Last night, US law enforcement arrested three people for recent invasion of Twitter.
The US Department of Justice (DOJ) has released a stack of documents showing a timeline of the hack, and how US investigators were able to identify three suspected hackers.
- Ο Mason Sheppard, γνωστός και ως "Chaewon", 19 χρονών, από το Ηνωμένο Βασίλειο [indictment].
- Ο Nima Fazeli, γνωστός και ως "Rolex", 22 χρονών, από το Ορλάντο της Φλόριντα [indictment].
- Ο Graham Ivan Clark, που πιστεύεται ότι είναι ο "Kirk", 17 χρονών από την Tampa της Φλόριντα [indictment].
According to Justice Department documents, the hack appears to have started on May 3, when Clark, a teenager from Tampa, gained access to a section of the Twitter network.
What happened between May 3 and July 15, the day of the real hack, is not clear but it seems that Clark was not able to immediately exploit his initial access point to the Twitter management tool.
However, a report from the New York Times days after the Twitter hack suggests that Clark initially had access to one of Twitter's Slack workspaces rather than Twitter itself.
NYT reporters, citing sources from the hacking community, reported that the hacker discovered the credentials for one of Twitter's technical support tools pinned to one of the company's Slack channels.
Images of this tool, which allows Twitter employees to control all aspects of an account, leaked to the internet on the day of the hack.
However, the credentials for this tool were not enough to access the Twitter backend. In a Twitter blog post detailing the company's breach investigation, Twitter states that accounts for this admin backend were protected by two-factor authentication (2FA).
Δεν είναι γνωστό πόσος χρόνος χρειάστηκε ο Clark για να το κάνει, αλλά η έρευνα του Twitter αναφέρει ότι ο hacker χρησιμοποίησε ένα "phone spear phishing attack" για να εξαπατήσει μερικούς από τους υπαλλήλους του και να αποκτήσει πρόσβαση στους λογαριασμούς τους, καταφέρνοντας "να περάσει" το two-factor protection
According to Twitter, this happened on July 15, the same day of the hack.
Clark, who appeared on Discord as Kirk # 5270, did not wait to be identified, and according to FBI conversations with Discord, the hacker contacted two other people to help him gain access to that access.
Logs of those conversations included in court documents show that Clark (Kirk#5270) approached two others users from their Discord channel OGUers, a hacking forum for buying and selling social media accounts.
Στα chat logs φαίνεται ότι ο Clark πλησίασε δύο άλλους hacker (τον Fazeli σαν χρήστης "Rolex#037" στο Discord και τον Sheppard με nick name "ever so anxious#0001") και ισχυρίστηκε ότι εργάζεται στο Twitter.
He proves his claims by modifying the settings of an account owned by Fazeli (Rolex # 037) and sold access to Fazeli to his @foreign Twitter account.
Clark also sold access to Sheppard for many Twitter accounts such as @xx, @dark, @vampire, @obinna and @drug.
When Clark convinced the other two of his access level, all three agreed to post ads on the OGUsers forum to promote Clark's ability to invade Twitter accounts.
After these ads were posted, it is believed that too many people bought access to Twitter accounts. In a recorded message posted on YouTube by the Executive Office for United States Attorneys, the researchers say they are still considering many users who participated in the hack.
One of the hackers who bought access to Twitter accounts is believed to be responsible for the mass hacking of verified celebrity accounts on July 15 and for posting a message trying to fool people.
The message was found on the accounts of Barrack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Floyd Mayweather, Michael Bloomberg and others, and asked users to send Bitcoin to various addresses .
According to court documents, the hackers with the wallets used in this scam managed to collect 12,83 bitcoin or about 117.000 dollars.
At this point the breaches were revealed by Twitter staff, who intervened to block the verified accounts while ousting Clark from their network.
Η έρευνα του Twitter που ακολούθησε διαπίστωσε ότι ο Clark "πείραξε" με 130 λογαριασμούς με την πρόσβαση που είχε στο διαχειριστικό εργαλείο του Twitter.
The day after the violation, Twitter filed a lawsuit against the authorities and the FBI and the secret service began their own investigation.
According to court documents, the FBI used data shared on social media, news sites and the Discord chat service.
The FBI also used a copy of the base data of the OGUsers forum which was leaked online in April this year after the forum was hacked. This database contained details about registered users, such as emails, IP addresses, and private messages.
Authorities also received data from Coinbase about Bitcoin addresses involved in the scam.
By correlating data from the three sources, the FBI was able to identify the hackers and link them to email and IP addresses.
Authorities located Fazili after linking the Discord username to the OGUsers page, an obvious operational security flaw.
Fazili made many mistakes in hiding his identity. He used damniamevil20@gmail.com for an OGUsers account and chancelittle10@gmail.com to hack @foreign's Twitter account.
However, he used the same two addresses to register accounts with Coinbase, which he later verified with a photo of his driver's license (!).
Επιπλέον, ο Fazili χρησιμοποίησε επίσης μια connection από το σπίτι του για πρόσβαση σε λογαριασμούς και στους τρεις ιστότοπους, αφήνοντας τη διεύθυνση IP του σπιτιού του στα log files των Discord, Coinbase και OGUsers.
The same thing happened with Sheppard. The investigators said they were able to link Discord Sheppard's user to OGUsers thanks to an ad posted on the site on the day of the breach. They later confirmed this through the leak of the OGUsers database, where they found Chaewon (Sheppard) using to buy access to a video game with a Bitcoin address linked to other addresses used on the day of the hack.
As in the case of Fazili, Sheppard had accounts with Coinbase, where he used his actual driver's license to verify them.
Authorities did not directly link Clark to Discord user Kirk # 5270, but details from the indictment show he is the same person.
Ο εισαγγελέας του Hillsborough, Andrew Warren αναφέρει ότι ο 17χρονος έφηβος από την Tampa (Clark) ήταν ο "εγκέφαλος" του hack.
The research was conducted by Catalin Cimpanu of ZDNet.
