Hackers Breach Lara and Tiffany Trump’s X Accounts in a Cryptocurrency Scam, the Latest in a String of Attacks on X Accounts

On September 3, 2024, hackers breached the X account of Lara Trump, Donald Trump’s daughter-in-law and co-chair of the Republican National Committee, and Tiffany Trump, the former president’s youngest daughter.

The hackers released fake posts, from their respective accounts, in a ruse made to appear as if Lara and Tiffany were announcing that the Trump family’s new cryptocurrency venture, World Liberty Financial, had launched. It has not officially launched. However, the hackers’ links claimed to be “the only official channels of World Liberty Financial.”

An official account for World Liberty Financial confirmed the hack in a separate post on X. “ALERT: Lara’s and Tiffany Trump’s X accounts have been hacked. Do NOT click on any links or purchase any tokens shared from their profiles,” the company said. “We’re actively working to fix this, but please stay vigilant and avoid scams!”

Donald Trump has called himself the first “crypto president” and his campaign is receiving substantial contributions from the crypto industry. However, according to news reports, not all of Trump’s cryptocurrency advocates/supporters are fans of the proposed World Liberty Financial venture.

The compromise of the Trumps’ social media accounts is the latest in a string of attacks on celebrities and high-profile executives’ X accounts, all in the support of cryptocurrency scams. X does provide two-factor authentication choices so subscribers can secure their accounts, and these options include security keys/passkeys.

The goal of security key/passkey technology is to provide the account holder secure and phishing-resistant access to online accounts, like banking, e-commerce, and social media, without using passwords.

Unfortunately, eSentire’s security research team, the Threat Response Unit (TRU), found that X’s security options, in the wrong configuration, can undermine the benefits of security keys/passkeys, making subscribers' accounts vulnerable to cyberattacks.

eSentire has discovered the strongest process for securing one’s X account and is offering security guidance for X, which has never been publicly shared.

The Securities and Exchange Commission, a McDonald’s Executive, Rock Legend Metallica, and More Suffer an X Breach

In the past year, several other celebrities, high-profile organizations, and executives have also had their X accounts hijacked. In January of this year, the Securities and Exchange Commission’s (SEC) X account was hacked, and the threat actors posted a message to its 660,000+ followers.

The false message claimed that the SEC had approved the listing and trading of spot Bitcoin Exchange Traded Funds (ETFs) and caused the market price of Bitcoin to immediately jump to nearly USD $48,000. The fraudulent X message also included an image and additional message from SEC Chairman, Gary Gensler, where he speaks about the “approval” (Figure 1).

According to X’s security team, someone hijacked control of the mobile phone number associated with the SEC’s account. X’s security team suspected this was done via a SIM swapping attack. There wasn't much about the tweet which would have raised suspicion amongst the typical X users - even those who were security experts.

The security team with X investigated the SEC hack and stated the following message:

“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.” 

On August 22, 2024, an executive with McDonald's had their personal X account hijacked. The scheme began on August 21, 2024, when McDonald’s’ corporate Instagram account was breached. The account has approximately 5 million followers. The breach involved a hacker “using the account to promote the memecoin called grimace (GRIMACE30045-USD)". The cryptocurrency is reportedly inspired by McDonald's' purple mascot of the same name.

At the same time that the McDonald’s Instagram account began posting about the memecoin, similar promotional posts began appearing on the personal X account of McDonald’s’ senior marketing director Guillaume Huin, and it was apparent his X account had been hacked.

According to news reports, shortly after the hack, the cryptocurrency's market capitalization rose to around $20 million before dropping to below $1 million, with the hackers presumably cashing out their earnings. The threat actors even updated McDonald's Instagram bio to thank followers for the $700,000 they had fraudulently collected.

Longtime popular rock band, Metallica, also had their X account hacked recently. On June 26, hackers used it to promote a Solana-associated token called METAL. The messages posted to X, by the scammers, contained disinformation with references to Ticketmaster and the participation of the fintech firm MoonPay.

MoonPay’s president, Keith Grossman, quickly denied any association to the scam. News outlets reported that the METAL token briefly experienced a jump in their market cap to $3.37 million, but then it dropped back to $90,000 in several hours.

In July, the popular actress Sydney Sweeney had her X account hacked via a SIM swapping scheme. The threat actor sent out numerous tweets promoting a Solana meme coin before the posts were deleted. Crypto traders poured $13 million into the token within less than an hour before the posts were taken down (Figure 2).

Hackers Target X Accounts of High-Level Executives, Celebrities, and Top Organizations and their Thousands of Followers

X account holders might ask, “Why should I worry that my X account might be hacked?”

Certainly, for many X members, the likelihood that their account will be breached is nominal. However, if you are a well-known celebrity, high-level executive, or top organization, and you have a wide reach with the public, then chances your account will be targeted by threat actors, especially those perpetrating cryptocurrency scams, are good.

High-profile entities exude trust and credibility, and they often have thousands or millions of followers. Also, when an X account is verified, its followers typically trust information from these sources.

For a business or organization to be verified on X, an account holder will pay up to $1,000 a month to subscribe to X Full Access, provide a photo, provide a display name, and a phone number. The X account that represents a brand or organization needs to ensure the X handle and account name are consistent with the brand or organization’s identity.

For an individual to be verified on X, they will purchase a premium subscription for $8-15 a month, and they must complete a profile and maintain a consistent presence on the platform, they should also link their phone number to the account.

Many organizations or brands also have a website linked to their X account. Unfortunately, when verified X accounts are hacked, the messages they spread appear credible and their followers are easily deceived.

X’s MFA Options Can Undermine the Benefits of Security Keys, Making Subscribers' Accounts Vulnerable to Hackers

These incidents highlight that even accounts with one of the world’s largest social networking services can be vulnerable to cyberattacks. Security novices might argue that the breaches of these X accounts could have been prevented if the account holders had implemented two-factor (2FA) authentication.

However, this blog will show readers that security keys/passkeys, that are backed up by traditional two-factor authentication processes, such as SMS codes or an authenticator application, can be circumvented by hackers, via SIM swapping and advanced phishing techniques like “Adversary-in-the-Middle" (AitM) attacks.

It is important to note that X is not the only online service whose security key/passkey implementation is vulnerable to attack. In June 2024, eSentire’s TRU team reviewed the implementation of several of the most popular software services’ and online retailers’ security key/passkey authentication flow, and nearly all of them could still be bypassed by AitM phishing, using what TRU calls an “Authentication Method Redaction” attack or AMR attack for short.

An AMR attack is when a subscriber arrives at a software service’s log-in page, and the attacker makes it so that the security key/passkey option doesn’t even appear, the only choice is to sign in with your email address and password.

The software services and online retailers, whose security key/passkeys implementations that could be bypassed by AitM phishing and AMR attacks include Microsoft Live, Amazon’s E-Commerce website (not AWS), eBay, CVS Pharmacy, Target, and Google Gmail accounts (if not protected by Google’s Advanced Protection Program), GitHub, Coinbase, and others.

A successful AitM attack can allow hackers to intercept and potentially gain unauthorized access to a customer’s online financial accounts, email, healthcare records, etc. This kind of access can potentially lead to financial fraud, theft of PII, including personal health records, business email compromise, and so on.

If you are a top organization, high-level executive, or well-known celebrity, TRU cautions one to secure their X account from sophisticated cyber threats. TRU is recommending the adoption of WebAuthn (e.g. passkeys or FIDO2 hardware authenticators), AND the disablement of insecure MFA methods at the same time. This blog will walk readers through the process of securing one’s X account with WebAuthn security keys, providing robust protection against phishing attacks and unauthorized access attempts.

And although a flaw in YubiKey 5’s two-factor authentication security keys has recently been discovered, making them vulnerable to cloning, it is important to note that exploiting this vulnerability requires not only physical access to the YubiKey but also approximately $11,000 USD of equipment to then extract the owner’s private keys from the YubiKeys.

On top of that, the attacker would also need access to the account owner’s usernames, account passwords, PIN codes, or any other authentication keys used to secure the account.

Therefore, using security keys, including the YubiKey, is still one of the most effective ways of securing your X account.

Understanding WebAuthn and FIDO2

WebAuthn is a web standard that provides a secure and phishing-resistant way to authenticate users. It leverages public-key cryptography, where the user's credentials are stored on a hardware device, such as a FIDO2 hardware key like the YubiKey, or a device that supports passkeys (e.g., modern smartphones and computers).

These credentials are only activated for use when visiting the same site, where they were originally registered, ensuring that they cannot be captured by a phishing site.

Why Avoid Other 2FA Methods?

While traditional 2FA methods like SMS codes, authentication apps, and backup codes add a small security improvement over passwords, they are no defense against sophisticated modern phishing attacks.

These days, attackers can easily intercept or trick users into revealing these codes, or social-engineer mobile providers into replacing the registered SIM on an account, redirecting the code to the attacker’s phone.

Security keys provide a stronger alternative as it requires access to the user's key stored on a separate device or in a secure enclave, making remote phishing virtually impossible.

Step-by-Step Guide to Enabling Security Keys on X

Let's walk through the process of securing your X account using security keys.

Step 1: Accessing Security Settings

• Log in to your X account.
• Navigate to the "Settings and privacy" section. You can find this by clicking on your profile icon and selecting "Settings and privacy" from the dropdown menu.

Step 2: Navigate to Two-Factor Authentication

• Under "Settings," select "Security and account access."
• Go to "Two-factor authentication" to view your 2FA options (Figure 3).

Step 3: Disable Insecure 2FA Methods

• Under "Two-factor authentication," you will see options for "Text message," "Authentication app," and "Security key."
• Disable the "Text message" and "Authentication app" options by clicking the toggle switch next to each. Text messages are vulnerable to SIM swapping attacks as well as being susceptible to phishing attacks and should never be used as a 2FA method if more secure options are available. Likewise, authenticator apps also expose the user to the possibility of Adversary in the Middle (AitM) attacks. Since these attacks could also employ Authentication Method Redaction (AMR) techniques to force you to fall back to an insecure 2FA method, you should make sure these options are completely disabled.
• Important: If you have backup codes enabled, refrain from using them as they can be stolen in an AitM phishing attack. If you’ve previously saved any backup codes, just generate new ones and don’t save them anywhere. You can’t be phished for something you don’t have! (Figure 4).

Step 4: Enable Security Key

• Click on the "Security key" option.
• Follow the prompts to register your security key. You will need to physically connect your FIDO2 security key to your device (via USB, NFC, or Bluetooth) and follow the on-screen instructions.
• Once registered, your security key will be your primary 2FA method. This setup makes it impossible for attackers to access your account without the physical key.

Step 5: Add Redundant Security Keys

• To prevent losing access to your account if your primary key is lost it is critically important to register additional security keys.
• Go back to the "Security key" section and add another key. This redundancy ensures that you can still access your account if one key is unavailable (Figure 5).

Testing Your New Setup

After setting up your security keys, log out and attempt to log back in. You should be prompted to use your security key to complete the authentication process. This test ensures that everything is functioning correctly and that your account is secure.

By securing your X account with security keys, you protect yourself against AitM phishing attacks. Remember, the key to maintaining security is to disable all insecure 2FA methods and rely solely on security keys as the sole 2FA authentication method wherever it is offered. Stay vigilant and always have redundant security keys for each account!

If you are not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Connect with an eSentire Security Specialist to learn more