spear phishing

With the arrest of 17-year-old hacker Graham Ivan Clark in Tampa, Florida and more than 30 charges later, we’re starting to get a better understanding of the July 15 hack that compromised 130 Twitter high-profile accounts. 

As suspected by many, including us, the hack deployed a spearphishing attack on Twitter employees. 

An official statement from Twitter confirmed the method of attack, announcing that a “small” number of employees had been duped by a social engineering campaign that provided hackers with unfettered access to several high-profile Twitter accounts, including those belonging to Elon Musk, Bill Gates, Joe Biden, and Barack Obama. 

The hackers leveraged the wide exposure of these accounts to solicit bitcoin from their followers, netting them between $120,000 and $180,000.

“Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7,” the company announced on its blog and its own Twitter feed.

Spearphishing is a more sophisticated form of phishing for credentials, where specific individuals or groups are targeted, often by way of phony emails from known associates. It is assumed that the hackers involved in the Twitter hack gained access to the employee accounts via phone, rather than email, a practice known as “vishing.”

Twitter announced that stricter controls on employee and contractor access would be implemented, limiting “access to our internal tools and systems to ensure ongoing account security while we complete our investigation.”

The FBI, Congress, and authorities from New York State have all announced inquiries and investigations into the attack.