
The Attack That Broke Twitter Is Hitting Dozens of Companies

By Andy Greenberg
SOURCE: https://www.wired.com/story/phone-spear-phishing-twitter-crime-wave/
Summary

The hackers, Twitter wrote in a postmortem blog post about the incident, had called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.

"I've never seen anything like this before." Zack Allen, ZeroFox

But Twitter is hardly the only recent target of "phone spear phishing," also sometimes known as "vishing," for "voice phishing," a form of social engineering. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company's services—most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.

"Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries," says Allison Nixon, who serves as chief research officer at cybersecurity firm Unit 221b and assisted the FBI in its investigation into the Twitter hack. "And it's happening repeatedly, like the companies can't keep them out."

As in the Twitter hack, the perpetrators don't appear to be state-sponsored hackers or foreign cybercrime organizations, but young, English-speaking hackers organizing on forums like the website OGUsers.com and the chat service Discord, says Zack Allen, the director of threat intelligence at security firm ZeroFox, who has also worked with the industry group tracking the incidents. They'd use that phone number to intercept two-factor authentication codes, or as a starting point to reset the passwords to cryptocurrency exchange accounts. The Twitter hack's use of those same phone-based social engineering methods shows how those phishers have expanded their target lists beyond telcos, says Unit 221b's Nixon.

"The companies that are not employing that hardware check or certificate check, those are the companies that are getting hit really bad right now," Nixon says. The security staffer at a company that's been targeted by the phone phishers argues that for now, the vulnerability of companies to this new sort of intrusion technique isn't being taken seriously enough—and as older, more organized, and well-funded hackers see how effective that tactic has become, the victim list will only grow.

As said here by Wired