Forum Posts
karadees2
Apr 20, 2021
In Questions & Answers
Twitter provided more info on its recent hack. Several of its employees fell for social engineering attacks over the phone. Based on the content of Twitter's disclosure it's not quite clear if it was pretexting or vishing that caught several employees, who then enabled the attackers to go after those employees with elevated privileges. Was it a vish (phone link) or just talking employees into giving up the info? KnowBe4's Chief Hacking Officer, Kevin Mitnick, made pretexting infamous by using quick thinking and persuasive guile to convince target company employees (who usually want to be helpful) to provide the info needed to penetrate the networks :) This is why it is SO important to train your employees so they are not duped into giving away the keys to the kingdom or into clicking on phishing/vishing links. Twitter said:

"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7."

The statement from Twitter did not make it clear if it was vishing through an SMS text link, or pure pretexting, or talking the employees into giving up the info necessary to get access to accounts through the phone.

At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.

"The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames."
karadees2
Apr 20, 2021
In General Discussion
The Hacker News reported on a flaw found by a security researcher that took advantage of the "manage versions" revised-document feature in Google Drive. The researcher, Allison Husain, found that you can upload a revised malicious document that will replace the previous safe document and give it the same name, and it retains the safe extension. So you could upload any kind of file and it would potentially look like the original PDF.
A hacker could send a malware-laced spear phish from Google Drive, potentially allowing for yet another effective cloud-based spear phishing attack. Hopefully, Google will patch this one real fast. Google quickly patched another flaw today that allowed spoofing from G Suite, which also could have allowed hackers to send out phish from spoofed Gmail accounts! The article says:
“Google lets you change the file version without checking if it’s the same type,” Nikoci said. “They did not even force the same extension. Needless to say, the issue leaves the door open for highly effective spear-phishing campaigns that take advantage of the widespread prevalence of cloud services such as Google Drive to distribute malware.”
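The quoted behaviour is that a new revision of a shared file is accepted without checking that it is the same type as the file it replaces, so the link keeps its trusted name and extension while the bytes become something else. The following is an added example, not code from the article, from the researcher, or from Google: it shows the kind of revision check a file-sharing service would apply, deriving the type from the content's leading bytes rather than from the filename. The magic-byte table, the `Revision` class and the `revision_allowed` function are constructed for this illustration (a real service would use a full signature database such as libmagic), and the sample PDF and executable bytes are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed magic-byte table for a few common types (illustration only; a real
# deployment would use libmagic or an equivalent full signature database).
MAGIC_SIGNATURES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),        # OOXML documents (docx/xlsx/pptx) are zip containers
    "pe":  (b"MZ",),                # Windows executables (.exe, .scr, .dll)
}

# Container type each servable extension is expected to carry. Extensions absent
# from this table (exe, scr, js, ...) are never accepted as a revision.
EXTENSION_TYPES = {
    "pdf": "pdf", "png": "png", "gif": "gif",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
}


@dataclass(frozen=True)
class Revision:
    """One stored version of a shared file (hypothetical model for this example)."""
    filename: str
    content: bytes


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file by its leading bytes, ignoring whatever the name claims."""
    for type_name, signatures in MAGIC_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return type_name
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension after the last dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def revision_allowed(previous: Revision, candidate: Revision) -> Tuple[bool, str]:
    """Decide whether `candidate` may replace `previous` under the same share link.

    Three checks, none of which the described versioning behaviour performed:
      1. the candidate's extension is servable and identical to the old one;
      2. the candidate's bytes really are the type that extension claims;
      3. the candidate's sniffed type equals the previous revision's sniffed type
         (catches an old revision that was stored before checks 1-2 existed).
    Returns (allowed, reason) so the caller can log why a revision was refused.
    """
    old_ext, new_ext = extension_of(previous.filename), extension_of(candidate.filename)
    if new_ext not in EXTENSION_TYPES:
        return False, f"extension '.{new_ext}' is not allowed"
    if new_ext != old_ext:
        return False, f"extension changed from .{old_ext} to .{new_ext}"

    expected = EXTENSION_TYPES[new_ext]
    new_type = sniff_type(candidate.content)
    if new_type != expected:
        return False, f"content sniffed as {new_type}, but .{new_ext} expects {expected}"

    old_type = sniff_type(previous.content)
    if new_type != old_type:
        return False, f"content type changed from {old_type} to {new_type}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a benign PDF and a revision that keeps the name but is a PE.
    benign = Revision("quarterly-report.pdf", b"%PDF-1.7\n% constructed sample\n")
    swapped = Revision("quarterly-report.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    print(revision_allowed(benign, Revision("quarterly-report.pdf", b"%PDF-1.7\n% v2\n")))
    print(revision_allowed(benign, swapped))
```

The point of check 2 is that the decision is made on the bytes, not on the name the uploader chose: a revision called `quarterly-report.pdf` whose content starts with `MZ` is refused even though its extension is the "safe" one the original link advertised. Check 1 separately stops an uploader from quietly changing the advertised type, and check 3 is a defence for revisions stored before the other checks existed.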
karadees2
Apr 20, 2021
In General Discussion
I rarely answer my phone unless I'm expecting an important call; otherwise I choose to let it go to voicemail. However, in a one-week period I made an exception twice, and both were social security scams. These calls have variations. Usually they tell you there is a problem with your social security account and they are going to disable it unless you push #1 to talk with an agent. When I spoke to the scammer he actually had my phone number and address, which they gave me verbally. Not surprising, since millions of phone numbers and addresses are freely available from data breaches or sold on hacker forums. Because of the "fake agent's" accent, I suspect the caller is likely based in a call center in India or Pakistan, but the call used a local number, which is easily done with a VoIP line. This was a pretty obvious one, but some people will inevitably fall for it. The BBB is constantly warning about this one.
karadees2
Apr 13, 2021
In General Discussion
We want everyone to get the most out of this community, so we ask that you please read and follow these guidelines:
Respect each other
Keep posts relevant to the forum topic
No spamming