
Screams, Porn Interrupt Virtual Hearing for Twitter Suspect

No Password Was Set for Virtual Bail Hearing
Florida Judge Christopher C. Nash reacts as virtual bail hearing for the Twitter hack suspect was Zoom bombed.

Chaos ensued when miscreants interrupted a virtual bail hearing on Wednesday for the suspected Twitter hacker, hijacking the feed with screams, chatter and, for a few brief seconds, pornography.


Graham Ivan Clark, 17, is facing 30 felony charges in connection with a breathtaking takeover of dozens of high-profile Twitter accounts in mid-July. He appeared before the Criminal Court in Hillsborough County in Tampa, Florida. His bail hearing was conducted via Zoom videoconferencing because of ongoing pandemic restrictions, but the court forgot to password-protect the Zoom meeting.

Allison Nixon, chief research officer for the New York-based cybersecurity consultancy Unit 221B, was one of many in the security community who watched the hearing. Her company has been investigating the Twitter attacks.

She says court systems need tech-savvy staff to secure these kinds of proceedings, particularly those involving defendants accused of internet-related crime.

“This defendant's social circle sits at an intersection between cybercrime and gang activity, and when certain names joined the Zoom chat, it was clear something was going to go down,” she says. “I'm just glad the inevitable porn video only had adults. A lot of people were recording that.”

Clark is believed to have used social engineering to gain authentication credentials for an internal Twitter administration panel, which allegedly allowed him to take over 130 high-profile accounts. He has pleaded not guilty to all 30 charges. Also charged are Mason Sheppard, 19, of Bognor Regis, U.K., and Nima Fazeli, 22, of Orlando (see: Twitter Hack: Suspects Left Easy Trail for Investigators).

Forty-five compromised Twitter accounts, including those belonging to former President Barack Obama, Tesla CEO Elon Musk and Microsoft founder Bill Gates, tweeted messages falsely promising to double the number of bitcoins sent to their accounts in return. Clark is accused of collecting at least $117,000 through the sale of compromised accounts and bitcoins received from people who were duped.

A notice sent out in advance of Clark’s hearing listed the Meeting ID, 989-1719-4197, followed by the phrase “no password required.” The meeting details were contained in public documents, which meant that anyone with those details could join the hearing.

The Zoom meeting for Graham Clark’s virtual bail hearing was not password protected, as seen in this notice

At least 173 people were on the call due to the international media attention around the Twitter attack. Clark was seeking a ruling to reduce his bail, which is set at $725,000, according to his charge sheet.

Interloper: ‘Blem a Zoot’

The disruptions began about 14 minutes into the hearing and continued intermittently. At one point, Clark’s attorney, David T. Weisbrod, was suddenly interrupted by a British accent with a screenname, “Zachariah Z.”

That person played a humorous audio clip that had been making the rounds on social media and includes the phrase “blem a zoot,” which is British slang for smoking marijuana.

The video then switched to Judge Christopher C. Nash, who shook his head. “Sorry I’m removing people as quickly as I can when a disruption happens Mr. Weisbrod,” Nash said.

“No worries, understood,” Weisbrod said. Weisbrod continued for a few more seconds, describing movements of Clark’s bitcoin funds. Then the view switched again from Weisbrod, showing a clip from the pornographic video site PornHub.

Weisbrod audibly groaned. Nash stammered. “Alright, we’re gonna, we’re just gonna…I’m just gonna end this call. I’m gonna reapply to….,” Nash said.

Then, screams were heard from someone with a screenname of “Avery Jenkins.” The meeting continued later, only to be interrupted by loud music, reports Florida broadcaster WFLA. WFLA also reported that some of the people in the meeting posed as if they were from news organizations such as CNN and the BBC.

Eventually, Nash ruled that the bail amount of $725,000 will stand, according to the Tampa Bay Times. Clark will be allowed to draw on $3 million of his funds, some of which appears to be held in bitcoin, to post bail. Clark is also forbidden from using the internet, the newspaper reports.

Zoom Security Controls

The need to guard against the mistake made by the court should be all too obvious five months after courts, schools and companies dramatically increased their dependence on video calls as a result of worldwide lockdowns put in place to prevent the spread of COVID-19.

Zoom surged in popularity, and soon a new term entered the technology lexicon: “Zoom bombing,” in which uninvited people who have the right meeting details crash a call (see: Fraudsters Take Advantage of Zoom's Popularity).

Part of the success of these kinds of attacks was due to some Zoom users’ unfamiliarity with the controls in place to stop intruders. As a result, Zoom improved its security controls and fixed some security problems. Zoom turned on some security features by default, including protecting meetings with a password and a “waiting room” where a host can vet participants before they join a call.

Hosts can also permanently boot someone from a meeting. In some circumstances, screen sharing is limited to only the host of the meeting, reducing the chance of surprise images. But Zoom does allow users to turn off some of those settings or change their behaviors (see: Zoom Still Addressing Security, Privacy Concerns).

Clark’s future hearings should be more tame. The Tampa Bay Times reported that Judge Nash says the next hearing, scheduled for October, will be password protected.


About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
