As Twitter went through the worst-ever cyber attack on any social media platforms on Thursday, at least 367 users transferred around $1,20,000 (over Rs 90 lakh) to hackers in Bitcoins before the Twitter teams swung into action to stop the cryptocurrency scam that hit several top-notch public profiles.
According to the cybersecurity firm Kaspersky, the major scam flags the fact that we are living in the era when even people with computer skills might be lured into a scammers trap and even the most secure accounts can be hacked.
"In our estimates, within just two hours, at least 367 users have transferred around $1,20,000 in total to attackers. Neither a website/software is entirely immune to bugs nor is the human factor immune to mistakes. Therefore, any native platforms might be compromised," Dmitry Bestuzhev, Cybersecurity expert at Kaspersky, told IANS.
Twitter issues apology
Twitter admitted it was a "coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools".
Twitter CEO Jack Dorsey has also apologized.
"Tough day for us at Twitter. We all feel terrible this happened," Dorsey tweeted after the accounts of major public figures including US Democratic presidential candidate Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Apple and Uber were simultaneously hacked by attackers to spread a cryptocurrency scam.
Arjun Vijay, Co-Founder and COO of Giottus Cryptocurrency Exchange, said such scams have happened in the past but never at this scale.
"It was a well-coordinated attack where multiple accounts got hacked at the same time, with the same tweets directing users to the same scam site," he said in a statement.
"The hacker had complete access to Twitter. He could post anything from any of the official accounts. But he chose to seek Bitcoins through false promises. People should be more careful," Vijay warned.
Paul Ducklin, Principal Research Scientist at cybersecurity firm Sophos said that if Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn't demand that you hand them money first.
"That's not a gift, it's a trick, and it's an obvious sign that the person's account has been hacked. If in doubt, leave it out!" he said.
Cryptocurrency is untraceable
Cryptocurrency transactions don't have the legal protections that you get with banks or payment card companies.
"There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes to in an envelope - if they go to a crook, you will never see them again. If in doubt, don't send it out!" he added.
Some high-level employees at Twitter were targeted by Social Engineering campaigns to gain access to high profile accounts.
"If purely digital companies like Twitter can be breached through social engineering attacks, then other organizations and individuals are not safe either. Cybersecurity is everybody's responsibility and employees can be an organisation's best defence," Himanshu Dubey, Director, Quick Heal Security Labs, told IANS.
(With inputs from IANS)