“This could have had a massive, massive amount of money stolen from people, it could have destabilized financial markets within America and across the globe; because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” said Andrew Warren, Hillsborough State Attorney.
Earlier today, police arrested the group responsible for this month's Twitter hacks. It's great news and good detective work that they were able to take the perpetrators in so quickly. From the initial reports, there were at least 3 individuals involved in the exploit, including one 17-year-old who was described as "not an ordinary 17-year-old" by the state attorney.
Phone Spear Phishing Attack
Twitter filled in/confirmed a few details about the attack, characterizing it as a "phone spear phishing attack" that resulted in the breach of account access as well as loss of direct messages for 36 (presumably high-profile) Twitter users. I discussed this with Byron Acohido (and others) in The Last Watchdog, and the general consensus was that it could have been much worse. If Florida law enforcement has its way, it's about to get much worse for the fraudsters. They seem motivated to use this case to set an example, with possible 10-year/$250,000 sentences.
Throw the book at 'em.
Phishing and Data Access Governance
Data loss damages aren't limited to the direct value of the stolen data; they can also be a springboard to far more sinister compromises, as Twitter found out the hard way.
I was thinking about what 2021 might hold for the data access governance world and went back to see whatever happened to Graham Ivan Clark (aka "mafia boy"). It turns out there was a second accomplice who, at 16, is even younger than Clark. According to the New York Times:
The teenager was known for calling employees of companies, such as Twitter, according to investigators and other hackers. He often posed as a contractor or employee to convince employees to enter their login credentials into fraudulent websites where the credentials could be captured, a method known as voice phishing or vishing. The login credentials made it possible for the hackers to then access the inner workings of the companies’ systems.
After the Twitter hack, the boy became a focus of investigators because he continued to be involved in voice phishing attacks, people involved in the probe said.
“Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” federal authorities said in a warning about the ongoing scheme issued in August.