An Ontario municipality has become the latest to lose temporary access to its X account.
Peterborough, Ont., a city of 83,600 about 125km northeast of Toronto, says someone took over and renamed its X/Twitter account on Sunday and held control for about 24 hours.
Re-named [at]JupiterExchange, the new controller then began tweeting links to a cryptocurrency scam until this morning, when the city was able to regain access.
Brendan Wedley, the city’s director of strategic communications and service, told IT World Canada that the municipality is looking into how the account was hacked. Three to five people had password access, he said.
The attacker only used their X access to play with the account. The has been no suspicious activity detected on the city’s IT network, Wedley said. Nor, he added, has there been any suspicious activity on the city email accounts of staff who had access to the X account.
In a press release, the city also stressed that no personal information was shared by the municipality on its X social media account.
The incident is once of several recent takeovers of X accounts, many of which were then used for cryptocurrency scams. It isn’t clear if this is one gang’s tactic or there are several copycats.
One of the most embarrassing of the attacks hit cybersecurity company Mandiant over a week ago. The Google-owned division admitted that usually employees have to enable two-factor authentication on any account they have, “but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again.”
The threat actor who took control of the Mandiant account used it to post links to a cryptocurrency drainer phishing page. Drainers are malicious scripts and smart contracts that actors can leverage to siphon funds and/or digital assets, such as non-fungible tokens, from victims’ cryptocurrency wallets after they are tricked into approving transactions.
In arguably the second most embarrassing takeover, the U.S. Securities and Exchange Commission (SEC) was taken over last week, with the hacker tweeting the regulator had approved the listing of bitcoin exchange-traded funds (ETFs) on U.S. security exchanges. That wasn’t true at the time — but a few days later the SEC did okay ETFs. X said it wasn’t at fault for the hack.
Among the other recent victims was a Canadian Senator.
In 2020, a gang used social engineering attacks to take control over and sell access to the Twitter accounts of celebrities and well-known people. One of those who bought control of a stolen account, Joseph James O’Connor — a hacker himself — was sentenced last year to five years in prison.
The recent X hacking incidents are a warning to companies and governments at all levels that an individual or individuals are hunting for poorly secured social media accounts where they can spread links to scams. The focus on X may only be temporary. Use of phishing-resistant multifactor authentication to protect all social media accounts of any organization or prominent individual is imperative.