Twitter says the hackers used a phone to fool the social media company’s employees into giving them access to accounts.
Two teenagers and a 22-year-old were charged with hacking the Twitter Inc accounts of famous people including former President Barack Obama, billionaire Bill Gates and Tesla Chief Executive Elon Musk, the Department of Justice said on Friday.
Mason Sheppard, a 19-year-old British man who went by the alias Chaewon, was charged with carrying out the hack, as well as related wire fraud and money laundering crimes, according to a Justice Department statement.
Orlando, Florida-based Nima Fazeli, 22, nicknamed Rolex, was charged with aiding and abetting those crimes. The Justice Department did not name the third defendant, but the Hillsborough County State Attorney’s Office in Tampa, Florida said it had arrested 17-year-old Graham Clark.
In a statement, Twitter said it appreciated the “swift actions of law enforcement.”
The FBI said that two of the accused had been taken into custody, without identifying them.
Clark on July 15 posted messages under the profiles that solicited investments in bitcoin, a digital currency, said the Florida State Attorney’s Office. A publicly available ledger of bitcoin transactions showed he was able to obtain more than $100,000 that way.
"The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother"https://t.co/hD4JgBxs9v— Michal Špaček (@spazef0rze) July 18, 2020
Hillsborough County State Attorney Andrew Warren told journalists that his office had filed 30 felony charges against Clark , who was in state custody.
Warren said the adolescent was being prosecuted under state rather than federal law because Florida law enabled the state to charge him as an adult.
“This was a massive fraud orchestrated right here in our own backyard, and we won’t stand for that,” he said.
The hacks led to bogus tweets being sent out on July 15 from the accounts of Obama, Joe Biden, Mike Bloomberg and a number of tech billionaires including Amazon CEO Jeff Bezos, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk. Celebrities Kanye West and his wife, Kim Kardashian West, were also hacked.
The tweets offered to send $2,000 for every $1,000 sent to an anonymous Bitcoin address.
Twitter previously said hackers used a phone to fool the social media company’s employees into giving them access. It said targeted “a small number of employees through a phone spear-phishing attack”.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company tweeted.
After stealing employee credentials and getting into Twitter’s systems, the hackers were able to target other employees who had access to account support tools, the company said.
The hackers targeted 130 accounts. They managed to tweet from 45 accounts, access the direct message inboxes of 36, and download the Twitter data from seven. Dutch anti-Islam legislator Geert Wilders has said his inbox was among those accessed.
Spear-phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.
Twitter said it would provide a more detailed report later “given the ongoing law enforcement investigation”.
The company has previously said the incident was a “coordinated social engineering attack” that targeted some of its employees with access to internal systems and tools. It did not provide any more information about how the attack was carried out, but the details released so far suggest the hackers started by using the old-fashioned method of talking their way past security.
British cybersecurity analyst Graham Cluley said his guess was that a targeted Twitter employee or contractor received a message by phone asking them to call a number.
“When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials,” Cluley wrote on his blog on Friday.
It is also possible the hackers pretended to call from the company’s legitimate helpline by spoofing the number, he said.