Hey Jack, How Was Your Account Hacked?
Erratic Storm of Tweets Traces to Serial Takeover Artists 'Chuckling Squad'
Twitter CEO Jack Dorsey's account on the social media service was hijacked on Friday and briefly used to issue racist and profanity-laden tweets.
The embarrassing security lapse comes in the midst of ongoing public debate over Twitter's efforts to counter the use of its platform by white supremacists, racists and anti-Semites. Together with other social media platforms, Twitter also continues to be used by foreign nation-states as part of disinformation campaigns, including attempts allegedly run by Moscow to interfere in the 2016 U.S. presidential elections (see Facebook and Twitter Scuttle Hong Kong Disinformation).
Before Twitter regained control of its CEO's @jack account on Friday, hijackers had used it to issue a variety of tweets, including reposting a tweet by a Holocaust denier as well as claiming there was a bomb at the headquarters of the San Francisco-based technology giant.
The erratic tweets began to appear at 12:44 p.m. Pacific Time, and disappeared about a half hour later, when Twitter says it regained control of the account.
The account is now secure, and there is no indication that Twitter's systems have been compromised.
— Twitter Comms (@TwitterComms) August 30, 2019
Twitter blamed the account hijacking on a third party.
"The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter says in a statement. "The account is now secure, and there is no indication that Twitter's systems have been compromised."
Twitter has declined to name the mobile provider or provide further details about how its founder's account came to be compromised.
The individual or group behind the attack appears to be the "Chuckling Squad." Some tweets included a link to a chat room hosted on a Discord server - a free VoIP, text and image-sharing platform that gamers commonly use to talk while playing multi-player games. In the chat room, a user named "Aqua" teased that something was about to happen to Twitter, then reposted some of the tweets made via Dorsey's account, until the Discord server went offline after 1 p.m. Pacific Time, the Guardian reported, saying it had briefly gained access to the server before it disappeared.
This isn't the first time that Dorsey's account has been compromised. In 2016, a group of allegedly Saudi Arabian hackers operating under the banner of "OurMine" took over Twitter accounts belonging to Dorsey - and also Twitter co-founder Evan Williams and former CEO Dick Costolo - as well as Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai and Netflix's U.S. account (@netflix), among others. OurMine used the takeovers to advertise its hacking services, and has continued to be tied to fresh hack attacks (see Hackers Deface Popular Videos Published by Vevo).
After co-founding Twitter in 2006, Dorsey returned to the helm in 2015, although he continues to serve as CEO and chairman of Square, which he also co-founded. Last year, Dorsey committed to ensuring Twitter would "help increase the collective health, openness, and civility of public conversation, and to hold ourselves publicly accountable towards progress."
Clues to Chuckling's Tactics
With Twitter declining to share further details, speculation over how attackers hijacked Dorsey's account remains rife.
One potential clue is that the errant tweets carry a Twitter label saying they were posted via Cloudhopper. Cloudhopper is a service Twitter acquired in 2010 that lets users post tweets of up to 160 characters by sending text messages, typically to a short code such as 40404, from the phone number linked to their account. Because that feature identifies the user by the originating phone number alone, anyone who gains control of the number can post to the account without ever logging in - and so without being challenged by the account's password or second factor. That would square with Twitter's statement that the phone number, rather than its own systems, was compromised.
Numerous cybersecurity news outlets and bloggers, including Brian Krebs, have suggested that the attack was accomplished via SIM swapping. In such attacks, a third party persuades or bribes a mobile carrier into moving the target's phone number to a SIM card the attacker controls. Calls and text messages to that number - including one-time codes and password-reset links - then go to the attacker, who can use them against any service that relies on the number for authentication or account recovery (see Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
Chuckling Squad appears to have form for such attacks. Notably, the group has used them at least 10 times previously to hijack accounts and post racist and profanity-laden tweets to the accounts of such social media personalities as "Shane Dawson, James Charles, Etika, Shroud, King Bach, Amanda Cerny and many others," gaming news site Treyex Hub reported last week.
Second time my phone number was hacked because of human error within company at @ATT?! I have all possible steps of verification added after the first time again and my account was still compromised... time to switch carriers. Be careful out there everyone.
— Amanda Cerny (@AmandaCerny) August 23, 2019
The news site noted that Chuckling Squad appears to be run by Aqua.
Dorsey Uses Multi-Step Verification
Dorsey has previously stated that he uses two-factor authentication to secure his account. In his written testimony to the Senate Select Committee on Intelligence, for its Sept. 17, 2018, hearing on "Foreign Influence Operations Using Social Media," Dorsey wrote that he uses two-factor authentication, although he declined to say whether it was tied to a hardware security key, which Twitter began supporting in June 2018 (see Facebook, Twitter Defend Fight Against Influence Operations).
But in his testimony, Dorsey noted that overall two-factor authentication uptake for Twitter accounts remained scant. "A relatively small number of people using Twitter within the United States have two-factor authentication enabled," he wrote.
If Dorsey was using two-factor authentication and still got hacked, that raises the question of whether other high-profile users' accounts might also be susceptible to takeover despite the additional security capabilities on offer. One prominent Twitter user, for example, is U.S. President Donald Trump, whose tweets have the power to move markets - not always in an upward direction - as well as influence geopolitical discussions.
Some 'Authentication' is Better Than Others
Twitter offers several options for securing accounts beyond passwords: one-time codes sent by SMS to a mobile phone number, a mobile authenticator app that generates time-based codes on the device, or a hardware security key such as a YubiKey.
In the wake of the hijacking of Dorsey's account, numerous experts have repeated their longstanding recommendation to avoid any security measure that relies on a personal mobile phone number - and in particular to avoid building or using SMS-based two-factor authentication - noting that mobile network providers and their SMS networks remain a weak link. Likewise, attackers can develop malware - as has been seen in the past on Android devices - that intercepts one-time codes sent to mobile devices via SMS and forwards them to the attacker. SMS codes are still better than a password alone, but they should be a fallback of last resort rather than the default, and the same caution applies to a phone number kept on file for password resets or account recovery: that number can undermine an otherwise stronger second factor.