Hacking is Hacking... What is the 'Social Engineering Hacking' That Breached Twitter? [Juhyung Lim's Tech Talk]

Over 100 Twitter Celebrity Accounts Massively Hacked
'Social Engineering Hack' Obtained Management Tools via Employee Access, Not System
Gaining Employee Trust to Steal Critical Information
Various Methods Including Fake Emails and Voice Phishing Used

A post on former U.S. President Barack Obama's Twitter account, which was hacked on the 15th (local time). At that time, the hackers claimed on this account that they would double any Bitcoin sent to them and collected money accordingly. / Photo by Barack Obama Twitter capture


[Asia Economy Reporter Lim Ju-hyung] On the 15th (local time), the official Twitter account of former U.S. President Barack Obama posted, "Due to the novel coronavirus infection, I have decided to give back my money to the community," along with a cryptocurrency account address, stating, "Anyone who deposits Bitcoin to the address below will receive twice the amount sent. This offer is valid for the next 30 minutes. Enjoy."


Former President Obama was not the only one to post this message that day. Over 100 famous American celebrities and politicians, including Jeff Bezos, CEO of Amazon; Elon Musk, CEO of Tesla; Bill Gates; former U.S. Vice President Joe Biden; and hip-hop artist Kanye West, posted the same message, urging Twitter users to deposit Bitcoin.


This incident was revealed to be the act of a cryptocurrency scam group using Bitcoin. Twitter later announced that a security breach occurred due to a large-scale hacking incident, but by then, $110,000 (approximately 132 million KRW) had already been transferred to the Bitcoin address posted by the hackers.


Following the hacking incident, Twitter announced preliminary investigation results on the 16th, stating, "It is suspected to be an organized 'social engineering attack' targeting some employees with access to internal systems and tools."


Social engineering hacking, which involves directly approaching company personnel to extract critical information, is emerging as a threat to cybersecurity. Since it can be carried out without specialized knowledge of computer engineering and there are no technical countermeasures, concerns are growing.


Experts suggest that both individuals and organizations within companies need to act systematically with heightened awareness.


Social Engineering Hacking Targets People, Not Systems
Hacking / Photo by Yonhap News


Hacking can be broadly divided into two types: system hacking and social engineering hacking.


First, system hacking involves exploiting security vulnerabilities inherent in operating systems (OS), software, or hardware. Common examples include distributing malware such as Trojan horses and viruses or attempting Distributed Denial of Service (DDoS) attacks.


On the other hand, social engineering hacking targets people rather than systems. It includes acts such as gaining the trust of company employees with access rights within the system and stealing confidential information or tools.


The recent large-scale Twitter hacking incident is a case in point. The hackers obtained administrator accounts with access to internal systems and tools directly from employees, forcibly logged into celebrity accounts, and sent out a large volume of fraudulent tweets.


Additionally, social engineering hacking includes sending fake emails or voice phishing to employees to obtain basic information, eavesdropping, or stealing passwords by glancing at monitors.


Social Engineering Hacking on the Rise Despite Advances in Security Technology
Social engineering hacking poses a threat because it targets the administrators of the system to disable the security framework, regardless of the actual security level. / Photo by Yonhap News


Social engineering hacking is problematic because it targets the people who manage the system, no matter how sophisticated the system's security is. While vulnerabilities in systems can be addressed or improved through various tests, information leaks caused by individual carelessness are extremely difficult to control.


Especially as electronic technology advances and overall system security technology becomes standardized at a higher level, hackers have recently shifted their focus from system hacking to social engineering hacking.


ESTsecurity, known for its antivirus software 'ALYac,' ranked 'spear phishing,' a social engineering hacking technique, as the 4th most threatening security risk in its '2019 Security Threat Outlook.' Spear phishing involves sending fake emails disguised as internal company emails to steal corporate information.


Experts emphasize the need to prevent confidential information leaks through systematic security team management.


An anonymous security industry official told Asia Economy in a phone interview, "Social engineering hacking is simply deceiving security personnel to steal information," adding, "There is no other way except for individuals to remain vigilant and cautious."


He continued, "The best way to prevent social engineering hacking is to systematically block all possible routes through which sensitive information could leak within an organization (company). It is necessary to establish and comply with clear guidelines on how internal computer passwords, office access, and other sharing methods are managed and by whom."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

