According to the NYT and Wired, Graham Ivan Clark, 17, was charged with 30 felonies and arrested in his Tampa home early Friday, and two other people have been charged, because authorities say they ran a scam that targeted the accounts of celebrities, including former President Barack Obama, former Vice President Joseph R. Biden Jr. and Elon Musk. Court documents show about 415 payments to the bitcoin wallet associated with the scam, totaling around $177,000.
The teenager broke into Twitter’s network using a phone spear phishing attack on an employee, and that was enough to get through the company’s corporate two-factor protections. In a phishing attempt, scammers make it look like they are from a legitimate company. When they call or email with specific details about the person they are contacting, that is spear phishing. Spear phishing is highly targeted and aims at a single individual. It is a personal attack: the attacker is after someone in particular. The attack granted privileged access to internal Twitter systems, which the attackers used to reset account passwords. The attackers tweeted from 45 of the accounts, gained access to the direct messages of 36 accounts, and downloaded full information from seven accounts.
A first interesting observation on the Twitter attack is that, while it garnered major headlines, the social engineering attack at the heart of it is nothing new. This was pointed out by Allison Nixon, chief research officer with the firm Unit 221B, which assisted the FBI in the investigation: “In terms of the modus operandi, MO, of breaking into companies and then using the employee tools to perpetuate fraud, that is just another day for these guys. This exact same MO was used against Telcos for years prior to this.”
An even more interesting point is that most comments praise the kid and suggest he should work as a security consultant. This reveals much about cyber security, because it further confirms that most commenters do not appreciate the difference between a system so vulnerable that even a kid can crash it and a consultant who should analyze a system and suggest cost-effective countermeasures. As someone said some time ago, computer science is the only field that cannot distinguish a breaker from an architect.
Most OT systems include legacy equipment that was not designed to be connected to the internet or to defend against malicious cyber activities. This is particularly