Following the major security breach suffered by Twitter on 15 July, it has confirmed that the hack targeted a small number of employees through a phone “spear-phishing” attack.
Attackers targeted specific employees who had access to account support tools, Twitter said. The company added it has since restricted access to its internal tools and systems.
Whether the hackers gained access via phone, a personal device, or office computer, the aim of the attack was to obtain employee credentials. Twitter advises that although their tools, controls, and processes are constantly being updated and improved, they are now “taking a hard look” at how they can make them even more sophisticated.
The specifics of the phish that evaded security controls are vague. Spear phishing tends to be more targeted and dangerous than a typical phishing attack, because the phishing emails are highly believable when tailored to individuals or small, specific groups of people. “Phone phishing” is messy infosec jargon that tends to be a catch-all for all things social engineering that involve a mobile device. A phish via phone could appear to be many things: a message from support requesting credentials for an update, an SMS phish linking the user to a false company login page, or an actual phone call from a friendly colleague requesting login information.
If employees are unaware of the role they play in data breaches, they are more likely to fall for these scams. No amount of security controls can fully secure a network unless employees are also seen as the frontline in phishing defense. Twitter needs to consider building employee resilience to phishing in their plan to become more sophisticated.
As suspected, this breach resulted from social engineering – hackers preying on human vulnerabilities. Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others. It is vital organisations employ a layered approach of people, processes, and technology for optimal cybersecurity. This incident underlines the critical importance of awareness and education among employees and the role they play in good data hygiene – cybersecurity is not the sole concern of an individual or a function, it is a shared responsibility of all.