Indian Medical Association's Twitter Account Compromised
IMA, ICWA and Mann Deshi Bank Accounts Targeted for Crypto Scams
The official Twitter accounts of the Indian Medical Association, @IMAIndiaOrg; the Indian Council of World Affairs, @ICWA_NewDelhi and Mann Deshi Bank, @MannDeshiOrg were compromised in a series of crypto hacks early Monday morning.
The Indian Medical Association, with over 334,000 members, is a national voluntary organization of physicians in India. The Indian Council of World Affairs is the country's first independent international affairs think tank. And Mann Deshi Bank is a cooperative bank that aims to financially empower rural women in the country.
Yogesh Dua, a member of the team that manages the social media accounts of the Indian Medical Association, confirms that its official Twitter account was hacked.
Dua tells Information Security Media Group that the IMA's Twitter account is locked and the association has not been able to regain access. He says it has made a request to unlock the account but has not received a response.
Dua says the IMA received a message from Twitter informing it that the account was locked when Twitter detected suspicious activity. Three or four people in the IMA had access to the password of its official Twitter account, according to Dua.
ISMG could not determine if the incidents of account compromise at the Indian Council of World Affairs and Mann Deshi Bank were the result of a hack or a case of compromised passwords, but it appears that all three Twitter accounts were targeted by the same bad actor, as a series of crypto scam content appeared on all three accounts.
Of the three targeted accounts, only the crypto scam tweets on the Indian Council of World Affairs' Twitter account have been deleted.
Crypto Giveaway Scams
The first fraudulent post following the account takeover of the Indian Medical Association appeared at 0155 hours, Indian Standard Time. The hacker, posing as Elon Musk, wrote: "We here at Tesla HQ came up with a nice idea: to hold a special airdrop event of 5000 BTC for all crypto fans!"
This was followed by hundreds of fake endorsement tweets posted every few seconds, each egging users to click on a Telegram link advertising giveaways of Bitcoins, Ether, Dogecoins and Shiba Inu coins.
Sidhartha Shukla, a journalist for The Economic Times, found that the scam involves potential victims "verifying" their addresses by sending 0.02 to 10 bitcoins - approximately $945 to $472,967 - to a Bitcoin address. The return, the fraudulent advertisement claims, is between 0.2 and 100 bitcoins - around $9,500 to $4,749,650.
To entice users to send bitcoins, the scammers created fake discussion threads that show people earning 10 times the invested amount in 10 minutes.
Cybercriminals commonly use giveaway scams to defraud unsuspecting victims. Research by Elliptic shows that in the aftermath of the July 2020 crypto scam that targeted Twitter accounts of international celebrities, fraudsters stole $121,000 in bitcoin from 400 victims.
Although it is evident that the tweets promising bitcoin giveaways on the three targeted Twitter accounts were phony - "Elon Musk" is misspelled, and there is a gray tick in place of a blue tick - blockchain analytics site Blockchair shows that 31 victims sent a total of 5.75 bitcoins, or $273,848, to the fraudulent Bitcoin address.
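The tells described above (giveaway or airdrop wording, a send-this-get-more pitch, a Telegram link, a misspelled impersonation of a well-known name, and the missing blue verification badge) can be folded into a simple per-tweet scoring heuristic that a social media team could run over its own timeline. The Python below is an added example, not code from the article or from any organization it mentions; the sample tweets, the IMPERSONATED_NAMES list, the point weights and the threshold are assumptions chosen for illustration.

```python
"""Heuristic scoring of tweets for crypto-giveaway scam indicators.

Added example; not code from the original article. Indicators follow the
ones the article reports: giveaway/airdrop wording, a "send X, get more
back" pitch, a Telegram link, a misspelled impersonation of a well-known
name, and a missing blue verification badge. Sample tweets are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names scammers impersonate in giveaway scams (assumption for this example).
IMPERSONATED_NAMES = ["elon musk"]

GIVEAWAY_RE = re.compile(r"\b(airdrop|giveaway|give away)\b", re.I)
# "send 0.02 BTC ... get 0.2 BTC" / "send 1 btc, receive 10x"
SEND_GET_RE = re.compile(
    r"send\s+\d+(?:\.\d+)?\s*(?:btc|bitcoin|eth|doge)\b.*?"
    r"(?:get|receive)\s+\d+(?:\.\d+)?\s*(?:btc|bitcoin|eth|doge|x|times)",
    re.I | re.S,
)
TELEGRAM_RE = re.compile(r"https?://t\.me/\S+", re.I)


@dataclass
class Tweet:
    author_handle: str
    verified: bool  # does the posting account carry the blue badge?
    text: str


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss_name(text: str) -> Optional[str]:
    """Return an impersonated name that appears misspelled by exactly one edit.

    Exact spellings are skipped here; they are judged together with the
    verification badge in score_tweet().
    """
    lowered = text.lower()
    words = re.findall(r"[a-z]+", lowered)
    for name in IMPERSONATED_NAMES:
        if name in lowered:
            continue
        k = len(name.split())
        for i in range(len(words) - k + 1):
            if levenshtein(" ".join(words[i:i + k]), name) == 1:
                return name
    return None


def score_tweet(t: Tweet) -> Verdict:
    """Add points per indicator; weights are illustrative assumptions."""
    v = Verdict()
    if GIVEAWAY_RE.search(t.text):
        v.score += 1
        v.reasons.append("giveaway/airdrop wording")
    if SEND_GET_RE.search(t.text):
        v.score += 3
        v.reasons.append("send-X-get-more pitch")
    if TELEGRAM_RE.search(t.text):
        v.score += 1
        v.reasons.append("telegram link")
    name = near_miss_name(t.text)
    if name:
        v.score += 2
        v.reasons.append("misspelled impersonation of %r" % name)
    elif not t.verified and any(n in t.text.lower() for n in IMPERSONATED_NAMES):
        v.score += 2
        v.reasons.append("impersonation from account without blue badge")
    return v


def is_scam(t: Tweet, threshold: int = 4) -> bool:
    return score_tweet(t).score >= threshold


# Constructed samples: a takeover-style scam post, a benign post, and a news post.
SCAM_TWEET = Tweet("hijacked_org", False,
    "We here at Tesla HQ came up with a nice idea: to hold a special airdrop "
    "event of 5000 BTC for all crypto fans! Send 0.02 BTC and get 0.2 BTC back. "
    "Elon Mask https://t.me/btc_giveaway_xyz")
BENIGN_TWEET = Tweet("hijacked_org", True,
    "IMA demands police protection for doctors at hospitals. Read our statement.")
NEWS_TWEET = Tweet("newsdesk", True,
    "Elon Musk says Tesla may accept bitcoin again once mining is greener.")

if __name__ == "__main__":
    for tw in (SCAM_TWEET, BENIGN_TWEET, NEWS_TWEET):
        v = score_tweet(tw)
        print(tw.author_handle, v.score, is_scam(tw), v.reasons)
```

The threshold is deliberately above what any single indicator contributes, so a legitimate post that merely mentions a celebrity, or merely links to Telegram, is not flagged; only the combination that the article describes pushes a tweet over the line.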
On Dec. 12, the official Twitter account of Prime Minister Narendra Modi was compromised for the second time. Cybercriminals tweeted that India had officially adopted bitcoin as a legal tender and that the government was distributing 500 bitcoins among citizens.
Securing Social Media Accounts
Sandip Kumar Panda, CEO and co-founder of Indian cybersecurity firm InstaSafe, tells ISMG that organizations are not paying enough attention to password management using multifactor authentication. "This is what happens when two or three people managing social media accounts gave access to the same password. And in all probability, the password might have been 'Welcome123.' Even script kiddies can crack easy passwords with brute-force attacks," he says.
He advises that if multiple people need to operate an organization's social media account, they should use social media management software that can grant access to multiple users. "This gives the option for multiple controls and makes layering-based approvals possible," Panda says.
He also says that when multiple people manage a social media account, they generally disable OTP-based authentication to avoid the hassle of generating and sharing one-time passwords multiple times.
Panda says Twitter has not enabled organizational access in the way Facebook and LinkedIn have. On Facebook, for example, different levels of access control can be granted to different people.
"If the organization has a CISO, they must implement a zero trust approach. This could help prevent breach incidents even in the case of unpatched software or weak passwords as it allows only access to an application from an authorized device by a verified user. It can be done through a simple single sign-on redirection," Panda says.
Avkash Kathiriya, vice president of research and innovation at Cyware, also recommends applying multiple layers of security to protect social media identities.
He tells ISMG that organizations must enable strong identity and access management governance controls to have "complete visibility on who has access to your credentials, how and where you are storing them, and how frequently you are changing them."
Kathiriya says it is crucial to add an extra layer of security by enabling two-factor authentication for all accounts and identities and that periodically reviewing third-party access given to apps for collaboration and content management of social media can help avoid privacy breaches.