Future Tense

The Twitter Hack Shows a Major Cybersecurity Vulnerability: Employees

A broken chain of Twitter birds.
Photo illustration by Slate. Photo by Twitter.

On Wednesday, Twitter fell victim to hackers who used a “coordinated social engineering attack” to compromise some of Twitter’s highest-profile accounts—including those belonging to Barack Obama, Elon Musk, Bill Gates, and Kanye West—to launch a crypto scam targeting those users’ followers. The scammers ended up with multiple accounts and more than $120,000 in untraceable Bitcoin payments—an amount that pales in comparison to the damage to Twitter’s brand.

This was a particularly flashy breach, but in the end, it was just another in a long parade of cybersecurity incidents at high-profile and smaller companies alike. While cybersecurity advances have hardened IT infrastructure and made it increasingly difficult to hack systems remotely, criminals have a logical way around these measures: targeting the employees who are already inside the systems. This wasn’t even the first time Twitter has fallen victim to a social engineering attack. In August 2019, Twitter CEO Jack Dorsey was the target of a different type of social engineering attack known as SIM swapping. In that incident, Dorsey briefly lost control over both his personal mobile number and Twitter handle after hackers used his personal information, including knowledge of which mobile carrier he uses, to transfer control of his number to the hackers. Twitter, of course, is not alone. Earlier this year, Shark Tank’s Barbara Corcoran was almost scammed out of $400,000 when attackers profiled her organization, obtained basic contact information, and impersonated her bookkeeper in a wire fraud scheme. No organization is immune—from Target to the Central Intelligence Agency to the cryptocurrency Classic Ether—attackers keep finding ways to leverage human weakness to get around security measures.

Attackers look for ways to convince or trick employees into helping launch an attack that bypasses security measures meant to prevent penetration from the outside. They use confidence schemes to hack the human “operating system” rather than technical means to hack computer systems.

There are more than a dozen types of social engineering attacks. The most common are fake “phishing” emails, whereby a message supposedly from a colleague or a manager asks for a password reset or help accessing a system. It seems like a quick favor for someone in a bind—but it can give a criminal access from the inside.

This is a well-known problem in the IT world, and it’s a difficult one to solve. Yet it’s not enough to train employees to recognize fake messages. In many cases those messages are indiscernible, even by computer systems, from real ones. The fundamental problem is one of data. There is a massive, growing ocean of information out there on all of us: It is publicly available and easily obtainable on the internet. This data represents a guidebook for hackers, providing them many details on people, from what type of access to company systems they might have to their writing style. This information, often scraped in an automated fashion, allows hackers to generate phone calls, emails, text messages, and social media posts that are personalized and can trick even seasoned security industry veterans. For example, a family vacation picture posted on social media can help a hacker credibly impersonate the vacationer by email. When the email is sent with sufficient detail from a recognized personal email address (perhaps attached to that social media account) mimicking language from posts and other communications, requesting that funds be wired to a third party—maybe even a vendor that references a relationship with the company in a public case study—it may seem perfectly normal.

In the case of Twitter, the initial breach has been traced to the hacker’s access of an internal chat channel on Slack. Knowledge of Twitter’s corporate structure and its employees’ roles and communication styles likely made the attack smarter and helped plan and affect the breach.

Part of the issue is that the data out there is much more actionable than most people realize. Basic research on social media (Facebook, Instagram, Twitter, etc.) and Google can reveal enough personal information for a hacker to make contact and design plans to dupe a person.
This practice, commonly known by experts as cyber reconnaissance, powers more than 90 percent of successful cyberbreaches today, according to a report from Verizon.

That number is not likely to drop soon, especially given that COVID-19 has compounded this problem by forcing so many employees to work from home. Social engineering attacks already rely on remote communication—naturally, it is much harder to assume the guise of a trusted friend or colleague in person.

The New York Times has reported that a shadowy figure known as “Kirk” was the likely ringleader behind the recent Twitter attack. Although it is not yet known which social engineering tactics were leveraged to get that original access, Kirk’s campaign definitely involved reconnaissance. Beyond that, the attack may have hinged on an employee who was paid off, tricked, or coerced, or a disgruntled employee inside the company may have found a partner in crime on the outside. Each attack method relies on data: finding the proper contact information, knowing whom to impersonate and how … or even profiling Twitter’s employee base to know who might be most valuable (such as users with higher-level privileges) and who might be the most vulnerable (those with exposed personal information such as location, hobbies, contact information, etc.).

The world’s investment in hardened security infrastructure over the course of many years has been important, and will grow only more so as we increasingly rely on technology to power every aspect of our lives. One recent report predicts that between 2017 and 2021, cybersecurity spending will exceed $1 trillion cumulatively. But as long as we continue to think of security only as a function of the systems we build, and essentially related to their infrastructure, we miss perhaps the most critical element. The most vulnerable targets inside of companies are actually the individuals sitting at the intersection of our networks, devices, and applications.

The next generation of cybersecurity tools needs to focus on cyber hygiene, actively providing a lens on what information about a company and its employees is available in the public, and finding ways to reduce or anesthetize that footprint, protecting not only our companies, but also the privacy and integrity of each individual.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.