By BECKY RUTHERFORD
Los Alamos
On Wednesday, July 15, accounts across Twitter began posting the same message: “Send bitcoins to this bitcoin address and you will get back double the bitcoins!”
Initially, tweets claimed to be linked to a fake charity, “Crypto for Health”.
The first wave of tweets went out from smaller Twitter accounts, and then cryptocurrency CEOs.
Then came the second wave – celebrities and politicians with verified Twitter accounts, including Elon Musk, Kanye West, Jeff Bezos, Bill Gates, Joe Biden and Barack Obama.
Sample image of one of the fake tweets from Twitter. Courtesy image
Twitter had some difficulty stopping the fake tweets, and for several hours the platform disabled all verified accounts. Initial investigations showed that the perpetrators were likely working via compromised Twitter employee accounts, using an internal admin console. How did the attackers get access to these accounts? It was likely social engineering via a phishing email. The attackers were able to trick Twitter employees into carrying out actions that would allow them to access and reveal confidential information.
In all, about 130 accounts were taken over and used to send out these fake tweets. The bitcoin wallets associated with these scams took in at least $120,000 worth of bitcoin.
Twitter has had issues with coin-doubling scams before, mostly involving Ethereum, another prominent cryptocurrency. In previous cases, scammers created fake accounts mimicking a celebrity and then tweeted that they would “double the money” of anyone sending them Ethereum. Of course, anyone who sent in money never received anything back.
The real motives and perpetrators behind the attack remain unclear. At first, it appeared that money was the primary motivation, but Twitter just revealed that at least 8 of the hacked accounts had their personal data downloaded via the “Your Twitter Data” tool. This data can include direct messages, tweets, moments, media, followers, address book, accounts you are following, and more.
Twitter is limiting details on the attack, as they continue their investigations and remediation steps. According to the New York Times, the attack was likely not carried out by a “sophisticated group,” but rather a group of young people. This attack is especially alarming given Twitter’s importance as a platform for political discussions, as we lead up to the November elections.
The privacy implications are likewise alarming. If it was this easy for the attackers to access celebrity accounts, how easy would it be for them to access other accounts? Social media accounts may not be as secure as we think, even with protections like strong passwords and two-factor authentication. It makes sense that bad actors would go straight to the source, hacking the humans, and getting access to back end admin tools. This would be exponentially easier than trying to crack passwords and two-factor authentication.
Celebrity social media scams have been around for quite some time, though the involvement of cryptocurrency is a newer twist. If a “celebrity” reaches out to you via social media, or tweets or posts something that seems too good to be true, it is a scam. You can’t trust social media; anyone can create an account claiming to be a celebrity, add pictures grabbed from the internet, and so on. If you see a post on Facebook offering to “double your money” or offering prizes, it’s a scam. Do not interact with the account; report it to the social media site so they can investigate it.
In addition to social media scams, you might also receive an email from a “celebrity,” like Reba McEntire. A recent scam reported out of South Carolina involved a woman who received an email from someone claiming to be Reba McEntire. Again, this is a common scam, “the Celebrity scam,” where people pose as a celebrity and send out blind emails to many people, hoping to find a fan. If you get an email claiming to be from a celebrity, ask yourself: why would this celebrity be contacting me? The answer is, they wouldn’t be. Don’t reply or interact in any way; delete it from your inbox.
Be careful who you trust on social media; remember that anyone can pretend to be anything they want on the internet. If something seems too good to be true, it is too good to be true: it’s a scam, so do not click or otherwise interact with it. Report it if you can, then ignore it and move on to more important things, like cat videos.
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.