On the surface, this scam doesn’t appear to be all that sophisticated. Most of us would take one look at these tweets and immediately recognize that something was amiss. After all, Bitcoin scams are common on Twitter. The difference here was that they normally take place using relatively anonymous accounts, rather than those belonging to politicians, tech CEOs and cultural icons. The credibility of those accounts boosted the scam, with hundreds of people sending more than $100,000 in Bitcoin to the advertised wallet. That’s somewhat shocking, but we learned some more interesting details when we started to dig into this attack a little more.
First, the digital world may have gotten off easy last week. The attackers executed their scam in a clumsy fashion that immediately attracted the attention of the global media and Twitter’s security team. Twitter removed the offending tweets, blocked access to the affected accounts and restored normal operations.
There are some indications that this attack was more than just a Bitcoin scam. On Thursday, Twitter admitted that the attackers had also used their access to read the private direct messages of up to 36 users. It’s possible that more will come to light as the investigation unfolds.
What if the attackers had been more sophisticated in their execution? If they chose to send out more carefully designed tweets, they could have delayed detection of the attack and made a global impact. It’s also not difficult to imagine scenarios where the attackers could have sent out tweets that influenced national politics or moved financial markets, instead of convincing people to send Bitcoin in the hopes of making money.
There is only one place to lay the blame for this incident: right on Twitter’s doorstep. Twitter acknowledged that the attackers gained access to the company’s internal systems, where they were able to bypass many security controls.
If that’s the case, it demonstrates a stunning lack of internal security at Twitter. Once the attackers reached those internal systems, the tools they found there gave them the ability to manipulate Twitter accounts directly.
The broad availability of an internal tool that allows employees to take over any account is worrisome. These tools certainly make the lives of customer service representatives easier but, as we just learned, they also create significant risk. Uber learned this the hard way in 2014 when reports surfaced that employees had widespread access to the personal information of riders through the company’s internal “God view.”
Customer service teams need administrative tools to perform routine aspects of their jobs, but those tools must be carefully protected with strong security measures. They also need to be set up to automatically detect obvious cases of misuse such as, say, the same person simultaneously accessing the accounts of dozens of high-profile individuals and using those accounts to send out a Bitcoin scam.
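A minimal version of the misuse detection this paragraph calls for, added here as an illustration and not taken from the article or from Twitter’s own systems: it flags any operator who performs sensitive admin-tool actions against several high-profile accounts within a short window. The audit log format, operator names, account list, action names and thresholds are all assumed, and the log lines are constructed.

```python
"""Added example: flag one operator touching many high-profile accounts
through an internal admin tool in a short window. Log format, field names,
account list and thresholds are assumptions, not a real system's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, operator, action, target account.
SAMPLE_LOG = """\
2020-07-15T20:01:05Z op_alice account_view @ordinary_user
2020-07-15T20:03:10Z op_bob account_takeover @celebrity_one
2020-07-15T20:03:15Z op_bob account_takeover @tech_ceo_two
2020-07-15T20:03:21Z op_bob account_takeover @politician_three
2020-07-15T20:03:30Z op_bob account_takeover @exchange_four
2020-07-15T20:04:01Z op_bob tweet_post @celebrity_one
2020-07-15T21:30:00Z op_alice account_view @celebrity_one
"""

# Assumed watch list of accounts whose takeover would be high impact.
HIGH_PROFILE = {"@celebrity_one", "@tech_ceo_two", "@politician_three", "@exchange_four"}
# Assumed set of admin-tool actions worth alerting on (read-only views are excluded).
SENSITIVE_ACTIONS = {"account_takeover", "tweet_post", "dm_read"}


def parse(log_text):
    """Parse the constructed log into (timestamp, operator, action, target) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, operator, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, target))
    return events


def find_bulk_access(events, window=timedelta(minutes=10), threshold=3):
    """Return {operator: distinct high-profile targets} for operators who took
    sensitive actions on at least `threshold` watch-listed accounts inside any
    sliding window of length `window`."""
    per_op = defaultdict(list)
    for ts, op, action, target in sorted(events):
        if action in SENSITIVE_ACTIONS and target in HIGH_PROFILE:
            per_op[op].append((ts, target))
    alerts = {}
    for op, hits in per_op.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until every hit in [start, end] fits the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= threshold:
                alerts[op] = alerts.get(op, set()) | targets
    return alerts
```

On the constructed log only `op_bob` is flagged: `op_alice` views a watch-listed account, but a single read-only view is neither a sensitive action nor part of a burst.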
No matter how you look at this situation, things don’t look good for Twitter’s internal security program. In order to regain the public trust, the company has a lot of work to do.