Following the HBO cybersecurity breach, it has come to our attention that several Twitter accounts belonging to the media company including Game of Thrones, Last Week Tonight and Westworld have also been compromised.
First Published 18th August 2017
Curb your enthusiasm.
4 min read | Reflare Research Team
Following a cyber attack against HBO earlier this month which led to confidential information and content being leaked, the media company has once again become the target of hackers. This time around, the Twitter accounts of several HBO shows appear to have been compromised by hackers believed to be OurMine.
Background & Impact
The name OurMine has previously been used in several hacks of social media accounts belonging - among others - to Mark Zuckerberg, Jimmy Wales and Sundar Pichai, as well as during a notable breach of content aggregator Buzzfeed’s website security in late 2016. Whether this week’s hacks of HBO Twitter accounts were performed by the same attacker(s) is unknown. While some attackers choose to publish cryptographically signed messages which prove that different attacks were performed by the same agent, OurMine is not known to do so.
Apart from a short message posted on several of the affected Twitter accounts urging HBO to contact OurMine, no malicious actions appear to have taken place.
Defending Social Media Accounts
There is a lot of public confusion surrounding the hacking of social media accounts. At scale, accounts are usually compromised through weak or leaked passwords. However, the CEOs of tech companies whose Twitter accounts OurMine previously took over surely know how to choose a strong password and not reuse it.
It turns out that protecting Twitter accounts is surprisingly tricky.
Twitter has to provide users with a way to reclaim their accounts if they forget the password or lose access to two-factor authentication devices such as their phones. Without such recovery methods, a large number of accounts would become inaccessible every year as passwords are inevitably forgotten or phones lost and broken.
Customarily, account credentials are reset by sending an email to a registered email address. Thus attackers with access to a victim’s email also ultimately have access to their Twitter account. Alternatively, accounts may be verified through text messages sent to registered phone numbers.
This approach seems secure until one considers that mobile phone companies can assign phone numbers to SIM cards at will. A dedicated attacker can therefore use traditional identity theft techniques to convince a phone company to assign the victim’s number to their own SIM, thus receiving all further text messages for that number.
With control of a phone number, they can then either directly access the Twitter account or use the number to reset the credentials for email accounts and access Twitter through them.
While by no means all such attacks succeed, it only takes a single gullible support worker at the target phone company to breach security. Since attackers get a virtually unlimited number of attempts and many support workers are not trained to see the security implications of moving phone numbers, attacks are bound to keep succeeding.
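The recovery chain described above (SMS can reset the email account, and either SMS or email can reset the Twitter account) can be audited as a dependency graph. The following is an added example written for this article, not code from Reflare, HBO or Twitter; the asset names, the channels and the graph itself are constructed for illustration, and the "hardened" variant that drops SMS as a recovery method is the author of this example's assumption about a mitigation, not something the post prescribes.

```python
"""Audit an account-recovery dependency graph for takeover paths.

Each asset maps to the set of channels that can reset its credentials.
Recovery is an OR relationship: controlling any single listed channel is
enough to take over the asset, and control propagates transitively.
"""
from typing import Dict, List, Set

RecoveryGraph = Dict[str, Set[str]]

# Constructed example graph (hypothetical, not any real account's setup).
EXAMPLE_GRAPH: RecoveryGraph = {
    "twitter": {"email", "sms"},          # reset by email link or SMS code
    "email": {"sms", "backup_codes"},     # mail provider resets via SMS or offline codes
    "sms": {"carrier_support"},           # carrier can reassign the number to a new SIM
    "backup_codes": set(),                # offline codes; nothing resets them
    "carrier_support": set(),             # the carrier's own identity-check process
}


def reachable_from(start: str, graph: RecoveryGraph) -> Set[str]:
    """Return every asset an attacker who controls `start` can take over.

    Iterates to a fixed point: an asset is owned once any one of its
    recovery channels is owned."""
    owned = {start}
    changed = True
    while changed:
        changed = False
        for asset, channels in graph.items():
            if asset not in owned and channels & owned:
                owned.add(asset)
                changed = True
    return owned


def takeover_sources(target: str, graph: RecoveryGraph) -> List[str]:
    """Return every node whose compromise alone yields control of `target`.

    These are the single points of failure for that account."""
    return sorted(
        node for node in graph
        if node != target and target in reachable_from(node, graph)
    )


def without_channel(graph: RecoveryGraph, channel: str) -> RecoveryGraph:
    """Copy of `graph` in which `channel` is no longer accepted as a
    recovery method anywhere (e.g. SMS recovery switched off)."""
    return {asset: channels - {channel} for asset, channels in graph.items()}


if __name__ == "__main__":
    print("Can reach twitter:", takeover_sources("twitter", EXAMPLE_GRAPH))
    hardened = without_channel(EXAMPLE_GRAPH, "sms")
    print("Without SMS recovery:", takeover_sources("twitter", hardened))
```

In the constructed graph, the carrier's support desk is a single point of failure for the Twitter account even though it never appears in Twitter's own settings, which is exactly the indirect path the post describes. Removing SMS as a recovery method for both the mail and Twitter accounts takes the carrier out of the trust chain; what remains depends only on assets the account owner controls directly.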
Summary
Resetting credentials is one of the classic chicken-and-egg problems of the internet. While most corporate infrastructure relies on its own authentication systems, Twitter cannot be integrated with any of them. At the same time, the international footprint and anonymous nature of the network make demanding government ID to reset account credentials highly impractical.
As such, resetting credentials through email or phone messages is likely to remain the standard for the foreseeable future. With this standard in place, attackers will continue to occasionally take over high-priority accounts and abuse them to broadcast their messages.