Case Study 1: Twitter/X 2020 — Phone Social Engineering Attack on Employees

Background

On July 15, 2020, Twitter experienced a security breach that was extraordinary in both its method and its impact. Within a matter of hours, verified accounts belonging to some of the most prominent individuals and organizations in the world -- including Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, Uber, and cryptocurrency exchange Binance -- began posting messages promoting a Bitcoin scam.

The tweets, which appeared to come from these trusted accounts, typically read:

"I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000! Only doing this for the next 30 minutes."

Before Twitter could contain the situation, the scam had collected approximately $120,000 in Bitcoin from victims who believed the tweets were genuine.

What made this breach remarkable was not the scam itself -- cryptocurrency scams are common -- but the method of access. The attackers had not exploited a software vulnerability, cracked a password, or deployed malware. They had called Twitter employees on the phone and talked their way into the company's internal systems.

The Attackers

The attack was orchestrated by a group of individuals, with the primary architect being Graham Ivan Clark, a 17-year-old from Tampa, Florida. Two accomplices, Mason Sheppard (19, UK) and Nima Fazeli (22, Florida), assisted with the operation. The group was associated with the broader "OG" (Original Gangster) community -- individuals who trade in valuable social media usernames (short, desirable handles like @6, @dark, @y).

Clark had initially been interested in obtaining desirable Twitter usernames for resale. The Bitcoin scam was an escalation enabled by the level of access he ultimately achieved.

The Attack in Detail

Phase 1: Reconnaissance and Social Engineering Preparation

Before the calls, the attackers conducted reconnaissance to understand Twitter's internal structure:

  • Employee identification: Using LinkedIn, Twitter's own platform, and other sources, the attackers identified Twitter employees who might have access to internal administrative tools
  • Internal tool names: Through social engineering and online research, they learned the names of Twitter's internal tools, including an administrative panel used for account management
  • IT procedures: They gathered information about Twitter's internal IT support processes, VPN access procedures, and password reset workflows
  • Target selection: They identified specific employees in roles that would have access to (or could be persuaded to provide access to) the internal tools needed for account takeover

Phase 2: Vishing (Voice Phishing) Campaign

The core of the attack was a vishing campaign targeting Twitter employees:

  1. Initial contact: The attackers called Twitter employees, identifying themselves as members of Twitter's internal IT team
  2. Pretext: They claimed they were calling about a VPN or system access issue that needed immediate resolution
  3. Credential harvesting: The attackers directed employees to a phishing website that mimicked Twitter's internal VPN login page and had them enter their username and password
  4. Real-time relay: According to the New York State Department of Financial Services (NYDFS) investigation report, as an employee typed credentials into the phishing page, the attackers entered the same credentials into the genuine VPN login. That login triggered a legitimate MFA prompt on the employee's device; employees who approved the prompt or supplied the one-time code completed the attackers' session rather than their own

The vishing calls were effective because:

  • The attackers used correct internal terminology and tool names
  • The COVID-19 pandemic had recently forced Twitter employees to work remotely, making IT support calls about VPN issues plausible
  • Remote work also meant employees could not physically verify the caller's identity
  • The pretext created urgency without seeming suspicious

Phase 3: Internal Access and Account Takeover

With access to Twitter's internal administrative tools, the attackers:

  1. Explored internal tools: Gained familiarity with Twitter's internal admin panel, which allowed modification of account settings, email addresses, and authentication configurations
  2. Username trading: Initially used access to transfer desirable usernames (OG accounts) to accounts they controlled
  3. Account takeover: Modified the email addresses and disabled MFA on high-profile verified accounts
  4. Escalation to Bitcoin scam: Once they realized the extent of their access, they decided to execute the cryptocurrency scam using the compromised high-profile accounts

Phase 4: The Bitcoin Scam Execution

On July 15, 2020, between approximately 3:00 PM and 7:00 PM ET, the attackers (figures per Twitter's official incident update):

  1. Targeted approximately 130 accounts
  2. For 45 of those accounts, initiated a password reset, logged in, and posted the Bitcoin scam tweets
  3. Accessed the DM (direct message) inbox of up to 36 accounts
  4. Downloaded the "Your Twitter Data" archive (the account information export) for 7 accounts

Twitter's response included:

  • Temporarily preventing all verified accounts from posting
  • Locking accounts that had recently changed passwords
  • Disabling internal tools while the investigation proceeded
  • Working with law enforcement to identify the attackers

Phase 5: Investigation and Arrest

The investigation was swift:

  • The FBI, IRS Criminal Investigation, and the Secret Service were involved within hours
  • Blockchain analysis traced the Bitcoin transactions
  • Digital forensics and cooperating witnesses identified the attackers
  • Graham Ivan Clark was arrested on July 31, 2020, less than three weeks after the attack
  • He was charged as an adult in Florida with 30 felony counts; he pleaded guilty in March 2021 and was sentenced to three years in a juvenile facility followed by three years of probation
  • Sheppard and Fazeli were charged federally

Social Engineering Analysis

Psychological Principles Exploited

The Twitter attack exploited multiple psychological principles:

Authority: The attackers impersonated IT support staff, invoking institutional authority. Employees are conditioned to comply with requests from IT, especially regarding security-related matters.

Urgency: The pretext of a VPN or system access issue created time pressure. Employees working remotely and dependent on VPN access would be motivated to resolve the issue quickly.

Implied legitimacy through insider knowledge: The attackers' use of correct internal terminology, tool names, and procedures implied legitimacy. The employee's reasoning is "if the caller knows these internal details, they must be legitimate," even though every one of those details had been gathered in advance through reconnaissance and earlier calls.

Helpfulness: Employees naturally wanted to be helpful and resolve their access issue. The attackers positioned themselves as helpers, making it psychologically uncomfortable to refuse cooperation.

Trust in communication channels: A live phone call, particularly one that appears to come from an internal number, carries an implicit trust that email (which employees are trained to scrutinize) does not, and most security awareness programs at the time did not cover it.

Why Traditional Technical Controls Failed

The Twitter breach highlighted the limitations of technical security controls against social engineering:

  • MFA was present but defeated: Because the attackers replayed the phished password into the real login in real time, the MFA prompt the employee then approved (or the one-time code they supplied) was a genuine one, issued for the attackers' session. Push and code-based factors cannot distinguish the attacker's login from the user's own
  • VPN access controls functioned as designed: The attackers authenticated with valid credentials and a completed MFA challenge, so access controls granted entry
  • Internal tool access controls were insufficient: Once inside the VPN, the account-management tool was reachable by a broad population of employees and contractors, far more than needed it for their day-to-day role, and it did not require separate authorization for the most sensitive operations (email change, MFA disable, password reset)
  • Monitoring and alerting gaps: The volume and pattern of account modifications (the same operator changing the recovery email, disabling MFA, and resetting the password on many accounts in quick succession) did not trigger alerts quickly enough

Impact and Consequences

Immediate Impact

  • Financial: Approximately $120,000 stolen in Bitcoin
  • Reputational: Massive reputational damage to Twitter's security credibility
  • Political: Concerns about election security (the breach occurred months before the 2020 U.S. presidential election, and the compromised accounts included that of then-candidate Joe Biden and former President Barack Obama)
  • Privacy: Access to DMs of 36 accounts, including potentially sensitive private communications
  • Market: Twitter's stock dropped in after-hours trading following the disclosure

Long-Term Impact

  • Regulatory scrutiny: The FTC and other regulators increased scrutiny of Twitter's security practices
  • Industry awareness: The breach became a landmark case study for social engineering risk
  • Policy changes: Twitter and other major platforms reevaluated internal tool access controls, implemented stronger authentication for administrative operations, and enhanced monitoring for suspicious internal actions
  • Remote work security: The breach highlighted security challenges specific to remote work environments

Defensive Lessons

What Twitter Should Have Had in Place

Blue Team Perspective: The Twitter breach exposed critical gaps that organizations should address:

Access Controls:

  • Implement least-privilege access for internal administrative tools
  • Require additional authentication for sensitive operations (account takeover, email change, MFA disable)
  • Implement time-based, just-in-time access for administrative functions
  • Log and alert on all uses of sensitive administrative capabilities
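One way to encode the four access-control items above as a single policy gate in front of an account-administration tool, as an added example that is not Twitter's code or drawn from the NYDFS report: the role names, the action catalogue, the ticket format and the 5-minute step-up freshness window are all hypothetical. Every decision, allowed or denied, is written to an audit list so that the monitoring described later has something to consume.

```python
"""Added example (hypothetical roles/actions): a policy gate for an internal
account-admin tool that enforces least privilege, just-in-time grants that
expire, fresh hardware-key step-up for sensitive operations, and an audit record
for every decision."""
from dataclasses import dataclass, field
import time

# Sensitive actions are the ones used in the 2020 takeovers: change the recovery
# email, disable MFA, reset the password. Role names are hypothetical.
SENSITIVE = {"change_email", "disable_mfa", "reset_password"}
ROLE_ACTIONS = {
    "support_tier1": {"view_account", "add_note"},
    "support_tier2": {"view_account", "add_note", "change_email", "reset_password"},
    "trust_safety":  {"view_account", "add_note", "change_email", "reset_password", "disable_mfa"},
}

@dataclass
class JitGrant:
    role: str
    ticket: str        # approved support/change ticket justifying the grant (hypothetical format)
    expires_at: float  # unix time; the grant is useless after this

@dataclass
class Session:
    user: str
    base_role: str
    hardware_key_verified_at: float          # unix time of the last FIDO2 step-up
    grants: list = field(default_factory=list)

class AdminGate:
    STEP_UP_MAX_AGE = 300   # sensitive ops need a hardware-key assertion within 5 minutes

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so the example is deterministic
        self.audit = []      # every decision is recorded, allowed or not

    def effective_actions(self, s):
        """Base role plus any JIT grant that has not yet expired."""
        acts = set(ROLE_ACTIONS[s.base_role])
        for g in s.grants:
            if g.expires_at > self.now():
                acts |= ROLE_ACTIONS[g.role]
        return acts

    def authorize(self, s, action, target):
        reason = "ok"
        if action not in self.effective_actions(s):
            reason = "denied: not in role or active JIT grant"
        elif action in SENSITIVE and self.now() - s.hardware_key_verified_at > self.STEP_UP_MAX_AGE:
            reason = "denied: hardware-key step-up too old"
        self.audit.append({"t": self.now(), "user": s.user, "action": action,
                           "target": target, "result": reason})
        return reason == "ok"

def demo():
    """Walk one operator through the four outcomes the gate produces."""
    clock = [1_000_000.0]
    gate = AdminGate(now=lambda: clock[0])
    s = Session("alice", "support_tier1", hardware_key_verified_at=clock[0])
    r1 = gate.authorize(s, "disable_mfa", "@victim")   # not in tier-1 role
    s.grants.append(JitGrant("trust_safety", "TKT-123", clock[0] + 3600))
    r2 = gate.authorize(s, "disable_mfa", "@victim")   # grant active, step-up fresh
    clock[0] += 600
    r3 = gate.authorize(s, "disable_mfa", "@victim")   # step-up is 10 minutes old
    clock[0] += 3600
    s.hardware_key_verified_at = clock[0]
    r4 = gate.authorize(s, "disable_mfa", "@victim")   # grant has expired
    return r1, r2, r3, r4, len(gate.audit)

if __name__ == "__main__":
    print(demo())
```

The step-up check deliberately keys on the time of the last hardware-key assertion rather than on session age: a session that was legitimately established can still be driven by an attacker who has relayed the login, so the sensitive operation itself must be bound to a fresh, phishing-resistant proof of presence.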

Authentication:

  • Deploy phishing-resistant MFA (FIDO2/WebAuthn hardware keys) for all employees
  • Implement callback verification for IT support requests: if IT calls you, hang up and call back on a known number
  • Use unique verification codes for IT support interactions

Monitoring:

  • Alert on unusual volumes of account modifications
  • Monitor for mass email address changes across accounts
  • Implement anomaly detection for administrative tool usage patterns
  • Flag bulk MFA disablement events
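The monitoring items above, and the Phase 4 activity pattern they are meant to catch, as detection logic run over a constructed admin-tool audit log. This is an added example, not Twitter's detection rules; the log format, operator IDs, account names and thresholds are all made up for illustration. Two rules are implemented over a per-operator sliding window: a "takeover chain" (recovery-email change, MFA disable and password reset on the same account by the same operator) and a bulk rule (many sensitive actions across several distinct accounts).

```python
"""Added example (constructed log, hypothetical thresholds): sliding-window
alerts over account-admin audit events."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON object per line, in time order.
# Not real Twitter data; times are UTC (19:50Z is 3:50 PM ET on 2020-07-15).
SAMPLE_LOG = """\
{"ts":"2020-07-15T19:50:00Z","actor":"op-42","action":"change_email","target":"@acct1"}
{"ts":"2020-07-15T19:50:20Z","actor":"op-42","action":"disable_mfa","target":"@acct1"}
{"ts":"2020-07-15T19:50:40Z","actor":"op-42","action":"reset_password","target":"@acct1"}
{"ts":"2020-07-15T19:51:00Z","actor":"op-42","action":"change_email","target":"@acct2"}
{"ts":"2020-07-15T19:51:20Z","actor":"op-42","action":"disable_mfa","target":"@acct2"}
{"ts":"2020-07-15T19:51:40Z","actor":"op-42","action":"reset_password","target":"@acct2"}
{"ts":"2020-07-15T19:52:00Z","actor":"op-42","action":"change_email","target":"@acct3"}
{"ts":"2020-07-15T19:52:10Z","actor":"op-07","action":"view_account","target":"@acct9"}
{"ts":"2020-07-15T20:10:00Z","actor":"op-07","action":"change_email","target":"@acct9"}
{"ts":"2020-07-15T20:30:00Z","actor":"op-42","action":"change_email","target":"@acct4"}
"""

WINDOW = timedelta(minutes=15)
SENSITIVE = {"change_email", "disable_mfa", "reset_password"}
TAKEOVER_CHAIN = SENSITIVE        # all three on one target by one actor
VOLUME_THRESHOLD = 5              # sensitive actions per actor per window
TARGET_THRESHOLD = 3              # distinct targets per actor per window

def parse(text):
    """Yield events with a timezone-aware datetime in the 'ts' field."""
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            yield e

def detect(text):
    """Return alerts as (rule, actor, detail, iso_timestamp) tuples."""
    alerts = []
    recent = defaultdict(deque)          # actor -> sensitive events inside WINDOW
    chain_alerted, volume_alerted = set(), set()   # alert once per (actor,target) / actor
    for e in parse(text):                # assumes the log is in time order
        if e["action"] not in SENSITIVE:
            continue
        q = recent[e["actor"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        # Rule 1: the takeover chain on a single account.
        key = (e["actor"], e["target"])
        seen = {x["action"] for x in q if x["target"] == e["target"]}
        if TAKEOVER_CHAIN <= seen and key not in chain_alerted:
            chain_alerted.add(key)
            alerts.append(("takeover_chain", e["actor"], e["target"], e["ts"].isoformat()))
        # Rule 2: bulk sensitive actions spread across several accounts.
        targets = {x["target"] for x in q}
        if (len(q) >= VOLUME_THRESHOLD and len(targets) >= TARGET_THRESHOLD
                and e["actor"] not in volume_alerted):
            volume_alerted.add(e["actor"])
            alerts.append(("bulk_sensitive_actions", e["actor"], len(targets), e["ts"].isoformat()))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed log this fires the chain rule twice for op-42 (on @acct1 and @acct2) and the bulk rule once when op-42 touches a third account within the window; op-07's single email change, and op-42's later change at 20:30 after the window has rolled over, produce nothing. In production the same rules would run against the tool's own audit stream, and the bulk rule would be rearmed once the window expires rather than firing once per operator.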

Training:

  • Regular vishing awareness training with realistic simulations
  • Specific training for remote work security scenarios
  • Clear escalation procedures for suspicious IT support calls
  • Culture of "trust but verify" for all access requests

What the Twitter Breach Teaches About Social Engineering Defense

The Twitter breach demonstrates that:

  1. People are the control that matters most: When social engineering succeeds, every technical control downstream becomes irrelevant. The attacker enters through the front door with valid credentials.

  2. Remote work amplifies social engineering risk: Remote employees cannot verify callers by walking to their desk. IT support interactions that would be verified naturally in an office require deliberate verification procedures in remote settings.

  3. Insider access is the ultimate goal: Social engineering converts an outsider into an effective insider. The technical controls designed to prevent external attacks are useless when the attacker has legitimate internal access.

  4. Young attackers, serious impact: The primary attacker was 17 years old. Social engineering does not require advanced technical skills, expensive tools, or years of experience. It requires understanding human psychology and having the confidence to execute.

  5. Real-time MFA relay defeats traditional MFA: Push-based and code-based MFA are vulnerable to real-time phishing proxies, because the factor the user supplies is valid for whichever session presents it first. Only origin-bound cryptographic MFA (FIDO2/WebAuthn, where the authenticator signs over the requesting origin and the relying-party ID) resists this attack.
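Point 5, and the Phase 2 relay it refers to, worked through in code as an added example that is not part of the original case study: the TOTP half is a straightforward RFC 6238 implementation and shows the relay succeeding; the WebAuthn half is a simplified model in which the authenticator's ECDSA signature is replaced by an HMAC over the same bytes (authenticatorData || SHA-256(clientDataJSON)) so that it runs without a crypto library, while the origin and rpIdHash checks are the real ones from the WebAuthn verification procedure. The domains `corp.example` / `vpn.corp.example` / `vpn-corp.example`, the challenge string and the credential key are hypothetical.

```python
"""Added example (hypothetical domains/keys; HMAC stands in for the ECDSA
signature): why a real-time phishing relay defeats TOTP but not WebAuthn."""
import hashlib, hmac, json, struct

# ---------- TOTP (RFC 6238), as the real VPN portal would verify it ----------
def totp(secret, t, step=30, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp_login(secret, submitted, t):
    """Server-side check; accepts the current 30 s window and its two neighbours."""
    return any(hmac.compare_digest(submitted, totp(secret, t + d)) for d in (-30, 0, 30))

def relay_totp_phish(secret, now):
    code_typed_into_phish = totp(secret, now)                # employee reads it from their app
    return totp_login(secret, code_typed_into_phish, now + 5)  # proxy forwards it 5 s later

# ---------- WebAuthn-style assertion ----------
REAL_RP_ID = "corp.example"                  # hypothetical relying party
REAL_ORIGIN = "https://vpn.corp.example"
PHISH_ORIGIN = "https://vpn-corp.example"    # hypothetical lookalike domain
PHISH_HOST = "vpn-corp.example"

def browser_get_assertion(page_origin, requested_rp_id, challenge, cred_key):
    """Model of navigator.credentials.get(): the browser writes the origin into
    clientDataJSON itself and only allows an RP ID equal to the page's host or a
    registrable suffix of it, so a lookalike page cannot claim REAL_RP_ID."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("SecurityError: RP ID not valid for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    # A real authenticator has no credential scoped to a lookalike RP ID and would
    # return nothing; this toy signs anyway so the RP-side checks are visible.
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion, expected_challenge, cred_key):
    """Relying-party checks from the WebAuthn assertion verification procedure (abridged)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "bad type/challenge"
    if cd.get("origin") != REAL_ORIGIN:
        return False, "origin mismatch: " + cd.get("origin", "")
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def legitimate_webauthn(cred_key, challenge):
    a = browser_get_assertion(REAL_ORIGIN, REAL_RP_ID, challenge, cred_key)
    return rp_verify(a, challenge, cred_key)

def relay_webauthn_phish(cred_key, challenge):
    """Proxy forwards the real site's challenge to the victim on the phishing page
    and relays the resulting assertion unchanged."""
    try:
        a = browser_get_assertion(PHISH_ORIGIN, REAL_RP_ID, challenge, cred_key)
    except ValueError:                        # browser refuses the real RP ID
        a = browser_get_assertion(PHISH_ORIGIN, PHISH_HOST, challenge, cred_key)
    return rp_verify(a, challenge, cred_key)

def relay_with_tampering(cred_key, challenge):
    """Proxy rewrites origin and rpIdHash to the real values before forwarding.
    Both are covered by the signature, so the assertion no longer verifies."""
    a = browser_get_assertion(PHISH_ORIGIN, PHISH_HOST, challenge, cred_key)
    cd = json.loads(a["clientDataJSON"]); cd["origin"] = REAL_ORIGIN
    a["clientDataJSON"] = json.dumps(cd).encode()
    a["authenticatorData"] = hashlib.sha256(REAL_RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify(a, challenge, cred_key)

if __name__ == "__main__":
    K = b"toy-credential-key"
    print("TOTP relay accepted:", relay_totp_phish(b"12345678901234567890", 1594843200))
    print("WebAuthn legitimate:", legitimate_webauthn(K, "c0ffee"))
    print("WebAuthn relayed:   ", relay_webauthn_phish(K, "c0ffee"))
    print("WebAuthn tampered:  ", relay_with_tampering(K, "c0ffee"))
```

The TOTP relay is accepted because a one-time code is just a number that any session can present within the validity window. The WebAuthn relay fails twice over: the browser will not let the lookalike page request the real RP ID, and the origin the browser records in clientDataJSON is the phishing site's. Rewriting those fields in transit does not help either, because the signature covers both authenticatorData and the hash of clientDataJSON. In the real protocol the relying party verifies an ECDSA or RSA signature with the public key registered at enrollment; the HMAC here is only a stand-in for that step.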

Discussion Questions

  1. The primary attacker was a 17-year-old with no formal security training. What does this reveal about the skill level required for effective social engineering, and what are the implications for organizational defense?

  2. How did the COVID-19 pandemic and the shift to remote work specifically enable the vishing attack? What changes to IT support procedures should organizations implement for remote work environments?

  3. The attackers captured MFA tokens in real time through a phishing page. Why is this possible with TOTP/push MFA but not with FIDO2/WebAuthn? Explain the technical difference.

  4. Twitter temporarily prevented all verified accounts from posting during the incident. Evaluate this response: was it proportionate, and what were the trade-offs?

  5. The attack began with username trading and escalated to a Bitcoin scam. What does this escalation pattern suggest about access control and the principle of least privilege for internal tools?

References

  • New York State Department of Financial Services (2020). "Twitter Investigation Report."
  • U.S. Department of Justice (2020). "Three Individuals Charged for Alleged Roles in Twitter Hack."
  • Twitter (2020). "An Update on Our Security Incident." Official blog post.
  • Krebs, B. (2020). "Who's Behind Wednesday's Epic Twitter Hack?" KrebsOnSecurity.
  • Hillsborough County State Attorney (2020). "State of Florida v. Graham Ivan Clark." Criminal complaint and charging documents.