Yesterday, Twitter announced that it had been hacked. The attackers targeted a number of accounts belonging to cryptocurrency companies and executives, as well as the VIP accounts of Joe Biden, Barack Obama, Kanye West, Bill Gates, Elon Musk and others.
The goal was simple: reach the vast number of followers each of these users has and ask them to send Bitcoin to an anonymous wallet with the promise of doubling their money.
Smart people understand that there is no free lunch; Bitcoin scams are everywhere; doubling your money for no risk is unheard of; and these leaders wouldn’t be offering such a deal anyway. Of course it is a scam.
More to the point, how did this hack happen? Twitter is one of the world’s biggest brands with one of the most secure IT infrastructures on the planet.
Reports say that senior Twitter employees had their accounts compromised through a “coordinated social engineering attack.” What is a “coordinated social engineering attack”?
“Social engineering” is the term for attacks that rely on someone being nice to you and expecting you to be nice in return. Suppose someone shows up at your office, says they’re from the phone company, and asks for permission to access your phone cabinet to fix your X.25 interface. Do you buzz them in?
If you say “Yes,” then you may be the victim of a social engineering attack:
- You didn’t verify their identity by asking for ID;
- You didn’t confirm that there was a valid work order with the phone company that required an on-site visit;
- You likely didn’t even verify that you have an X.25 service;
- You probably didn’t monitor their conduct or actions as they wandered around your office.
In our age of working from home, social engineering attacks are becoming more common, in large part because:
- It’s harder to work together and get timely answers to questions, so we make decisions without full knowledge of the situation or context.
- It’s harder to verify instructions and directions. If your boss emails you to say the phone company is coming by today, you’re likely to just accept that and not ask more questions, including whether the email is actually from your boss!
- Standard office operating procedures are disrupted, and we don’t question or challenge the variations and changes to approval flows and processes.
This is likely what happened at Twitter.
Attackers start with people. Preventing social engineering is one of the best cybersecurity strategies you can provide for your business. It isn’t all that expensive, and it closes off a large number of the attack vectors used against businesses.
At the same time, it isn’t a simple thing to implement. As employees we are expected to be “customer centric” and polite. We are primed to be “helpful” to anyone who asks us for help (especially if they are polite), even if they are “bad actors.” It takes a structured change process to modify corporate culture so that staff remain “customer centric” while also being professional and polite in shutting down requests that may be part of social engineering attempts.
Atlas has partnered with a Cybersecurity company to help your company make the changes necessary to keep your data and assets from walking out the door.