The teenager arrested for allegedly masterminding the recent Twitter hack comes from a community that’s been targeting crypto users for years.
The group’s attacks have one big thing in common: They take advantage of human fallibility rather than code vulnerability. These so-called social engineering attacks are growing in sophistication, and while the Twitter case is being prosecuted vigorously, the broader problem is unlikely to end soon, security experts said.
The New York Times reported the alleged mastermind was a part of the “OG” users community, which traffics in short unique online handles, such as a single character or word on social media. The hackers are also known for SIM swapping, a tactic that has long plagued the world of crypto.
Florida resident Graham Clark was arrested on July 31. State Attorney Andrew Warren filed 30 felony charges, including organized fraud, communications fraud, fraudulent use of personal information and access to computer or electronic devices without authority, WFLA reported.
Clark allegedly masterminded the hijacking of 130 prominent Twitter accounts, scamming their followers out of $140,000 worth of bitcoin. That was a relatively paltry sum considering the high-profile accounts involved including Elon Musk and former President Barack Obama. But the attackers could have sown much chaos considering they controlled the megaphones of a presidential candidate (former Vice President Joe Biden) and several CEOs.
The social media platform was compromised in mid-July after a successful “social engineering” attack targeting its employees, Twitter initially concluded. A later update was more precise, saying employees fell victim to “phone spear-phishing” attacks.
Social engineering is a broad term that encompasses many methods of exploitation, said Allison Nixon, chief research officer at Unit221B, a cybersecurity firm. It can involve everything from bribery and coercion to phishing, she said.
According to a government affidavit, Clark convinced a Twitter employee he was a co-worker in the IT department. The employee then provided credentials to access the customer service portal.
“Social engineering is the concept of essentially tricking people into doing something they shouldn’t,” said Yonathan Klijnsma, a threat researcher at the cybersecurity company RiskIQ. “It can be as simple as falling for a phishing attack or, in more elaborate cases, where individuals are social engineered in real life or over the phone to perform actions they normally wouldn’t do.”
Holders of bitcoin and other digital assets know this style of attack all too well. For years they’ve been a popular target of a subset of social engineering attacks known as SIM swaps. A SIM swapper bribes or fools employees of a telecommunications provider into porting the victims’ phone numbers to the attacker’s device.This allows the attacker to use or bypass the victim’s two-factor authentication tools to access crypto wallets or social media profiles.
Nixon said she has seen evidence the Twitter attackers used tactics similar to ones that originated in the SIM swap community, which she has studied for years. (TechCrunch’s Zack Whittaker also reported the OGUsers community was involved.)
She worries OG’s tactics are becoming more sophisticated.
“These people cut their teeth attacking telecommunications and are now attacking other companies, and they’re extremely effective,” she said. “They’re going to find business partners that will cash out for them. What happened with Twitter was a blaringly loud advertisement.”
SIM swaps and crypto
There have been numerous instances of SIM swap hacks targeting individuals and cleaning out their digital assets. One high-profile incident targeted investor Michel Terpin, with the hacker stealing 1,500 bitcoin.
Haseeb Awan, CEO of Efani, a company that offers secure SIM cards to consumers, estimated around 1,000 people fall victim to SIM swap attacks every day, although “a lot of victims don’t come forward.”
These attacks are getting more sophisticated, he said, with most customers unaware of the risk.
“They [work] on how many cell phone connections [they can sell] per day, and that’s how they make money … It’s not that they don’t care about it. It’s that they don’t have the infrastructure to handle it. Their call center may be offshore, they may have [developers who] may be offshore, and it’s very hard to manage everything,” he said.
As our personal and financial lives become increasingly digital, smartphones are an attractive target for hackers, Nixon said, with SIM swaps being one popular vector.
In the crypto space, smartphones are often a key tool for individuals to access their holdings, making them an incredibly attractive target for hackers.
Some of these telcos have become successful at limiting or preventing SIM swaps from happening outright, Nixon said. Using Twitter searches as a proxy, she noted that complaints involving SIM swaps declined between 2019 and 2020.
For convenience sake, many telcos allow store employees to override protections, Awan said, because some individuals legitimately may have lost their SIM cards or otherwise need support recovering their accounts.
Alaric Aloor, CEO of security consultancy firm Archon Security, said it’s important for firms to maintain basic practices such as “principle of least privilege,” meaning as few users as possible should be able to make important changes to customer accounts.
In his view, many companies have moved away from these basic practices, allowing attacks like SIM swaps and other forms of social engineering to flourish.
“I think we’ve all seen how social media can be manipulated by external actors to sway public sentiment so Twitter, essentially should be considered critical infrastructure at this point just like utilities,” he said.
‘Nothing will happen’
Many perpetrators of these types of attacks aren’t caught, and those who are rarely receive punishment, Nixon said.
The arrests in the Twitter hack are the exception to the rule. The Times also reported one of Clark’s online aliases was allegedly involved in a SIM swap attack against Seattle-based angel investor Gregg Bennett in 2019.
In late 2019, after filing a lawsuit against Bittrext, the exchange from which the bitcoin was stolen, he told CoinDesk the hacks were coming from a Florida IP address and from an Windows NT operating system, neither of which he had used before.
The U.S. Secret Service seized 100 bitcoins netted from the attack, but declined to prosecute Clark because he was a minor, the paper said.
If a victim does find their phone has been hijacked, “there’s a 99% chance nothing will happen,” Awan said. Cell phone carriers are unlikely to accept responsibility, while the lack of law enforcement action may not deter the perpetrators.
As a result, the same hackers have multiple opportunities to hone their craft and make it more difficult for law enforcement to find them the next time.
One of the big takeaways for Klijnsma, of RiskIQ, was how the threat campaign manifested itself in surprising ways.
“Our data showed that this campaign was happening for a while, using other channels and vectors to socially engineer victims into giving up their cryptocurrency,” said Klijnsma. “However, once these actors decided to hack Twitter and succeeded, they were all of a sudden thrust into the spotlight. It goes to show that campaigns are constantly evolving as threat actors look for new ways to find victims.”
SIM swapping is just one aspect of what Nixon calls “targeted accounting,” which can include a number of other techniques to acquire credentials and compromise platforms.
This can be especially problematic for individuals who store large sums of money (or crypto) on a platform such as a crypto exchange.
“It completely undermines our sense of security,” Nixon said. “The truth is … [you] can eliminate some of the risks, but the hackers are just hitting the provider and hitting things that you can’t face, and you [are] still going to get owned.”
Larger businesses such as Equifax or Twitter may also not be motivated to limit their potential for falling victim to these types of attacks, both Aloor and Nixon said.
Aloor pointed to Equifax’s planned $575 million settlement with the Federal Trade Commission after it lost sensitive personal information for 147 million people in 2017. Originally, the company was expected to send $125 to each victim; due to the large number of victims, this is unlikely to happen.
“I think it speaks to the broader, at least in the U.S., aspect of ‘there’ll be no consequences for any breach,’” Aloor said.
Nixon is concerned there will not be a concerted effort to address SIM swapping issues because it’s happened time and time again, with little progress made in stopping them.
“It completely breaks the phone system, it breaks the identity system, it breaks things that are really on a fundamental level impacting national security and critical infrastructure,” said Nixon.