eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
On September 3, 2024, hackers breached the X account of Lara Trump, Donald Trump’s daughter-in-law and co-chair of the Republican National Committee, and Tiffany Trump, the former president’s youngest daughter.
The hackers released fake posts, from their respective accounts, in a ruse made to appear as if Lara and Tiffany were announcing that the Trump family’s new cryptocurrency venture, World Liberty Financial, had launched. It has not officially launched. However, the hackers’ links claimed to be “the only official channels of World Liberty Financial.”
An official account for World Liberty Financial confirmed the hack in a separate post on X. “ALERT: Lara’s and Tiffany Trump’s X accounts have been hacked. Do NOT click on any links or purchase any tokens shared from their profiles,” the company said. “We’re actively working to fix this, but please stay vigilant and avoid scams!”
Donald Trump has called himself the first “crypto president” and his campaign is receiving substantial contributions from the crypto industry. However, according to news reports, not all of Trump’s cryptocurrency advocates/supporters are fans of the proposed World Liberty Financial venture.
The compromise of the Trumps’ social media accounts is the latest in a string of attacks on celebrities and high-profile executives’ X accounts, all in the support of cryptocurrency scams. X does provide two-factor authentication choices so subscribers can secure their accounts, and these options include security keys/passkeys.
The goal of security key/passkey technology is to provide the account holder secure and phishing-resistant access to online accounts, like banking, e-commerce, and social media, without using passwords.
Unfortunately, eSentire’s security research team, the Threat Response Unit (TRU), found that X’s security options, in the wrong configuration, can undermine the benefits of security keys/passkeys, making subscribers' accounts vulnerable to cyberattacks.
eSentire has discovered the strongest process for securing one’s X account and is offering security guidance for X, which has never been publicly shared.
The Securities and Exchange Commission, a McDonald’s Executive, Rock Legend Metallica, and More Suffer an X Breach
In the past year, several other celebrities, high-profile organizations, and executives have also had their X accounts hijacked. In January of this year, the Securities and Exchange Commission’s (SEC) X account was hacked, and the threat actors posted a message to its 660,000+ followers.
The false message claimed that the SEC had approved the listing and trading of spot Bitcoin Exchange Traded Funds (ETFs) and caused the market price of Bitcoin to immediately jump to nearly USD $48,000. The fraudulent X message also included an image and additional message from SEC Chairman, Gary Gensler, where he speaks about the “approval” (Figure 1).
Figure 1: The threat actors who hijacked the SEC’s Twitter account posted the fraudulent image and message from SEC Chair Gary Gensler
According to X’s security team, someone hijacked control of the mobile phone number associated with the SEC’s account. X’s security team suspected this was done via a SIM swapping attack. There wasn't much about the tweet which would have raised suspicion amongst the typical X users - even those who were security experts.
The security team with X investigated the SEC hack and stated the following message:
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”
On August 22, 2024, an executive with McDonald's had their personal X account hijacked. The scheme began on August 21, 2024, when McDonald’s’ corporate Instagram account was breached. The account has approximately 5 million followers. The breach involved a hacker “using the account to promote the memecoin called grimace (GRIMACE30045-USD)". The cryptocurrency is reportedly inspired by McDonald's' purple mascot of the same name.
At the same time that the McDonald’s Instagram account began posting about the memecoin, similar promotional posts began appearing on the personal X account of McDonald’s’ senior marketing director Guillaume Huin, and it was apparent his X account had been hacked.
According to news reports, shortly after the hack, the cryptocurrency's market capitalization rose to around $20 million before dropping to below $1 million, with the hackers presumably cashing out their earnings. The threat actors even updated McDonald's Instagram bio to thank followers for the $700,000 they had fraudulently collected.
Longtime popular rock band, Metallica, also had their X account hacked recently. On June 26, hackers used it to promote a Solana-associated token called METAL. The messages posted to X, by the scammers, contained disinformation with references to Ticketmaster and the participation of the fintech firm MoonPay.
MoonPay’s president, Keith Grossman, quickly denied any association to the scam. News outlets reported that the METAL token briefly experienced a jump in their market cap to $3.37 million, but then it dropped back to $90,000 in several hours.
In July, the popular actress Sydney Sweeney had her X account hacked via a SIM swapping scheme. The threat actor sent out numerous tweets promoting a Solana meme coin before the posts were deleted. Crypto traders poured $13 million into the token within less than an hour before the posts were taken down (Figure 2).
Figure 2: The threat actor/SIM Swapper showing proof of his attack on actress Sydney Sweeney’s X account, used to promote a cryptocurrency scam
Hackers Target X Accounts of High-Level Executives, Celebrities, and Top Organizations and their Thousands of Followers
X account holders might ask, “Why should I worry that my X account might be hacked?”
Certainly, for many X members, the likelihood that their account will be breached is nominal. However, if you are a well-known celebrity, high-level executive, or top organization, and you have a wide reach with the public, then chances your account will be targeted by threat actors, especially those perpetrating cryptocurrency scams, are good.
High-profile entities exude trust and credibility, and they often have thousands or millions of followers. Also, when an X account is verified, its followers typically trust information from these sources.
For a business or organization to be verified on X, an account holder will pay up to $1,000 a month to subscribe to X Full Access, provide a photo, provide a display name, and a phone number. The X account that represents a brand or organization needs to ensure the X handle and account name are consistent with the brand or organization’s identity.
For an individual to be verified on X, they will purchase a premium subscription for $8-15 a month, and they must complete a profile and maintain a consistent presence on the platform, they should also link their phone number to the account.
Many organizations or brands also have a website linked to their X account. Unfortunately, when verified X accounts are hacked, the messages they spread appear credible and their followers are easily deceived.
X’s MFA Options Can Undermine the Benefits of Security Keys, Making Subscribers' Accounts Vulnerable to Hackers
These incidents highlight that even accounts with one of the world’s largest social networking services can be vulnerable to cyberattacks. Security novices might argue that the breaches of these X accounts could have been prevented if the account holders had implemented two-factor (2FA) authentication.
However, this blog will show readers that security keys/passkeys, that are backed up by traditional two-factor authentication processes, such as SMS codes or an authenticator application, can be circumvented by hackers, via SIM swapping and advanced phishing techniques like “Adversary-in-the-Middle" (AitM) attacks.
An AMR attack is when a subscriber arrives at a software service’s log-in page, and the attacker makes it so that the security key/passkey option doesn’t even appear, the only choice is to sign in with your email address and password.
The software services and online retailers, whose security key/passkeys implementations that could be bypassed by AitM phishing and AMR attacks include Microsoft Live, Amazon’s E-Commerce website (not AWS), eBay, CVS Pharmacy, Target, and Google Gmail accounts (if not protected by Google’s Advanced Protection Program), GitHub, Coinbase, and others.
A successful AitM attack can allow hackers to intercept and potentially gain unauthorized access to a customer’s online financial accounts, email, healthcare records, etc. This kind of access can potentially lead to financial fraud, theft of PII, including personal health records, business email compromise, and so on.
If you are a top organization, high-level executive, or well-known celebrity, TRU cautions one to secure their X account from sophisticated cyber threats. TRU is recommending the adoption of WebAuthn (e.g. passkeys or FIDO2 hardware authenticators), AND the disablement of insecure MFA methods at the same time. This blog will walk readers through the process of securing one’s X account with WebAuthn security keys, providing robust protection against phishing attacks and unauthorized access attempts.
And although a flaw in YubiKey 5’s two-factor authentication security keys has recently been discovered, making them vulnerable to cloning, it is important to note that exploiting this vulnerability requires not only physical access to the YubiKey but also approximately $11,000 USD of equipment to then extract the owner’s private keys from the YubiKeys.
On top of that, the attacker would also need access to the account owner’s usernames, account passwords, PIN codes, or any other authentication keys used to secure the account.
Therefore, using security keys, including the YubiKey, is still one of the most effective ways of securing your X account.
Understanding WebAuthn and FIDO2
WebAuthn is a web standard that provides a secure and phishing-resistant way to authenticate users. It leverages public-key cryptography, where the user's credentials are stored on a hardware device, such as a FIDO2 hardware key like the YubiKey, or a device that supports passkeys (e.g., modern smartphones and computers).
These credentials are only activated for use when visiting the same site, where they were originally registered, ensuring that they cannot be captured by a phishing site.
Why Avoid Other 2FA Methods?
While traditional 2FA methods like SMS codes, authentication apps, and backup codes add a small security improvement over passwords, they are no defense against sophisticated modern phishing attacks.
These days, attackers can easily intercept or trick users into revealing these codes, or social-engineer mobile providers into replacing the registered SIM on an account, redirecting the code to the attacker’s phone.
Security keys provide a stronger alternative as it requires access to the user's key stored on a separate device or in a secure enclave, making remote phishing virtually impossible.
Step-by-Step Guide to Enabling Security Keys on X
Let's walk through the process of securing your X account using security keys.
Step 1: Accessing Security Settings
Log in to your X account.
Navigate to the "Settings and privacy" section. You can find this by clicking on your profile icon and selecting "Settings and privacy" from the dropdown menu.
Step 2: Navigate to Two-Factor Authentication
Under "Settings," select "Security and account access."
Go to "Two-factor authentication" to view your 2FA options (Figure 3).
Figure 3: Security settings dialog in X
Step 3: Disable Insecure 2FA Methods
Under "Two-factor authentication," you will see options for "Text message," "Authentication app," and "Security key."
Disable the "Text message" and "Authentication app" options by clicking the toggle switch next to each. Text messages are vulnerable to SIM swapping attacks as well as being susceptible to phishing attacks and should never be used as a 2FA method if more secure options are available. Likewise, authenticator apps also expose the user to the possibility of Adversary in the Middle (AitM) attacks. Since these attacks could also employ Authentication Method Redaction (AMR) techniques to force you to fall back to an insecure 2FA method, you should make sure these options are completely disabled.
Important: If you have backup codes enabled, refrain from using them as they can be stolen in an AitM phishing attack. If you’ve previously saved any backup codes, just generate new ones and don’t save them anywhere. You can’t be phished for something you don’t have! (Figure 4).
Figure 4: Two-factor authentication settings in X
Step 4: Enable Security Key
Click on the "Security key" option.
Follow the prompts to register your security key. You will need to physically connect your FIDO2 security key to your device (via USB, NFC, or Bluetooth) and follow the on-screen instructions.
Once registered, your security key will be your primary 2FA method. This setup makes it impossible for attackers to access your account without the physical key.
Step 5: Add Redundant Security Keys
To prevent losing access to your account if your primary key is lost it is critically important to register additional security keys.
Go back to the "Security key" section and add another key. This redundancy ensures that you can still access your account if one key is unavailable (Figure 5).
Figure 5: Always have multiple security keys added to your account
Testing Your New Setup
After setting up your security keys, log out and attempt to log back in. You should be prompted to use your security key to complete the authentication process. This test ensures that everything is functioning correctly and that your account is secure.
By securing your X account with security keys, you protect yourself against AitM phishing attacks. Remember, the key to maintaining security is to disable all insecure 2FA methods and rely solely on security keys as the sole 2FA authentication method wherever it is offered. Stay vigilant and always have redundant security keys for each account!
If you are not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Connect with an eSentire Security Specialist to learn more
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
