Kaspersky comment: Twitter confirms cryptocurrency hack
July 2020 by Dmitry Galov, security researcher at Kaspersky
Following the news that Twitter has confirmed it was hacked in an unprecedented cryptocurrency scam, Dmitry Galov, security researcher at Kaspersky, has provided advice on how to recognise social media scams and how to maximise the protection of your account.
“Hacking into popular accounts to publish scam messages isn’t a new practice, nor is the ‘double the donation’ scam. What is curious in this case is the scale of the attack and the fact that the actor completely took over the verified accounts - their emails have been changed, so the owners aren’t able to get access back quickly enough. This scam was extremely effective - the amount gathered from the victims now equals over 120 000 USD, and this is just in one day. I think there are two major takeaways from this incident. First, users need to be aware of scams and stay cautious on social media; they need to be able to recognise them. Second, we need to be extra careful with our online assets—anything critical has to have, at a minimum, two-factor authentication,” commented Dmitry Galov, security researcher at Kaspersky.
To recognise scams in social media, keep in mind the following:
• A hallmark of almost every scam is a time limit. Not only does it stop the victim from checking the offer properly, it also puts psychological pressure on them, making it easier to overlook details. Afraid of missing a great opportunity, even careful people can be tempted into taking a risk and falling for the attackers’ trick.
• In this case, the scam was also tailored to the personality and tone of voice of each hijacked account, which made it look legitimate. Criminals may go further and dress a scam up with authentic-looking design or deepfakes. Keep in mind that genuine campaigns, and even individual giveaways of this scale, are backed by terms and conditions published outside social media, even for the briefest promotional offer, and the payment side is usually transparent rather than tied to private bitcoin wallets.
• Remember that it is highly unlikely that any official enterprise or established individual will ask you to transfer money to them, even with a promise to return it later or as a joke, not least because of the tax and financial reporting problems that would create.
To maximise the protection of your account in social media, keep in mind:
• While it is absolutely essential to have a strong password, it should also be unique, so that if another website leaks your credentials, your other accounts remain safe. To create and remember a strong, distinct password for each website, use a memory technique or a password manager.
• Use two-factor authentication, where your login and password must be confirmed with a one-time code. Prefer an app that generates these codes over text messages, since SMS delivery can be hijacked (for example through SIM swapping). Alternatively, use a physical security key that connects to your device over a USB cable or NFC.
• Another measure is a thorough review of the third-party apps that have access to your Twitter account; they are listed in the account settings. Revoke access for all of them, or at least for any app you do not use or do not consider well protected, so that a compromise of the app cannot be used to reach your account.
• Use a tool such as Kaspersky’s “Privacy Checker” to tighten the privacy settings of your social media profiles. It makes it harder for third parties to find highly personal information.