Twitter hack used MFA phishing - and it’s scarily simple

Last week’s report on the Twitter hack revealed that even if you have multi-factor authentication in place, your employees can still be a weak link.

On 14 October, New York State’s Department of Financial Services released a report on Twitter’s now infamous 2020 security incident.

What happened at Twitter?

For anyone who missed it, for several hours on 15 July, the Twitter accounts of high profile users - including Barack Obama, Kim Kardashian West and Elon Musk - started behaving very oddly (or just more oddly than normal, in the case of Elon Musk).

As if they’d been struck by the same collective philanthropic urge, a small army of famous people started tweeting bitcoin keys and offering to double the money of anyone who transferred cash into them. Of course, the money didn’t double - it disappeared into the digital pockets of a 17-year-old hacker and his friends who ended the busiest day in Twitter’s history $118,000 richer.

Although the incident was embarrassing for Twitter, the truth is it could have been so much worse than it was. If the attackers had chosen a less noisy and more patient mode of attack, or sold the access they’d gained to a more organised and professional outfit, they could have visited vastly more damage on Twitter and its users.

In a year when criminal gangs have routinely crippled businesses with malware like Maze or REvil and demanded seven- or eight-figure ransoms, it was a cheap lesson.

So, what is that lesson?

There’s plenty we can learn from the attack on Twitter, but one aspect from the report really caught our eye:

“During the Twitter Hack, the Hackers got past MFA by convincing the Twitter employees to authenticate the application-based MFA during the login.”

The attackers were allegedly able to access so many users’ accounts because they compromised Twitter’s own internal tools. They achieved this by calling up Twitter staff and pretending to be from the company’s IT department. They then directed their victims to a phishing website that looked like the Twitter VPN (Virtual Private Network) login page.

Like many companies, Twitter uses MFA (Multi-Factor Authentication) to secure its VPN. It didn’t help:

“As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did.”

Code-based MFA is many things but it isn’t a defence against phishing, despite what you might have read in the cybersecurity press. If an attacker can convince you to type a password, they can convince you to type an MFA code underneath it. It’s that simple.

App and push notification-based MFA are similarly fallible. As with the Twitter hack, if criminals use your phished credentials immediately after stealing them, users will simply follow through on the MFA push notification it generates, not realising they’re delivering this information into the attackers’ hands.

What can organisations do?

Amongst its conclusions the report recommends “regular cybersecurity awareness training for all employees” as well as “regular phishing and vishing exercises”, which we agree with wholeheartedly.

What it doesn’t say is that if your systems rely on MFA then your phishing exercises need to include it too. If they don't, you can get started running them with CultureAI for free below.

Want to measure human risk across your organisation & transform the security decisions your employees make?

Try CultureAI free. Within 30 days your employees will each have a security score allowing you to find the riskiest employees and departments, whilst automated nudges and personalised education will help transform their security decisions.

No committment. Cancel anytime.
The author
James Moore, CultureAI
James Moore
CEO and founder, CultureAI
James is a cyber security expert & GCHQ approved security awareness trainer. He's worked with many of the worlds leading organisations to signficantly improve employee security behaviour and transform cyber security culture. He believes in using technology to support & empower employees to behave securely, at both work and home.
Trusted by

Improve your workforces' security decisions

Start benchmarking and improving your human risk today, free for 30 days