Advanced Phishing Attacks Put X Accounts at Risk

Users of social media site X (formerly Twitter) risk having their accounts hacked, even if they have two-factor authentication set up, according to eSentire.

Researchers at eSentire’s Threat Research Unit (TRU) found that account takeover was still possible, even though X accounts use security keys or passkeys. X’s own security features allow strong authentication to be bypassed, they warn.

As well as security keys or passkeys, X users can also use SMS codes or an authenticator application to access their accounts.

However, hackers can easily bypass these methods, either through an adversary-in-the-middle (AiTM) attack, which intercepts the authentication codes or tricks users into revealing them, or through SIM swapping, which redirects the authentication code to the attacker’s phone.

The US actor Sydney Sweeney had her X account hacked in July, through a SIM-swapping scam. Other victims of X account takeovers include Lara and Tiffany Trump, the rock band Metallica and senior staff at McDonald’s.

Crypto-Driven Attacks

“In the past eight months, there have been numerous X accounts that have been breached by hackers,” Spence Hutchinson, TRU threat intelligence researcher, told Infosecurity.

“These high-profile accounts were commonly breached to promote cryptocurrency scams or phishing links to thousands of their followers.”

Many of the attacks, including those against the Trumps and Metallica, promoted cryptocurrency schemes.

According to Hutchinson, the way X allows users to sign in using an authenticator application or SMS code undermines the use of security keys and passkeys.

“While traditional 2FA methods like SMS codes, authentication apps and backup codes add a small security improvement over passwords, they are no defense against sophisticated modern phishing attacks, such as AiTM attacks,” he said.

Online Retailers and Software Services Vulnerable

TRU researchers warned that it is not only X accounts that are vulnerable. The team found that the security keys or passkeys of a number of software services and online retailers could be bypassed through a technique they term “authentication method redaction” (AMR).

To carry out an AMR attack, the hacker blocks the site’s security key or passkey option, forcing users to sign in with an email address and password instead. TRU recommends the use of stronger protections, such as passkeys or FIDO2 hardware authenticators, and disabling insecure MFA access methods.
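As an added illustration of the mitigation TRU recommends (this is not eSentire’s code or X’s implementation), the following Python models a sign-in policy that refuses the fallback to a weaker method that an AMR or AiTM proxy depends on, and flags such attempts for detection. The method names, the `weak_fallback` toggle and the sign-in log entries are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Methods bound to the site origin; an AiTM proxy cannot replay them.
PHISHING_RESISTANT = frozenset({"passkey", "fido2_key"})
# Methods that only prove possession of a code the user can be tricked into relaying.
PHISHABLE = frozenset({"password", "sms", "totp", "backup_code"})

@dataclass(frozen=True)
class Account:
    user: str
    enrolled: frozenset          # authentication methods the user has registered
    weak_fallback: bool = False  # hypothetical admin toggle: allow phishable methods anyway

def evaluate_login(account: Account, method: str) -> tuple[bool, str]:
    """Decide whether a sign-in with `method` may proceed for `account`."""
    if method not in PHISHING_RESISTANT | PHISHABLE:
        return False, "unknown method"
    if method not in account.enrolled:
        return False, "method not enrolled"
    strong_enrolled = bool(account.enrolled & PHISHING_RESISTANT)
    if strong_enrolled and method in PHISHABLE and not account.weak_fallback:
        # The account owns a passkey/security key, so a request for a weaker path is
        # exactly the downgrade an AMR-style attack relies on: refuse it.
        return False, "downgrade refused: phishing-resistant authenticator enrolled"
    return True, "allowed"

def flag_downgrades(account: Account, attempts: list[dict]) -> list[str]:
    """Return the source addresses of attempts that asked for a phishable method on a
    strong-auth account; repeated hits from one source are worth an alert."""
    return [a["src"] for a in attempts
            if a["method"] in PHISHABLE and account.enrolled & PHISHING_RESISTANT]

# Constructed sample data: a user with a passkey plus legacy SMS fallback still enrolled.
VICTIM = Account("alice", frozenset({"passkey", "password", "sms"}))
# Constructed sign-in log as an AMR proxy would produce it: the proxy hides the passkey
# prompt, so the relayed session submits a password and then an SMS code.
ATTEMPTS = [
    {"src": "203.0.113.7", "method": "password"},
    {"src": "203.0.113.7", "method": "sms"},
    {"src": "198.51.100.2", "method": "passkey"},   # the real user on a clean device
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a["src"], a["method"], evaluate_login(VICTIM, a["method"]))
    print("downgrade sources:", flag_downgrades(VICTIM, ATTEMPTS))
```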

“These breaches highlight the need for a robust and secure authentication posture that takes into account the most up-to-date measures to log in,” Don Tait, senior analyst for identity cybersecurity at Omdia told Infosecurity.

“Not all authentication methods are the same. Taking advantage of the best authentication methods will minimize the chances of getting breached.”
