Thousands of Twitter accounts, including high profile ones belonging to users such as Forbes, Amnesty International, the BBC’s North American service, and tennis star Boris Becker were compromised on Wednesday morning, resulting in them tweeting propaganda related to Turkey’s escalating diplomatic conflict with Germany and the Netherlands. IT security experts from AlienVault, FireEye, Kaspersky Lab, ESET, Tenable Network Security, Positive Technologies, NuData Security, Proofpoint and Alert Logic commented below.
Javvad Malik, Security Advocate at AlienVault:
“It appears as if the Twitter accounts were compromised via a third party service called Twitter Counter. The incident illustrates the need for security throughout the supply chain. Users should be wary as to which services they allow access to write to their Twitter accounts. It can be all too easy to allow permissions and subsequently forget that they were ever granted. The specific danger that third parties present is that even if users have secured their account properly and enabled two-step authentication, it offers no protection.
With more online services being inter-connected through social media, it becomes imperative that users are careful in what permissions are granted to apps, and regularly review whether permissions are still needed.
Enterprises should be mindful that these types of attacks are not just limited to individuals, rather corporate services can be compromised in the same way – with far greater consequences.”
Jens Monrad, Senior Intelligence Analyst at FireEye:
“Since the Dutch authorities prevented foreign minister Mevlut Cavusoglu from flying to Rotterdam, there has been an escalation of politically motivated cyber threats carried out by Turkish individuals and groups. Many of these observed attacks seems to be motivated by Turkish Nationalism and pro Erdoğan government support.
On the 11th of March, Shortly after the Dutch authorities prevented foreign minister Mevlut Cavusoglu from flying to Rotterdam, we observed disruption attacks carried out against Rotterdam The Hauge Airport´s website. The DDoS attack was most likely carried out by a Turkish hacktivist group that appears to be motivated by Turkish nationalism and pro-Islam ideologies. There were several other disruption and web-defacement attacks carried out after the news broke about the prevention of Mevlut Cavusoglu’s travel to Rotterdam, including an attack against the website owned by Dutch politician, Geert Wilders as well as several enterprises in the Netherlands were targeted.
Politically motivated cyber attacks in general thrives on making as large a media impact as possible and therefore it is expected to see these attacks whenever a political conflict escalate.
The attacks are typically disruptive attacks, using distributed denial of service and also web defacements, where the individual or group replace the front page with a political message.
With the current political conflict between The Netherlands and Turkey, we have observed an increase in takeovers of high profile social media accounts, such as those belonging to celebrities, NGOs and companies. Attackers are compromising third-party applications which have access rights to these accounts, and then sharing political messages.
Ultimately, this trend will only get worse. Cyber threats don’t move backward. If anything, the barrier to entry only becomes lower over time. Politically motivated cyber attacks such as those targeting social media will only become more effective as we become more reliant on these technologies.”
David Emm, Principal Security Researcher at Kaspersky Lab:
The Twitter account hack revealed today, whereby Twitter users of third-party app Twitter Counter have had their account compromised with messages from political activists, shows how vigilant people need to be not only of their own security practises but also those of their suppliers and partners. If businesses or consumers choose to use third party apps, which provide useful and necessary services, they could well be signing over full control to a third party.
This is a clear example of where a third party provider’s weakness has impacted very widely, not only on the provider itself, but also on Twitter and thousands of its users including some very high profile businesses and organisations. If Twitter users believe their account has been affected, they should change their password immediately. However, it is critical that people understand the permissions agreed to when downloading apps. Kaspersky research recently found that 63 per cent of consumers neglect to read the license agreement carefully before installing a new app on their phone and one-in-five (20 per cent) never read messages when installing apps. This means an alarming number of people are leaving their privacy – and the data on their phones – exposed to cyber-threats due to poor app safety practices.
To protect themselves people should:
- Only download apps from trusted sources
- Select the apps you wish to install on your device wisely
- Read the license agreement carefully during the installation process
- Read the list of permissions an app is requesting carefully. Do not simply click ‘next’ during installation, without checking what you are agreeing to
- Use a cybersecurity solution that will protect your device from cyber-threats
As best practice, Kaspersky would advise that app creators themselves aim to be as transparent as possible in the way they present their permission requests, to make people’s decisions easier.
Mark James, Security Specialist at ESET:
“One of the problems with these types of “hacks” is the perception of who has actually been hacked. In this case, our first impressions is Twitter but in fact a third party tool was compromised that has the ability or permission to post to Twitter on your behalf. With so many add-ons and extensions for social media there are hundreds of these types of apps available to add little features or additions to our software. Sadly, the companies that spend huge amounts of money keeping your data safe and secure are at risk when something like this happens. We should always review which services have our permission to take action on our social media accounts on a regular basis.
“For Twitter, this can be done on their website. Head to “Profile and Settings” and choose “Settings and Privacy” then select “Apps”. If you have associated any services you will see them listed here with an option to “Revoke Access” as a tab to click. One of the nice things here is seeing when it was approved, so you could determine if it’s still valid and if not remove it. If you make a mistake you can always click the “Undo Revoke Access” button to put it right. While you’re at it why not check Facebook as well – go to the Facebook website and choose “Settings” from your profile, select “Apps” and review what does and does not have access to your data and profile.”
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“This is the ‘hacker’ equivalent of writing graffiti on the bathroom wall, sometimes shocking and certainly worth a read when you’ve got nothing better to do, but it’s not even in the same league as DDoS, much less a sophisticated cyber attack.
“Twitter has a history of responding well and quickly to these kinds of incidents. For the rest of us who weren’t directly affected, there are much more important things we should be concerned about when it comes to security.
“To protect your online identity and social profiles, most platforms (including Twitter) allow for a secondary step in authentication. Enabling two-stage verification dramatically increases the difficulty for a malicious user to take over your account.”
Alex Mathews, lead Security Evangelist at Positive Technologies:
“This Twitter hack was possible because of third party service Twitter Counter, and this is not the first case when third party apps are used to steal access to social network accounts. Users should understand that those multiple apps asking for their social network access are not controlled by the social networks. And these third party apps themselves don’t guarantee security: many of them are created by small startups.
“Thus, in most cases, connecting your Twitter or Facebook account to such services is like to give your passport to a perfect stranger. Social network users have to control these apps by their own. You’d better not connect your account to new services from untrusted sources, and disconnect them when you don’t really need them.”
Robert Capps, VP of Business Development at NuData Security:
“Hacking the personal Twitter accounts of celebrities and brands for geopolitical advantage is a disturbing twist and escalation in cyber warfare. This hack appears to be coming from a zero-day vulnerability in a third-party app called Twitter Counter. Aside from the political message in this attack, we should be concerned about it because hacking Twitter accounts is akin to making a puppet out of the celebrity or affected brand. In the long term, I doubt these brands will experience much lasting harm if the situation is remedied quickly, but in the short term, the coverage that these attackers obtained by the hack is considerable.
If Twitter were a country, it would be the 12th largest in the world with over 100 million users logging in daily, and continually growing. The size of its membership and its capacity as a live media source of information make it an attractive and vulnerable target for account takeovers. By hijacking accounts, bad actors have access the audiences of celebrities and brands with thousands of followers, and can also leverage hashtags and lists to push that reach further. It’s a reminder for everyone to use unique strong passwords on every site, and consider using a password manager like 1Password or LastPass for easy generation of strong, unique passwords, as well as storage and encryption of these passwords.”
Dan Nadir, Vice President Digital Risk Products at Proofpoint:
“Today’s widespread Twitter compromises shine a light on the complexity of securing third-party apps attached to corporate and personal social media accounts. For example, not only do busy media accounts have multiple dozens of admins on both Twitter accounts and Facebook pages, they also connect and authorize multiple other applications to create, publish, and communicate content choosing from an ecosystem of more than 20,000 unique apps. In fact, across the multiple thousands of Twitter accounts and Facebook pages that Proofpoint protects for its media and large brand customers, there are an average of 10 unique apps used on Twitter and six on Facebook used to create content and communicate content. Busy media companies can have as many as 35 different apps authorized on a single Twitter account. Our recommendation is that social media account holders complete an immediate assessment of all third-party apps attached to their accounts.
The complexity and the high rate of activity on those corporate accounts makes it difficult to find a compromise until it is too late. Outside of just the content being posted, we see up to 50 changes a day around apps authorized, admins added, descriptions and pictures changed on busy media and brand accounts. Once a compromise happens, the initial embarrassing content posted is the most visible item, but it is really just the beginning of the pain. A busy Twitter account can send up to 400,000 direct, private messages to followers and other admins per month. Once compromised, the organization has to assess if other admins and even customers have been compromised In addition, they need to determine if those credentials are the same credentials used for other enterprise applications and access.”
Paul Fletcher, Cybersecurity Evangelist at Alert Logic:
“The practice of hacking Twitter accounts to gain notoriety for a cause is similar to a web defacement hack. Hacking groups like the variety of audiences they can reach by hacking a varied array of Twitter accounts, like we see in this latest attack. Social media accounts should practice good password management practices to prevent being attacked.”