With the number of Nigerian scams the world has seen over the decades since email went mass, one would imagine users would have become wise to the tricks played by crooks. But no, it looks very much like almost anyone can fall for a deception, as has just been evidenced by the great Twitter hack of 2020.

What happened exactly is something that is still being investigated, but the result was that a number of well-known world personalities had their accounts hijacked, the scamsters got away with at least $120,000 before disappearing again into the ether, and Twitter had a really bad hair day.

Barack Obama, Elon Musk, Bill Gates, Joe Biden, Kanye West, Kim Kardashian and Jeff Bezos have been among the personalities whose Twitter accounts were hacked. Are security experts surprised?

Vineet Kumar, founder of Cyber Peace Foundation, said yes. “The verified accounts of world politicians and celebrities getting hacked is a definite surprise,” he said. “It’s just these accounts would have been protected with two-step certifications and other preventive measures where regular users may take shortcuts.”

There is a strong possibility that Twitter employees were themselves targeted by way of social engineering, which is also the method the hackers used to lure users into actually parting with cryptocurrency, handing it over easily enough, said Kumar. This double act of social engineering involved using a lure to get inside Twitter’s admin system, then getting inside these specific Twitter accounts, resetting the email addresses attached to them and commandeering the accounts to post messages asking people to send money (in the form of Bitcoin) in order to get double the amount back. When something is too good to be true, it usually is. But it’s not always easy to tell.

No random act

The hackers probably didn’t pick the top verified Twitter accounts purely at random. The personalities chosen include the richest, philanthropists and even the quirky. Users evidently didn’t consider it outright impossible that these people would be giving away some of their wealth, so they went ahead and decided to try it out and see what would happen.

Uber and Apple also had their accounts hacked, with reasonable-sounding tweets going out saying, for example, that Uber was giving back during these Covid times. Anything can happen, right?

But why did the Twitter employee or employees fall for the social engineering that is believed to have given the hackers access? “This was a coordinated work of social engineering targeted at the Twitter staff which could have involved sending a link to an employee,” said Kumar. “With people now working from home without the enterprise-grade security measures such as firewalls used in the workplace, it’s not difficult to imagine how an employee could click on a link that looks valid and even relevant to the work being done by that person. Getting access to one or more accounts at Twitter would then have been used to gain admin access.” And from there on, the target changed to regular Twitter users.

Towards greater security

Is two-step authentication totally useless? Users are now wondering whether it’s worth the trouble when the most tech-savvy accounts can be compromised as easily as they have been. “No, not totally useless, but hardware keys and security tokens may have to be deployed much more in future for greater security,” said Kumar. “Two factor verification can sometimes be ‘sniffed’ by hackers but if you see what’s happening in India, we still struggle to get users to use this verification. Gradually the big tech companies and even financial institutions will have to push even stronger security methods.”

Ahead of the US elections, the security breach is particularly bad news for Twitter, showing up as it does the ease with which hackers can get into the accounts that must surely have the strongest protection. Put together with deepfake tricks, it seems entirely possible to spread misinformation at a time when users look to social media for news and opinion.