Strengthening The Weakest Link To Prevent Social Engineering Attacks

Twitter Inc. recently experienced its worst security breach in its 14-year existence. A number of high-profile Twitter accounts were hacked, including the accounts of former President Barack Obama, former Vice-President and current presidential candidate Joe Biden, Bill Gates, Elon Musk, and Warren Buffett.

The hacked accounts posted invitations for what appeared to be a Bitcoin scam. The promoted Bitcoin wallets collected around $120,000 in cryptocurrency. Twitter blocked posts from all verified accounts in response.

Twitter stated that it detected "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

Twitter is trying to determine if the internal attack occurred because cybercriminals tricked employees with sophisticated phishing attacks or if employees deliberately gave hackers access to high-profile accounts.

Some cybersecurity experts believe that there is more to the attack than a cryptocurrency scam. They suggest the cybercriminals might have hacked high-profile accounts to distract from their stealing sensitive information, such as private personal messages or other confidential data that they will use later.

Twitter will likely look into employee logs, email, and phone records to determine if a failure in the authentication process allowed hackers access. The organization will also likely investigate what other data might have been compromised. Jamie Tarabay "Twitter Races to Unravel How Cyber-Attack Came From Inside" bloomberg.com (Jul. 16, 2020).


Commentary

All organizations, as well as individuals and families, are potential targets of social engineering. Social engineering attacks occur against CEOs as well as against home buyers purchasing their first home.

With social engineering attacks, cybercriminals either trick or manipulate employees into (knowingly or unknowingly) sharing confidential information or performing desired actions.

Social engineering attacks can include phishing campaigns, but also old-fashioned bribery and blackmail.

In the above matter, one of the possibilities is that employees may not have been tricked but may have willingly provided their credentials to the criminals. Often the incentive involves promises, threats, or money.

No matter how the hack was accomplished, humans are the weakest link in cybersecurity.

The most direct way to reduce human negligence of any type is training. Employers should train employees never to respond to suspicious emails or phone calls and to notify their information technology department immediately if they believe they are the target of a social engineering attack.

Finally, create a written policy that states that any employee who knowingly shares information with a third party without authorization will face disciplinary and legal action.
