A large-scale hack of Twitter accounts, many of them with millions of followers, is part of a bitcoin scam.
The hacked accounts asked followers to send bitcoin to a cryptocurrency wallet, promising that any amount sent would be returned doubled. Many of the tweets also promised to put the funds towards Covid-19 relief.
Followers were quick to fall for the scam: hundreds of transactions to the wallet were recorded.
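The scam pattern described above, a "send bitcoin, get double back" pitch paired with a wallet address, lends itself to a simple content-side detector. The Python below is an added example, not code from the article, from Kaspersky or from Twitter: it pulls candidate Bitcoin addresses out of a message, validates legacy (1.../3...) addresses by their Base58Check checksum, applies a format-only check to bc1 addresses, and flags messages that combine a plausible address with a doubling promise. The sample tweets and the addresses in them are constructed for this example and do not belong to any real wallet.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58_encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_base58check_address(addr: str) -> bool:
    """True if addr is a well-formed legacy address (version byte + 20-byte
    hash) whose trailing 4-byte double-SHA256 checksum verifies."""
    if not 25 <= len(addr) <= 35 or any(c not in B58_ALPHABET for c in addr):
        return False
    raw = base58_decode(addr)
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return _sha256d(payload)[:4] == checksum


# bc1 (bech32) addresses get a format-only check: prefix, charset, length.
# The bech32 checksum itself is not verified in this example.
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")


def looks_like_btc_address(token: str) -> bool:
    if token.startswith("bc1"):
        return bool(BECH32_RE.match(token))
    return is_valid_base58check_address(token)


# Candidate tokens: legacy addresses start with 1 or 3, segwit with bc1.
ADDR_CANDIDATE_RE = re.compile(
    r"\b([13][1-9A-HJ-NP-Za-km-z]{24,34}|bc1[02-9ac-hj-np-z]{11,71})\b"
)
# The "send X, get 2X back" pitch.
DOUBLING_RE = re.compile(r"\b(double[ds]?|doubling|2x|twice)\b", re.IGNORECASE)


def classify_tweet(text: str) -> dict:
    """Flag a message that pairs a doubling promise with a plausible address."""
    addresses = [t for t in ADDR_CANDIDATE_RE.findall(text) if looks_like_btc_address(t)]
    doubling = DOUBLING_RE.search(text) is not None
    return {
        "addresses": addresses,
        "doubling_pitch": doubling,
        "suspicious": doubling and bool(addresses),
    }


def make_p2pkh_address(hash160: bytes) -> str:
    """Build a checksummed legacy address from 20 bytes (sample data only)."""
    payload = b"\x00" + hash160
    return base58_encode(payload + _sha256d(payload)[:4])


# Constructed sample data: derived from a fixed byte string, not a real wallet.
SCAM_ADDRESS = make_p2pkh_address(bytes.fromhex("89abcdef" * 5))
# Same address with its last character altered, so the checksum no longer matches.
BROKEN_ADDRESS = SCAM_ADDRESS[:-1] + ("2" if SCAM_ADDRESS[-1] != "2" else "3")

SAMPLE_TWEETS = [  # constructed messages modelled on the article's description
    f"I am giving back to my community. All Bitcoin sent to {SCAM_ADDRESS} will be doubled! Only for 30 minutes.",
    "Great meeting the team today, big things coming.",
    f"Send 0.1 BTC to {BROKEN_ADDRESS} and I will send back 0.2",
    "Happy to double our donation to COVID-19 relief this year.",
]


def scan(tweets=SAMPLE_TWEETS) -> list:
    return [classify_tweet(t) for t in tweets]


if __name__ == "__main__":
    for tweet, result in zip(SAMPLE_TWEETS, scan()):
        print("SCAM" if result["suspicious"] else "ok  ", tweet[:60])
```

Only the first sample is flagged: the second has no pitch, the third carries a string that looks like an address but fails the checksum, and the fourth uses the word "double" without any wallet address. A real deployment would add account-state signals (a dormant high-profile account suddenly tweeting, settings changed shortly before the post) rather than rely on message text alone.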
It appears that the perpetrators were able to access Twitter’s administrative tools, altering the accounts and posting the tweets.
Elon Musk’s account was the first to post the scam message, followed by those of Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian and other high-profile people.
Companies like Apple and Uber were among those also compromised.
Even after the messages were deleted, many were reposted, until Twitter temporarily blocked a number of accounts from tweeting or resetting their passwords.
Individuals who say they were involved in the scam claim to have gained access to a Twitter administration tool that allowed them to change account-level settings.
Dmitry Bestuzhev, cybersecurity expert at Kaspersky, comments: “This major scam flags the fact that we are living in an era when even people with computer skills might be lured into a scammers’ trap, and even the most secure accounts can be hacked.
“By our estimates, at present at least 367 users have transferred around $120,000 in total to the attackers.”
Cybersecurity is undoubtedly one of the top priorities of all major social media platforms, and they put effort into preventing many attacks every day, he adds. “However, no website or piece of software is entirely immune to bugs, nor is the human factor immune to mistakes. Therefore, any native platform might be compromised.
“Today we see how, along with new attack vectors, scams combine old and effective techniques to use an element of surprise and gain people’s trust, facilitating the attack and luring victims into a trap. For instance, it might be a mixture of supply chain attacks with social engineering.
“In addition, the threat actors might gain access to a victim’s account in other ways: for instance, by penetrating a third-party app with access to the user’s profile, or the user’s password might be brute-forced.”
Bestuzhev adds that users shouldn’t panic, but rather adopt a new mindset: “Social media accounts require a responsible approach and thorough protection from their users, but we are not lambs to the slaughter.
“This incident might mean we all need to take some time to reassess our relationship with social media and account security, but once we do, it will become evident that we possess the knowledge and instruments to recognise even the most elaborate scam and minimise its impact.”