Twitter hack



A few days ago, messages containing the address of a bitcoin wallet were posted on Twitter on behalf of verified accounts, including Apple, Uber, Changpeng Zhao (Binance), Vitalik Buterin (Ethereum), Charlie Lee (Litecoin), Elon Musk, Barack Obama, Joe Biden, Bill Gates, Jeff Bezos and others. In these messages, scammers promised to double any amount transferred to the wallet.

The original content of the messages: “Feeling grateful doubling all payments sent to my BTC address! You send $1,000, I send back $2,000! Only doing this for the next 30 minutes.”

Translation: “I would be happy to double all payments sent to my BTC address! If you send 1000 dollars, I will send 2000 dollars! But only for the next 30 minutes.”

As of July 17, the scammers' address had received 12.8 BTC (≈ $117,000), and transactions were made with its participation.

Apparently, the attack was carried out by people closely associated with a community that specializes in SMS spoofing attacks to compromise two-factor authentication (SIM swap scam). Shortly before the mass posting on Twitter, a message appeared on the website https:// ogusers . com whose author was selling the email address of any Twitter account for $250.

A little later, some accounts with “notable” addresses were hacked. One of the first was the @6 account of the “homeless hacker” Adrian Lamo, who died in 2018. The account was accessed using Twitter's administrative tools by disabling two-factor authentication and spoofing the email address used to reset the password.

The @b account was stolen in the same way. The stolen Twitter account and the administrative tools were captured in this picture. All posts on the platform itself with snapshots of the admin tools have been removed by Twitter. An extended snapshot of the admin panel is available here.

One Twitter user, @shinji (now blocked), posted a short message, "follow @6", along with a photo of the admin tools.

Archival records of @shinji's profile from shortly before the hacking events have been preserved. They are available at these links:

The same user owns the "remarkable" Instagram accounts - j0e and dead:

It is claimed that the j0e and dead accounts belong to the notorious SMS scammer "PlugWalkJoe", who is suspected of running major SMS spoofing attacks for several years. It is also alleged that he was, and possibly still is, a member of the ChucklingSquad group of SMS scammers and was likely involved in the hack of Twitter CEO Jack Dorsey's account last year. Jack Dorsey's account was hacked after SMS spoofing attacks on AT&T; the same group, "ChucklingSquad", is responsible for that attack.

Outside of the network, PlugWalkJoe appears to be a 21-year-old British student, Joseph James Connor, who is currently in Spain and unable to travel due to the COVID-19 situation.

PlugWalkJoe was the subject of an investigation during which an investigator was hired to establish contact with him. The investigator managed to establish a video link with the subject; the conversation took place against the backdrop of a swimming pool, a photo of which was later published on the j0e Instagram account.

By the way, there is a rather old Minecraft account named plugwalkjoe.

Note: The investigation has not been completed. Until the end of the investigation, you should not stigmatize anyone, since it is possible that @shinji is just a figurehead.

The first malicious message that became widely known was published on July 15 at 17:XNUMX UTC on behalf of Binance. It had the following content: "We have partnered with CryptoForHealth and are giving back 5000 BTC." The message contained a link to a scam site that accepted "donations." Soon afterwards, a rebuttal was published on the official Binance website.

According to Twitter support, “We have detected a coordinated social engineering attack against our employees who have access to internal tools and systems. We are aware that attackers used this access to take control of popular (including verified) accounts in order to post messages on their behalf. We continue to study the situation and try to determine what other malicious actions were committed and what data they could have accessed.

As soon as we became aware of the incident, we immediately suspended the affected accounts and removed the malicious messages. In addition, we have also limited the functionality of a much larger group of accounts, including all verified ones.

We have no evidence that user passwords have been compromised. It appears that users are not required to update their passwords.

As an additional precaution and to ensure the safety of users, we have also blocked all accounts on behalf of which attempts to change the password have been recorded in the last 30 days.”

On July 17, the support service released new details: “According to reports, approximately 130 accounts were affected in one way or another by the attackers. We are continuing to investigate whether non-public data has been affected and will publish a detailed report if it has.”

Meanwhile, Twitter shares collapsed by 3.3%.

Source: linux.org.ru
