In January, cybersecurity researchers at HackerOne warned of a vulnerability in Twitter that could allow an attacker to acquire the phone number and/or email address associated with user accounts, even if the user had hidden those fields in the platform’s privacy settings. Twitter responded with a patch, but this month it was reported that the resulting database is now being sold on Breach Forums, a popular hacking forum on the nefarious Dark Web.
According to HackerOne, the database allegedly consisted of 5.4 million users, and included records for celebrities, politicians and businesses. The owner of Breach Forums reportedly verified the authenticity of the leaked data.
“This is just more confirmation that privacy is an illusion for the most part,” warned Timothy Morris, technology strategist at cybersecurity firm Tanium, via an email.
“The ability of this vulnerability to expose someone’s aliases or non-attributable Twitter profiles demonstrates this reality in a powerful way,” explained Morris. “It’s concerning, especially for those in sensitive situations, such as crime victims, political activists/dissidents, and those under the thumb of oppressive regimes. While, in this instance, the discovery was responsibly disclosed and addressed, the reality is Twitter handles and identities are a sought-after commodity that can be used to compromise other systems or wreak havoc in someone’s personal life. It’s likely that there are other vulnerabilities yet to be exposed that will yield similar access, so it’s reasonable to expect this trend to continue.”
Facebook Also Targeted In An Attack
It isn’t just Twitter that is in the news this week for a cybersecurity-related issue. Researchers also announced that a new malware operation dubbed “Ducktail” has been targeting individuals and employees who have access to a Facebook Business account.
This particular malware is quite insidious: it steals browser cookies and uses them to ride the victim’s already authenticated Facebook sessions, stealing information from the account without needing the password. It can ultimately hijack any Facebook Business account the victim has access to.
“As businesses become more aware and resilient to traditional ransomware attacks, cybercriminals will look for new ways to convert successful cyber attacks into ill-gotten financial gains,” said Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel.
“Historically we’ve seen similar attacks on social media accounts such as the Twitter hack in July 2020 that included Elon Musk among over 100 other celebrities that targeted account followers by tweeting out cryptocurrency scams from the compromised accounts, but the directed approach of targeting Facebook business accounts is a new and interesting angle,” Clements continued. “Contrasting with prior social media hijacking that makes itself obvious very quickly by posting links to scams or malware, this campaign is stealthier, looking to modify ad spends or introduce ad fraud.”
Experts suggest that businesses looking to protect themselves must adopt a true culture of security that considers all potential threats as part of their overall cybersecurity risk management strategy, including social media accounts.
“Often, social media accounts are managed by PR or marketing teams with no input or oversight from the cybersecurity teams to ensure that best practices for those accounts include strong passwords, multifactor authentication, and real-time monitoring capabilities to detect potential compromise,” explained Clements. “Still, it’s important for businesses to understand that the risk from this latest threat goes beyond just social media accounts like Facebook. The Ducktail malware steals more info from its victims than just Facebook access that could be used to launch further attacks directed at both the person and business.”
When using social media, many users may not be thinking of the social engineering implications of over-sharing personal information. However, what people share in posts can paint a very vivid picture of a person, which hackers can then exploit.
“This story is just one more example of the success of social engineering used by hackers. Social engineering is the number one cause of most malicious data breaches,” said Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4.
“Nothing else is even close, percentage-wise,” Grimes warned. “Nearly every organization could best improve their cybersecurity defense plans if they focused far more on reducing the likelihood of social engineering compromise. No other single defense could do more to protect an organization against hacking and malware. Every organization should look to see what they can improve in their defense-in-depth plan (e.g., policies, technical defenses, and education) to defeat social engineering. It is because almost no organization appropriately focuses the necessary resources and training against social engineering that allows hackers and malware to be so long-term successful. Hackers love that defenders are distracted and don’t focus appropriate resources on the number one threat.”
Protecting Identity And Data
The security experts warn that even in the context of “social media,” users shouldn’t let their guard down. In fact, this is where users should actually adopt a more secure posture.
“To avoid being victimized, it’s best to operate under the mindset that digital footprints exist everywhere and can never be completely eradicated, and thus, anonymity in the digital realm is a fallacy,” said Morris. “For developers, this vulnerability also shows there’s still a need for proper input validation and to ensure that any request is authorized or authenticated. The root of this specific vulnerability is that of improper access control.”
These attacks also show that stronger authentication tools should be employed by everyone, individuals and organizations alike.
“As individuals, we are aware of the personal threats posed by cyber attacks directed against us,” suggested Erfan Shadabi, cybersecurity expert with data security specialists comforte AG.
“As members of businesses and organizations, we know that enterprise data, which is the lifeblood of the corporation, is always a tempting target for hackers,” Shadabi continued. “The recent attack against Twitter should underscore the need for data-centric security such as tokenization or format-preserving encryption to be applied to sensitive data wherever it resides in order to render that data incomprehensible and thus worthless for exploitation. Preventing attacks and breaches is not 100 percent fool-proof, so we can only hope that big techs have instituted the mitigating measures of data-centric security applied directly to data in case that sensitive information falls into the wrong hands.”