What is the difference between phishing and spear phishing? Lessons from the Twitter hack

The Twitter hack was one of the most serious cyberattacks of the year. The result of an elaborate spear phishing attack, the Twitter bitcoin scam exploited the image of well-known individuals and companies. The attackers targeted Twitter employees and managed to get their login credentials, gaining access to highly confidential data. How could a phishing attempt go undetected at a tech company? Many think phishing can trick only gullible people, but there are many forms of phishing, some of them quite complex: spear phishing, whaling, angler phishing. In what follows, we look at the differences between phishing and spear phishing, and at what we can learn from the biggest hack in Twitter’s history.

How did the Twitter hack unfold?

On July 15th, the attackers managed to access the Twitter accounts of high-profile individuals and companies, including public figures such as Bill Gates, Barack Obama, and Elon Musk. They tweeted from 45 accounts, asking followers to send bitcoin to a cryptocurrency wallet and promising to reward participants with double the amount in return. As they were coming from prestigious accounts with thousands of followers, the scam tweets were successful.

Although Twitter acted swiftly, more than $110,000 worth of bitcoin was deposited into the attackers’ bitcoin wallets. The tweets promoting the bitcoin scam were up for around two hours, and more than 320 transactions took place.

The scam tweet posted by hacker Kirk#5270 from Apple’s official account

Who is behind the Twitter bitcoin scam?

Last Friday, the hacker behind the Twitter attack was identified by authorities: Graham Ivan Clark (aka Kirk#5270), a 17-year-old from Tampa, Florida. He got in touch with at least two other hackers through Discord and ogusers.com, a popular hacking forum: 22-year-old Nima Fazeli (aka Rolex, Rolex#0373, and Nim F), and 19-year-old Mason John Sheppard (aka Chaewon and ever so anxious#001). The accomplices agreed to help Clark sell highly sought-after Twitter accounts in exchange for a cut from each transaction.

Hackers thrive by stealing accounts and selling them in the dark corners of the internet. They steal the login details, get the rightful owners locked out of their accounts, and then put the accounts up for sale on hacker forums such as ogusers.com. In a discussion with journalists from The New York Times, the hackers said someone was willing to pay the bitcoin equivalent of $1,500 for the Twitter handle @y. One-letter and one-word Twitter handles are very popular among hackers, and the group managed to sell @dark, @w, @l, @50 and @vague for hefty prices. Independently of the high-profile accounts hacked to promote the bitcoin scam, there was money to be made from selling popular Twitter handles.

The FBI got access to a database that was leaked earlier this year when ogusers.com was breached, and worked with the Coinbase cryptocurrency exchange to obtain information about the bitcoin addresses that the suspects shared on the forum. Some of the suspects accessed the forum and Coinbase from the same IP address, so it was just a matter of time until they were tracked down.

How was the Twitter hack possible?

Twitter is conducting its own investigation to figure out how the hack happened and declared that the social engineering attack “targeted a small number of employees through a phone spear phishing attack”. The hackers managed to get sensitive information that helped them obtain access to the company’s account management tools. While not all the targeted employees had access to the tools used to manage Twitter accounts, Clark used his first victims to get to those employees with special access rights. From Clark’s collaborators, journalists found out that he also managed to get into Twitter’s Slack channels, where he found login details shared in Slack conversations.

The hacker behind the Twitter bitcoin scam knew how to exploit the current situation. Since many employees have been working from home because of the COVID-19 pandemic, many communication patterns have changed. It is more likely that someone would respond to a phone request now that most communication takes place on the phone or through messaging apps. Employees might make exceptions and share sensitive information through channels they were not using before for this purpose. The COVID-19 pandemic was a fertile ground for cyberattacks, especially mobile phishing attempts, which increased significantly over the past few months.

This shows how dangerous spear phishing can be for an organization. If only one member discloses seemingly harmless information, it can be combined with other information, enabling hackers to find their way into the organization’s internal network.

What is the difference between phishing and spear phishing?

Phishing is an untargeted attack, usually conducted by email, through which scammers try to get sensitive information from their victims: login details, credit card details. For example, a scammer can request login details using a fake login page.

Spear phishing is a targeted attack where scammers contact victims using personalized messages, usually via email, with the goal of tricking them into sharing confidential information. Although phishing and spear phishing scams have the same goal, the methods used in spear phishing attacks are more complex. Unlike phishing, which is aimed at a broad, unspecific audience, spear phishing is focused on a well-defined group of people. Scammers gather information by examining the online presence of targeted victims, looking at everything from social media profiles to comments on public forums. Once enough data is collected, skilled scammers can construct a highly credible message.

What other types of phishing attacks are there?

While the common perception is that only credulous people fall prey to phishing, it’s not out of the ordinary for experienced internet users to get scammed. In its most basic form, phishing doesn’t target specific groups; it is spread just like spam to all the email addresses the scammers manage to collect. But the more elaborate forms of phishing are carefully crafted attacks, such as spear phishing, whaling or angler phishing, where hackers get access to personal data and use it to make their messages seem legitimate. A moment of negligence and hackers get their way.

What is whaling?

It is not yet clear how the hacker reached the employees who had access to the account management tools, but it could have been a tactic like whaling. Whaling is an effective form of phishing where scammers pose as senior staff, often C-level executives, exploiting the psychological tendency to conform to authority. Using the name of a senior executive, the hackers email employees from a fake domain name that appears legitimate and request confidential data. Other times, they ask the employees to transfer funds from a corporate account to a fake account. They pretend it’s an urgent matter that requires immediate action. Since there are no links or attachments, it is harder for the spam filter to pick up whaling emails, especially if the content is carefully crafted.

What is angler phishing?

Angler phishing targets social media users. Scammers set up fake customer service accounts for real businesses, mostly financial services or e-commerce sites, and get in touch with customers on social media. They pretend to offer help with a request or ask users to verify their accounts, then send them to a fake landing page where they must first enter their login details. Another method of getting access to sensitive information is sharing malicious links through instant messaging.

How can you protect yourself from spear phishing attacks?

Social media is a common way for scammers to gather information. You should make sure your public posts contain as little personal information as possible or, better yet, make your social media profiles private. When using internal communication tools, try to stick to company protocols and do not share passwords through internal messaging channels such as Slack or Microsoft Teams. The Twitter hack gave us one important lesson: each person is responsible for the safety of the organization. In your workplace, talk to your colleagues about any concerns you have and be extra careful with emails that seem suspicious, even if the name of the sender is known to you. You should check the full email address, including the domain name, and take a careful look at the links included. On our blog, you can find more tips on how you can protect yourself against spear phishing and generic phishing attacks.
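The checks recommended above (look at the full sender address and its domain, look at where links really point) and the whaling pattern described earlier (an executive's name on a message sent from a look-alike domain, with urgent wording and no attachment) can be automated as a first-pass triage for the inbox or help desk. The following Python script is an added example written for this article, not code from Twitter or from any product mentioned here. It assumes a hypothetical organisation domain `example.com` and a hypothetical list of executive names; the two e-mail messages it inspects are constructed samples, not real messages.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation data (assumptions for this example, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap")
# Matches link text that itself looks like a URL or bare domain, e.g. "https://example.com/x".
LABEL_DOMAIN = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (enough for .com-style hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but is within two edits of it, or embeds our name."""
    d = registrable(domain)
    if d == ORG_DOMAIN:
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    return edit_distance(d, ORG_DOMAIN) <= 2 or org_label in d


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw: str) -> list:
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()

    # Whaling pattern: an executive's display name on a message from outside our domain.
    if display.strip().lower() in EXECUTIVE_NAMES and registrable(sender_domain) != ORG_DOMAIN:
        findings.append(("exec-name-external-domain", f"'{display}' sent from {sender_domain}"))
    if is_lookalike(sender_domain):
        findings.append(("lookalike-sender", f"{sender_domain} resembles {ORG_DOMAIN}"))

    # Replies silently redirected elsewhere.
    reply_to = parseaddr(msg["Reply-To"] or "")[1].rpartition("@")[2].lower()
    if reply_to and reply_to != sender_domain:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_to} != From {sender_domain}"))

    # Links whose visible text names one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for href, label in parser.links:
            href_host = (urlparse(href).hostname or "").lower()
            m = LABEL_DOMAIN.match(label)
            label_host = m.group(1).lower() if m else ""
            if label_host and registrable(label_host) != registrable(href_host):
                findings.append(("link-text-mismatch", f"text shows {label_host}, href is {href_host}"))
            if is_lookalike(href_host):
                findings.append(("lookalike-link", f"{href_host} resembles {ORG_DOMAIN}"))

    # Pressure wording, the usual companion of a whaling request.
    haystack = ((msg["Subject"] or "") + " " + text).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append(("urgency", "urgency language present"))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.net
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I need this handled immediately and discreetly.</p>
<p>Confirm the details here: <a href="http://example-login.net/verify">https://example.com/finance</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Lunch next week
Content-Type: text/plain; charset="utf-8"

Shall we do Tuesday? Agenda is on the intranet: https://intranet.example.com/agenda
"""

if __name__ == "__main__":
    for name, sample in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_message(sample) or "no findings")
```

Each finding is a hint for a human to look more closely, not a verdict: a legitimate contractor can write from a domain that contains the company name, and a genuine executive can be in a hurry. What the script does reliably is make the full address, the Reply-To header and the real link destination visible, which is exactly what a rushed reader skips.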