How Twitter Was Hacked And How The Criminals Were Found - Full Report

Megiddo
Published court materials describing the break-in and subsequent investigation.

As SecurityLab previously reported, on Friday, July 31, US authorities indicted three young men for the mass hacking of celebrity Twitter accounts. There is a lot of scattered information about the incident in the media, including statements by the social network's own administration, but how exactly the attackers managed to compromise 130 accounts (according to Twitter, the scammers carried out a phishing attack on employees that exploited "human weaknesses") and how they were caught had not been reported. Now, thanks to the indictments published by the US Department of Justice, a picture has emerged of how the break-in took place and how the investigation was carried out.

According to court documents, the attack began on May 3, 2020, when Graham Ivan Clark, a 17-year-old California teenager from Tampa, Florida, gained unauthorized access to part of Twitter's internal network. He retained this access until July 16. After infiltrating the network, Clark, using the alias Kirk, quickly took over the internal administration tools that were later used to hijack accounts.

However, according to a New York Times article published a few days after the attack, Clark first gained access not to Twitter itself but to the Slack workspaces used by the social network's employees. As the publication's journalists reported, citing members of the hacking community, the attacker found credentials for an internal administration tool in one of Twitter's Slack channels. Screenshots of the tool's interface were published on the darknet the day after the hack.

Because Twitter admin accounts are protected by two-factor authentication, credentials alone were not enough to access them. According to representatives of the social network, the attackers used "targeted phishing by phone" against its employees. How long it took Clark to "work" the employees is hard to say; according to a Twitter post, however, it happened on July 15, the same day as the hack.

According to Discord messages obtained by the FBI, Clark turned to two other people for help in monetizing the access. On the OGUsers Discord channel, Clark found 22-year-old Nima Fazeli, known as Rolex, and 19-year-old Mason Sheppard, who used the pseudonym Chaewon. He invited them to take part in the Twitter hack and, as proof that he really had access to the social network's administration tools, changed the settings of Fazeli's Twitter page. In addition, Clark sold Sheppard access to a number of short Twitter handles (@xx, @Dark, @Vampire, @obinna, and @drug).

The trio began to actively advertise access to Twitter accounts on the OGUsers forum. Apparently, they managed to sell access to several more people, who are now wanted by law enforcement agencies. It was one of these people who used the purchased access to post fraudulent tweets about a Bitcoin giveaway on celebrity pages.

According to court documents, 12.83 bitcoins (about $117 thousand) were transferred to the cryptocurrency wallet named by the fraudster. On the day of the hack, the administration of the cryptocurrency exchange Coinbase took steps to prevent fraudulent transactions and blocked transfers to the bitcoin address, thereby preventing an additional $280 thousand from being sent.

It is noteworthy that in investigating the incident the FBI used the OGUsers forum database that was leaked publicly in April this year. Unfortunately for the hackers, it contained their email and IP addresses, as well as their private correspondence.

With the assistance of the US Internal Revenue Service, law enforcement officers obtained data from Coinbase on the cryptocurrency wallets involved in the case, including those that the trio had mentioned earlier in their correspondence on Discord and on the OGUsers forum. By cross-referencing information from three sources (Coinbase, Discord and OGUsers), investigators were able to identify the email and IP addresses of the persons involved and establish their identities.

However, the Habr user ashotog, having carefully read the available case materials, cast doubt on how Mason Sheppard was identified. While the email addresses of Clark and Fazeli did show up in the OGUsers leak, with Sheppard things are not so straightforward.

According to a report by Tigran Gambaryan, an agent of the US Internal Revenue Service, Mason's email address (masonhppy@gmail.com) was also found in the leaked OGUsers forum database. However, according to ashotog, there is no such address in it. Moreover, it has not appeared in any of the leaks he has analyzed over the past few years (and that is more than 30 billion records).

"It turns out that the special agent is not saying something in his report. Either he has access to a database, information about which he has no right to disclose (for example, real-time access to the Coinbase database for IP searches), or Mason Sheppard was found in another way (for example, through a request to the British provider TalkTalk Communications Limited, from whose network the hacker 'was sitting') and for some reason this also cannot be disclosed," writes ashotog.