Twitter on Thursday admitted that high-profile Twitter accounts were hacked because some employees with access to internal tools were targeted by hackers in a coordinated social engineering attack.
Twitter says hackers used social engineering to get into the verified accounts.
But what is social engineering?
What is Social Engineering?
Social engineering is a method hackers use to get confidential information. You may have heard that in any IT system the weakest link is the user. For example, a company may use great security on its machines, but if a user sets the password to 1234abc, well, you can’t do much about it and all that security is useless. Similarly, hackers often find it easier to get login details, or get into some machine or system, with the help of users instead of breaking the security controls.
Social engineering is the art of manipulating people so that they give out confidential information that can be used to cause harm to that person or an organisation. Confidential information can include passwords, ATM PINs, or, in Twitter’s recent case, access to the main control panel.
So, when you get a call asking for credit card details, or an email that seems authentic and asks you to enter your credentials somewhere, that is a scammer trying to use social engineering.
In Twitter’s case, through an unwitting or maybe a willing Twitter employee, the hackers got access to the site’s admin panel and then did their work.
Some hackers understand human psychology very well and use tactics that manipulate people and exploit their weaknesses, so that they fall prey to the hacker’s malicious intentions.
A hacker, reportedly part of the Twitter **bleep** last night, told Motherboard that they “used a rep that literally did all the work” and others claimed they paid the Twitter insider. One cannot fail to notice the ease with which tens of accounts of prominent personalities were hacked in one night.
As per a report by TechCrunch, the hackers generated over $100,000 through the cryptocurrency scam in a matter of hours by gaining access to an internal Twitter tool.
Now, social engineering can take various forms, some of which are phishing, pretexting, baiting and quid pro quo.
The most common form of social engineering attack is phishing. The main aim of phishing scams is to obtain information that is crucial to a person, like names, security PINs, addresses, etc. Phishing also uses links to direct users to a landing page where the information they enter can be misused. Phishing messages often also use threats or a sense of urgency. When you get an email from scammers asking you to log into your bank account, that is phishing.
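The indicators described above (a request for credentials, urgency language, and a link whose visible text names one site while the href actually leads somewhere else) are exactly what a simple mail filter looks for. The script below is an added example written for this explainer, not code from Twitter or from the article; the sample messages and the `.example` hostnames are constructed for illustration.

```python
# Added example (not from the article): a heuristic scorer that flags the
# phishing indicators the text describes: credential requests, urgency
# language, and links whose visible text names a different site than the
# one the href actually points to. All sample e-mails are constructed.
import re
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "verify now", "account will be suspended")
CREDENTIAL_PHRASES = ("password", "pin", "log in", "login",
                      "credentials", "security code")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def _contains_phrase(text, phrases):
    """Return the first phrase that appears as whole words in text, else None."""
    for phrase in phrases:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            return phrase
    return None


def _same_site(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def link_mismatches(body_html):
    """(visible_host, real_host) pairs where the link text names one site
    but the href goes to another: the classic fake landing page."""
    mismatches = []
    for href, text in ANCHOR_RE.findall(body_html):
        real_host = urlparse(href).hostname or ""
        for visible_host in HOST_RE.findall(text):
            if not _same_site(real_host, visible_host):
                mismatches.append((visible_host, real_host))
    return mismatches


def score_email(sender_domain, subject, body_html):
    """Return the indicators found in one message, a score and a verdict."""
    reasons = []
    plain = (subject + " " + re.sub(r"<[^>]+>", " ", body_html)).lower()
    hit = _contains_phrase(plain, URGENCY_PHRASES)
    if hit:
        reasons.append(f"urgency language: '{hit}'")
    hit = _contains_phrase(plain, CREDENTIAL_PHRASES)
    if hit:
        reasons.append(f"asks for credentials: '{hit}'")
    for visible, real in link_mismatches(body_html):
        reasons.append(f"link text shows {visible} but points to {real}")
    for href in HREF_RE.findall(body_html):
        host = urlparse(href).hostname or ""
        if host and not _same_site(host, sender_domain):
            reasons.append(f"link leaves the sender's domain: {host}")
    score = len(reasons)
    verdict = ("likely phishing" if score >= 2
               else "suspicious" if score == 1 else "no indicators")
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages; .example hostnames are reserved for documentation.
SAMPLES = {
    "phishing": dict(
        sender_domain="examplebank-secure.example",
        subject="Urgent: verify your account within 24 hours",
        body_html='<p>Your account will be suspended. Go to '
                  '<a href="http://login.examplebank-secure.example/verify">'
                  'https://www.examplebank.example/login</a> '
                  'and enter your password.</p>'),
    "reset": dict(  # a genuine notice that still trips one keyword
        sender_domain="examplebank.example",
        subject="Password reset confirmation",
        body_html='<p>You changed your password. If this was not you, '
                  'contact us.</p>'),
    "benign": dict(
        sender_domain="examplebank.example",
        subject="Your monthly statement is ready",
        body_html='<p>Your statement is available. '
                  '<a href="https://www.examplebank.example/statements">'
                  'View statements</a></p>'),
}


def scan_samples():
    """Score every constructed sample and return the results by name."""
    return {name: score_email(**msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The "reset" sample shows the limit of keyword heuristics: a legitimate password-change notice scores 1 simply because it mentions a password, so a score like this is a triage signal for a human or a richer filter, not a final verdict. The link-text check is the strongest of the three indicators, because a visible URL that disagrees with the real destination has no honest explanation.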
Pretexting involves building a false sense of trust with the victim. Scammers, impersonating someone else, usually create scenarios so convincing that the victim believes them and gives out bits of information. Identity theft is carried out through pretexting. An example of this is a mail like: “Your online activity has been recorded and we have seen all the **bleep** websites you visit. However, we are your friends and will not want this information to go out in public. We can stop it, only if you can give us the password of the Netflix account you use.” Or something similar.
Baiting and quid pro quo: as the name suggests, baiting and quid pro quo lure the victim into giving out important information like login credentials. Users might get messages saying they have won goods or a service (remember the Nigerian prince?) and that they can redeem it by logging in and handing over important information.
Simply put: social engineering refers to manipulating people so that they give out confidential information like passwords.