Twitter says a “phone spear phishing” attack helped hackers – what’s that?

Twitter has released some more information about the hack it suffered earlier this month, which saw high-profile accounts breached and hijacked to post cryptocurrency scams.

Victims of the attack, which was perpetrated by hackers with access to Twitter’s internal account management support tools, included Amazon’s Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Barack Obama, and Kanye West.

Twitter’s latest update on the incident includes some further information about how hackers were able to breach its security, and debunks the notion that an employee deliberately assisted:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.

So, the obvious question is – what’s a “phone spear phishing attack”?

Twitter unfortunately has been frustratingly opaque as to precisely what it means by the term, but here’s my best guess at what happened:

A targeted Twitter employee or contractor received a message on their phone which appeared to be from Twitter’s support team, and asked them to call a number.

When the worker called the number, they might have been put through to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials.

The Twitter ..