because the long-ass delay after hitting submit came back without me making any config changes on my end. They made some change, didn't do [adequate] testing, and the site blew up.

        • by AmiMoJo ( 196126 )

          I've noticed the delay after posting as well. I thought maybe it was an ad auction or something because the page half loads and then stops. Who knows.

      • by Ksevio ( 865461 )

        Well it did stop working right as the thread IDs hit the 24bit limit so it could certainly be another overflow issue

    • I noticed a few months ago I wasn't being informed of replys to my posts. All of the sudden I had a ton. I think there were some bugs in the code that have been festering for a while. One finally broke the camel's back.
  • by zenlessyank ( 748553 ) on Thursday July 16, 2020 @11:59PM (#60298841)

    This is a test. This is only a test. If this had been an actual emergency the FBI would have left a message here.

  • by slashmydots ( 2189826 ) on Friday July 17, 2020 @12:13AM (#60298861)
    Who was behind the incident? Stupid people who shouldn't own bitcoins. That's who the weak point was. Anyway, you'd think there's a "who did this" logging thing where employees are logged in as themselves so they can trace back an email reset to a human being. If not, HOLY SHIT, change it so it works that way, Twitter! Then again they're more concerned about politics and influencing elections then they are about not storing passwords in plain text for example.
    • by AmiMoJo ( 196126 )

      It does seem rather amateurish. Given the immense power they had the best they could think of doing was stealing some Bitcoins. Apparently they made around $100k but of course now have to try to launder it.

      • To me seems like the bitcoin scam was just a smokescreen.

      • Nah. It's the best we are made aware of. Who knows how many DM's or other interesting stuff they got their hands on.

        Btw, anyone notice Twitter uses Blacklist instead of Blocklist?

        • by laxguy ( 1179231 )
          TAKE THEM DOWN!!
        • Nah. It's the best we are made aware of. Who knows how many DM's or other interesting stuff they got their hands on.

          The "Trends Blacklist" item on the Admin panel screenshot is interesting, since Jack claimed in front of Congress that the Trends are determined by algorithm and the company doesn't manipulate them.

      • Possibly, but in a way, they made a very big point. Even "real account" twitter posts can be fake. If I were a company that used twitter, I might be rethinking using it as a platform for PR releases. Have you ever seen a fake presser from reuters?
  • by BAReFO0t ( 6240524 ) on Friday July 17, 2020 @12:16AM (#60298865)

    Much of the mass media ... for some reason ... cares.

    Twitter is a PR platform. You can tell actual news sources from fake news PR proxy clickbait gonzo newstrash by the latter mentioning Twitter.

    • yes, "blah blah blah bitcoin" always makes the media wonks sit up and drool.

      Its a shame really, they hackers could have posted Jack announcing his full support for Trump in the upcoming elections and then you'd have seen a meltdown. Jack saying "buy bitcoin", pathetic really when they could have hidden the other accounts pumping the bitcoin behind a full media focus on outrage.

    • You can tell actual news sources from fake news PR proxy clickbait gonzo newstrash by the latter mentioning Twitter.

      That may be, but it has now long been commonplace for the MSM to report on shit being said on Twitter. Major news outlets report on Twitter feuds between celebrities, for example. As if we didn't already have enough signs of the MSM's impending doom, being reduced to reporting on Twitter is the seventh.

  • beside that it reads as a good novel, that sim swapping definition, where you dont even need to swap sims (coercing social network guys) sims like tge author has a vague idea about it. Id stick to the inside guy theory...
    • I'm afraid you are experiencing a malfunction in your spelling module. You should go to the informary as soon as possible.
  • I'd reserve that word for things more important than that blue-check circlejerk site,

  • Imagine if the tweet posted on Elon Musks account had not been about twitter, but a serious update on a flaw in Tesla vehicles?
    A message along the lines of a serious flaw that could lead to an explosion.
    Sure, you could easily find out whether this was true, just by a cursory search - but how many people, these days, bother to do this?

    Worse still, the POTUS account is hacked and a message that causes a serious international incident is posted. Yeah, the current guy in charge is capable of doing this himself,

    • * not been about bitcoin

    • by tlhIngan ( 30335 )

      Which makes it all the more funny, because given what could happen, it was used to make a rather pathetic amount of money - only about $100K.

      Given what was involved, the hack itself was worth far more for those reasons - stock manipulation, international relations, etc. Hell, just being able to take over any Twitter account is probably worth more than $100K.

      Oh well, all it really does is implant the idea that Bitcoins and other things rae just used for scamming people. All people hear are "bitcoin" and "sca

      • It has "mining" at its core. Making it by definition not legitimate.

        No, you wasting electricity on literally pointless and useless calculations is not work and is not worth my work, so no, you cannot ever pay me with Bitcoin.

        Choose a sane cryptocurrency.

        - It must work completely offline. No necessity to go online later or ever. It must be as private as handing over cash/goods in a back room.

        - It must hold actual worth. Only actual work, by a person, verifiable by anyone (like in science), qualifies. Nothing

      • by Cederic ( 9623 )

        just being able to take over any Twitter account is probably worth more than $100K

        Then why is the market rate as quoted in the summary around $2500?

      • Which makes it all the more funny, because given what could happen, it was used to make a rather pathetic amount of money - only about $100K.

        Given what was involved, the hack itself was worth far more for those reasons - stock manipulation, international relations, etc. Hell, just being able to take over any Twitter account is probably worth more than $100K.

        You're still considering only the small gains. They compromised ALL the blue star accounts - they threw up the red herring of a BTC scam on the high profile ones, but blue star accounts are used by journalists to literally make up news in DMs, to talk to sources, to plot stories alongside politicians, etc. What this was was a leak of the messages driving the literal fake news, now no doubt held by China for the sake of controlling people in the US or outright kickstarting a civil war by dumping all the ma

        • by tlhIngan ( 30335 )

          You're still considering only the small gains. They compromised ALL the blue star accounts - they threw up the red herring of a BTC scam on the high profile ones, but blue star accounts are used by journalists to literally make up news in DMs, to talk to sources, to plot stories alongside politicians, etc. What this was was a leak of the messages driving the literal fake news, now no doubt held by China for the sake of controlling people in the US or outright kickstarting a civil war by dumping all the mate

          • If the hackers actually wanted that information, they wouldn't have posted it for a crappy bitcoin scam that alerted everyone to the problem. If they were smart, they'd use that access to actually harvest all that information over a period of a few days and then hold it for ransom at which point it's worth way more than $100K.

            They got that information the moment they downloaded it, they didn't need to keep the backdoor to keep the logs of it and know what to go after next.

            They would get in, grab all the data, and get out without making it obvious anything happened. This way the hole stays available to gather updates. Meanwhile, you can slowly use that information and make it such that no one knows where all that Twitter data came from.

            Why? Damning blackmail is damning blackmail, once you have enough more doesn't do anything.

            If it was done for the lulz, there's no banner stating it.

            That's literally why they publicly stated that it was an insider and gloated about the haul in btc.

    • by ledow ( 319597 )

      If you're getting your info from Twitter, and believe it without verification, this is literally the core problem... not what some hacked account might post on it.

    • Literally every major journalist and politicians had their private DMs compromised. The BTC scam was a red herring to throw people off, as was the suggestion it was done by people so incompetent they burned their inside guy at twitter for the lulz afterward. That's big - journalists use twitter DMs to talk to sources and shit, and to discuss literal fake news as they're making it.
    • by mabu ( 178417 )

      Bitcoin fraud is basically a "victimless crime". The authorities aren't nearly as bothered by that as if something that affected corporate america and the 1% shareholders. The fraudsters were smart enough to at least not take money from those that would come looking.

    • Then you buy the dip in TSLA stock. Hell, even if the tweet were true, all those Robinhood traders out there would buy the dip anyways.
  • Or, even better fitting: Social abuse / mental abuse.

  • but i bet it was a revenge hack that trump had done because of Jack Dorsey admonishing trump for his tirades and misinformation he loves to post
  • So we can see that they do have blacklists for trending and searches.

  • Who's Behind Wednesday's Epic Twitter Hack?

    Who cares. And nothing of value was lost ... even if they got all accounts or managed to erase the system.

    Hell, in that case I'd figure out how to start a Go Fund Me to thank them!
    • > Who cares. And nothing of value was lost ... even if they got all accounts or managed to erase the system.

      You can pretend that Twitter isn't where the multinational conversation is happening, or even assign zero value to it, but something like 10% of the world population disagrees with you. That's why this is news.

  • The trove of DM's is worth FAR more than $300K in BTC.

    That address could belong to an orphanage in a poor country for all we know.

    A sophisticated attacker could have orchestrated a short sell of so many accounts' companies, making billions potentially, and they didn't.

    This was either some dummies or an intruder with more value to gain than just a billion in options spread.

    Assuming the latter, throwing a lazy BTC firecracker on the way out the door seems to have been effective in misdirecting most spectators

  • If you need to impersonate someone so often you need a company-wide tool which anyone has access to post into anyoneâ(TM)s feed, how can you trust anyone and anything on the platform. This time it was a bitcoin scam, next time it will be the feed that publishes election results.

    • This time it was a bitcoin scam, next time it will be the feed that publishes election results.

      If you're getting your election results from Twitter...I think we found the problem already, and it's not Twitter...

  • This came hours after Trump signing an executive order nationalizing all property held or shipping from China owned by a US citizen, effectively gaining total control over US-China trade. Now whoever did it made a big show "for the lulz" and claiming to be bitcoin scammers with the posts, but what really happened is they gained access to the private DMs of all the big "blue star" accounts - politicians, journalists, sources of journalists, etc. It was about getting blackmail material to control the nation
  • WHO Behind Wednesday's Epic Twitter Hack

    ftfy

  • by Mozai ( 3547 )
    What happened to the previous story on this, that linked to Vice Magazine? https://tech.slashdot.org/stor... [slashdot.org]
  • Twitter, the thug's playground, seems to have just canceled itself.

  • Who's Behind Wednesday's Epic Twitter Hack?

    Possibly the people who inserted the backdoor for our own spooks?

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...