In January, a security researcher reported through the HackerOne bug-bounty platform a vulnerability in Twitter that could allow an attacker to learn the phone number and/or email address associated with an account, even if the user had hidden those fields in the platform's privacy settings. Twitter patched the vulnerability. This month, however, it has been reported that a database built with it is being offered for sale on Breach Forums, a hacking forum.
The database reportedly contains 5.4 million users, including accounts belonging to businesspeople, politicians, and celebrities. The owner of Breach Forums reportedly confirmed the authenticity of the leaked data.
Timothy Morris, a technology strategist for cybersecurity company Tanium, said via email, “This is just another confirmation that privacy can be an illusion most of the time.”
Morris explained that this vulnerability can expose an individual's otherwise non-attributable Twitter accounts or aliases. “It's concerning, especially for those in sensitive situations, such as crime victims, political activists/dissidents, and those under the thumb of oppressive regimes. While the situation was appropriately disclosed and resolved, Twitter accounts and identities were a highly coveted commodity. These can be used in order to compromise systems or cause chaos in individuals' personal lives. There are likely to be more vulnerabilities that can give access to the same information, and it is reasonable to anticipate this trend continuing.”
A Facebook Attack Also Hit
It isn't only Twitter in the news this week for a cybersecurity issue. Researchers revealed that the new “Ducktail” malware campaign targets employees and individuals with access to Facebook Business accounts.
The malware steals session cookies from the victim's browser and replays the still-authenticated Facebook session to access the victim's information. From there it can hijack any Facebook Business account the victim has access to.
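The technique above, a cookie lifted from one browser and replayed from another machine, leaves a trace on the server side: the same session identifier shows up with a second client fingerprint and no login of its own. The following is an added example of that detection logic, not code from the original article or from the researchers who analysed Ducktail. The pipe-separated log format, the field names and the sample lines are constructed for illustration; real web-server or identity-provider logs need their own parser.

```python
"""Spot a session cookie replayed from a second client.

Added example; the log format and sample lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: timestamp|session_id|client_ip|user_agent|action
SAMPLE_LOG = """\
2022-08-10T09:00:00|sess-a1|203.0.113.10|Chrome/104 (Windows NT 10.0)|login
2022-08-10T09:05:00|sess-a1|203.0.113.10|Chrome/104 (Windows NT 10.0)|request
2022-08-10T09:20:00|sess-a1|198.51.100.7|Firefox/103 (X11; Linux x86_64)|request
2022-08-10T09:30:00|sess-b2|192.0.2.44|Safari/605 (Macintosh)|login
2022-08-10T09:31:00|sess-b2|192.0.2.44|Safari/605 (Macintosh)|request
2022-08-10T10:00:00|sess-b2|192.0.2.45|Safari/605 (Macintosh)|request
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    session_id: str
    ip: str
    user_agent: str
    action: str  # "login" or "request"


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua, action = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), sid, ip, ua, action))
    return events


def detect_cookie_replay(events: List[Event]) -> Dict[str, str]:
    """Return {session_id: reason} for every session cookie that is later
    presented by a client whose User-Agent differs from the one that logged in.

    A changed IP alone is not flagged: NAT, mobile roaming and VPNs make that
    noisy (sess-b2 below). A cookie pasted into an attacker's browser almost
    always arrives with a different User-Agent and never with its own login.
    """
    origin: Dict[str, Tuple[str, str]] = {}  # session_id -> (ip, ua) at login
    alerts: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            origin[ev.session_id] = (ev.ip, ev.user_agent)
            continue
        if ev.session_id not in origin:
            alerts.setdefault(ev.session_id, "session used without any observed login")
            continue
        login_ip, login_ua = origin[ev.session_id]
        if ev.user_agent != login_ua:
            alerts.setdefault(
                ev.session_id,
                f"cookie issued to {login_ua!r} at {login_ip} replayed by "
                f"{ev.user_agent!r} from {ev.ip} at {ev.ts.isoformat()}",
            )
    return alerts


if __name__ == "__main__":
    for sid, reason in detect_cookie_replay(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {sid}: {reason}")
```

On the sample data only sess-a1 is flagged: the cookie issued to a Chrome/Windows login is presented fifteen minutes later by a Firefox/Linux client that never authenticated. sess-b2 changes IP within the same User-Agent and is left alone. In production the same rule is worth pairing with a server-side session store so that a flagged session can be revoked, not just reported.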
Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, said that as companies become more alert and resistant to ransomware, cybercriminals will look for new ways to make ill-gotten profits.
Clements said that social media accounts have been attacked before, as in the July 2020 Twitter hack, in which compromised high-profile accounts, including Elon Musk's, were used to tweet scams. The targeted approach to Facebook business accounts, however, is novel. Unlike earlier social media hacks, which made themselves obvious by publishing links to malware and scams, this campaign is stealthier: it aims to quietly alter ad spending or commit fraud through the account.
Experts recommend that companies seeking to secure themselves adopt a culture of cybersecurity that accounts for all possible threats, including social media accounts.
Clements stated that social media accounts are often managed by PR and marketing departments without oversight from cybersecurity teams. “This is because they are not able to make sure accounts have strong passwords, multifactor authentication and real-time monitoring capabilities in order to detect compromise.” Clements added that businesses need to be aware that this new threat is not limited to Facebook accounts. Ducktail is more than a Facebook hijacker: it can also steal information that could be used for further attacks against the victim and their business.
Social Engineering
Many people don't realize the social engineering consequences of sharing too much personal data on social media. What people share in posts can paint a very vivid picture of a person, which hackers can then exploit.
These stories show hackers using social engineering to their advantage. Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, said that social engineering is the number one cause of data breaches.
Grimes said that nothing else is even remotely close percentage-wise. The best way for almost every company to improve its cybersecurity defenses is to focus on reducing the chance of a social engineering breach; no single defense does more for an organization against malware and hacking. Each organization must examine its defense-in-depth plan for ways to improve (policies, technical defenses, and education) in order to stop social engineering. Hackers and malware thrive long-term because organizations fail to focus resources and training on social engineering, and hackers like it when defenders get distracted and do not put their resources against the top threat.
Data and Identity Protection
According to security professionals, users need not panic about using social media, but it is a place where they should be more careful.
Morris said it is best to assume digital footprints are everywhere and can never be completely eradicated, so anonymity in the digital space is an illusion. “To prevent being victimized,” Morris said. For developers, this vulnerability shows there is still a need to validate inputs and to make sure requests are both authenticated and authorized: the flaw stems from improper access control.
These attacks show that everyone should be using stronger authentication.
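The access-control point is easiest to see on a lookup endpoint of the kind that answers “which account is this email or phone number attached to?”. Below is an added example of such a handler in its broken form beside a hardened one; it is not Twitter's code, and the function names, the USERS table, the “discoverable” privacy setting and the rate limiter are hypothetical stand-ins constructed for illustration.

```python
"""An identifier-lookup handler with broken access control, next to a
hardened version. Added example; all names and data are hypothetical.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample accounts. "discoverable" models a privacy setting that
# lets a user opt out of being found by email address or phone number.
USERS = {
    "alice": {"email": "alice@example.org", "phone": "+15550100001", "discoverable": False},
    "bob":   {"email": "bob@example.org",   "phone": "+15550100002", "discoverable": True},
}


def lookup_vulnerable(identifier: str) -> dict:
    """Broken access control: answers for anyone, ignores the target's privacy
    setting, and tells the caller whether the identifier exists at all.
    Feeding a list of emails/phones through this maps them to handles."""
    for handle, user in USERS.items():
        if identifier in (user["email"], user["phone"]):
            return {"exists": True, "handle": handle}
    return {"exists": False}


class RateLimiter:
    """Per-caller request budget; a deployment would back this with a store."""

    def __init__(self, max_calls: int):
        self.max_calls = max_calls
        self.calls = defaultdict(int)

    def allow(self, caller: str) -> bool:
        self.calls[caller] += 1
        return self.calls[caller] <= self.max_calls


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")  # E.164


def normalize(identifier: str) -> Optional[str]:
    """Validate the input and canonicalize it; None if it is neither an
    email address nor an E.164 phone number."""
    candidate = identifier.strip()
    if EMAIL_RE.match(candidate):
        return candidate.lower()
    digits = re.sub(r"[\s\-().]", "", candidate)
    if PHONE_RE.match(digits):
        return digits
    return None


def lookup_hardened(identifier: str, caller: Optional[str], limiter: RateLimiter) -> dict:
    """Authenticate the caller, throttle it, validate the input, honour the
    target's privacy setting, and give the same answer for "no such user" and
    "user exists but opted out" so the response carries no existence bit."""
    if caller is None:
        raise PermissionError("authentication required")
    if not limiter.allow(caller):
        raise PermissionError("rate limit exceeded")
    ident = normalize(identifier)
    if ident is None:
        raise ValueError("identifier must be an email address or E.164 phone number")
    for handle, user in USERS.items():
        if ident in (user["email"].lower(), user["phone"]) and user["discoverable"]:
            return {"handle": handle}
    return {}  # uniform negative response


if __name__ == "__main__":
    limiter = RateLimiter(max_calls=100)
    print(lookup_vulnerable("alice@example.org"))              # leaks alice
    print(lookup_hardened("alice@example.org", "mallory", limiter))  # {}
    print(lookup_hardened("+1 (555) 010-0002", "mallory", limiter))  # bob opted in
```

The two properties to check in a review of such an endpoint are that the authorization decision is made against the target's setting, not just the caller's login, and that the negative responses are indistinguishable, including in status code and timing, so that a hidden account cannot be confirmed by enumeration. Rate limiting per caller is what turns a bulk scrape into a slow, noticeable one.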
Erfan Shadabi, a cybersecurity specialist at Comforte AG, said, “As individuals, we are conscious of the personal threats cyber attacks pose against us.”
Shadabi said, “As members of businesses and organizations, we understand that enterprise data is the lifeblood of a corporation, which makes it a tempting target for hackers.” The recent Twitter attack should highlight the importance of data-centric security, such as format-preserving encryption or tokenization, which protects sensitive data by rendering it unintelligible and impossible to exploit. While attacks and breaches are difficult to avoid entirely, we hope the big tech companies have data-centric mitigation measures in place that can be applied directly to sensitive data.
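To make the tokenization idea concrete for the identifiers exposed in the Twitter leak, here is an added example of a vault-based tokenizer; it is not Comforte's product or any platform's code, and the role names, the vault API and the sample contacts are assumptions constructed for illustration. The application stores and matches on tokens that keep the shape of a phone number or email address, while the raw value lives only in the vault and is handed back only to authorized roles.

```python
"""Vault-based, format-shaped tokenization for emails and phone numbers.

Added example; roles, API and sample data are hypothetical.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict


class TokenVault:
    # Roles allowed to turn a token back into the real value (assumed policy).
    DETOKENIZE_ROLES = frozenset({"support-tier2", "fraud-ops"})

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._token_by_fingerprint: Dict[str, str] = {}
        self._value_by_token: Dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        # Keyed hash so the vault can find an existing token without keeping
        # a plain lookup table of raw values next to it.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _shaped_token(value: str) -> str:
        """Random token with the outward format of the value, so downstream
        schemas and validators keep working."""
        alphabet = string.ascii_lowercase + string.digits
        if "@" in value:
            local, _domain = value.split("@", 1)
            # Keep the local-part length; the domain is replaced because an
            # email's domain is itself identifying.
            rand = "".join(secrets.choice(alphabet) for _ in range(len(local)))
            return f"{rand}@token.invalid"
        if value.startswith("+") and value[1:].isdigit():
            first = secrets.choice("123456789")  # keep it E.164-shaped
            rest = "".join(secrets.choice(string.digits) for _ in range(len(value) - 2))
            return "+" + first + rest
        raise ValueError("unsupported identifier format")

    def tokenize(self, value: str) -> str:
        """Deterministic: the same value always maps to the same token, so a
        contact match can run on tokens alone without touching raw values."""
        fp = self._fingerprint(value)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = self._shaped_token(value)
        while token in self._value_by_token:  # guard against a random collision
            token = self._shaped_token(value)
        self._token_by_fingerprint[fp] = token
        self._value_by_token[token] = value
        return token

    def can_detokenize(self, role: str) -> bool:
        return role in self.DETOKENIZE_ROLES

    def detokenize(self, token: str, role: str) -> str:
        if not self.can_detokenize(role):
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._value_by_token[token]


def build_contact_index(vault: TokenVault, contacts: Dict[str, str]) -> Dict[str, str]:
    """What an application table would hold: handle -> token, no raw values."""
    return {handle: vault.tokenize(raw) for handle, raw in contacts.items()}


# Constructed sample data
SAMPLE_CONTACTS = {"alice": "+15550100001", "bob": "bob@example.org"}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    print(build_contact_index(vault, SAMPLE_CONTACTS))
```

Because the tokens are random values stored in the vault rather than derived from the data, a copy of the application table alone gives an attacker nothing to test guesses against; only a compromise of the vault (or of a role allowed to detokenize) recovers the identifiers. That is the separation a breach of the kind described above is meant to survive. Format-preserving encryption serves the same goal without a vault, but it needs a vetted mode such as FF1 rather than anything home-grown.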