Last night, US law enforcement arrested three people over the recent Twitter hack.
The US Department of Justice (DOJ) has released a stack of documents laying out a timeline of the hack and how US investigators managed to identify the three suspected hackers.
- Mason Sheppard, also known as "Chaewon", 19 years old, from the United Kingdom [indictment].
- Nima Fazeli, also known as "Rolex", 22 years old, from Orlando, Florida [indictment].
- Graham Ivan Clark, believed to be "Kirk", 17, from Tampa, Florida [indictment].
According to the Justice Department documents, the hack appears to have started on May 3, when Clark, a teenager from Tampa, gained access to part of Twitter's network.
What happened between May 3 and July 15, the day of the actual hack, is not clear, but it seems that Clark was not able to immediately take advantage of his initial foothold in Twitter's management tools.
NYT reporters, citing sources in the hacking community, reported that the hacker discovered the credentials for one of Twitter's technical support tools, which were pinned in one of the company's Slack channels.
Screenshots of this tool, which allows Twitter employees to inspect every aspect of an account, leaked online on the day of the hack.
However, the credentials for this tool were not enough to access Twitter's backend. In a post on its blog detailing the company's investigation into the breach, Twitter reports that accounts for this admin backend were protected by two-factor authentication (2FA).
It is not known how long it took Clark to do it, but Twitter's investigation reports that the hacker used a "phone spear phishing attack" to deceive some of its employees and gain access to their accounts, managing to get past the two-factor protection.
According to Twitter, this happened on July 15, the same day as the hack.
Clark, who appeared on Discord as Kirk#5270, did not expect to be identified, and according to Discord conversations obtained by the FBI, the hacker contacted two other people to help him take advantage of that access.
Logs of these conversations, included in the court documents, show that Clark (Kirk#5270) approached two other users of the OGUsers Discord channel, a hacking forum for buying and selling social media accounts.
The chat logs show that Clark approached two other hackers (Fazeli, as Discord user "Rolex#037", and Sheppard, under the nickname "ever so anxious#0001") and claimed to be working at Twitter.
He proved his claims by modifying the settings of a Twitter account owned by Fazeli (Rolex#037), and then sold Fazeli access to the @foreign Twitter account.
Clark also sold Sheppard access to several Twitter accounts, such as @xx, @dark, @vampire, @obinna and @drug.
Once Clark had convinced the other two of his level of access, all three agreed to post ads on the OGUsers forum promoting Clark's ability to hijack Twitter accounts.
After these ads were posted, it is believed that many people bought access to Twitter accounts. In a recorded message posted on YouTube by the Executive Office for United States Attorneys, investigators say they are still looking into many other users who took part in the hack.
It is believed that one of the hackers who bought access to Twitter accounts is responsible for the mass hijacking of verified celebrity accounts on July 15 and for posting a message designed to fool users.
The message appeared on the accounts of Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Floyd Mayweather, Michael Bloomberg and others, and asked users to send Bitcoin to various addresses.
According to court documents, the hackers behind the wallets used in this scam managed to collect 12.83 bitcoin, or about 117,000 dollars.
At this point the breach was discovered by Twitter's staff, who intervened to lock the verified accounts while ousting Clark from their network.
The day after the breach, Twitter filed a complaint with the authorities, and the FBI and the Secret Service began their own investigations.
According to court documents, the FBI used data shared on social media, news sites and the Discord chat service.
The FBI also used a copy of the OGUsers forum database that leaked online in April this year after the forum was hacked. This database contained details of registered users, such as email addresses, IP addresses and private messages.
Authorities also obtained data from Coinbase about the Bitcoin addresses involved in the scam.
By correlating data from the three sources, the FBI was able to identify the hackers and link them to email and IP addresses.
Authorities identified Fazeli after linking his Discord username to his OGUsers profile, an obvious operational security error.
Moreover, he used the same two addresses to register accounts with Coinbase, which he later verified with a photo of his driver's license (!).
In addition, Fazeli also used his home internet connection to access accounts on all three sites, leaving his home IP address in the log files of Discord, Coinbase and OGUsers.
The same thing happened with Sheppard. Investigators said they were able to link Sheppard's Discord user to OGUsers thanks to an ad posted on the site on the day of the breach. They later confirmed this through the leaked OGUsers database, where they found Chaewon (Sheppard) buying access to a video game with a Bitcoin address linked to other addresses used on the day of the hack.
As in the case of Fazeli, Sheppard had accounts with Coinbase, which he verified using his real driver's license.
Authorities did not directly link Clark to the Discord user Kirk#5270, but details in the indictment show he is the same person.
Hillsborough Prosecutor Andrew Warren says the 17-year-old from Tampa (Clark) was the "brain" of the hack.
The original reporting was by Catalin Cimpanu of ZDNet.