Reality Winner’s Twitter account was hacked to target journalists


Twitter account of former intelligence specialist, Reality Winner was hacked over the weekend by threat actors looking to target journalists at prominent media organizations.

Hackers took over Winner’s verified Twitter account and changed the profile name to “Feedback Team” to impersonate Twitter staff before sending out suspicious DMs to verified users.

Bogus ‘Copyright Infringement’ notices

On Sunday, multiple journalists and verified Twitter users reported receiving suspicious DMs from a “verified” Twitter account called “Feedback Team.”

On taking a closer look at “Feedback Team’s” account’s handle @reazlepuff however, Jacob Silverman, staff reporter for The New Republic pointed out the hacked account appeared to belong to Reality Winner:

Reality Leigh Winner is an American former intelligence specialist who, in 2018, was sentenced to five years and three months in prison for unauthorized release of classified information to the media.

In 2017, Winner shared a National Security Agency (NSA) report about the Russian interference in the 2016 U.S. elections with the news outlet The Intercept. The report suggested that Russian hackers had illegally accessed U.S. voter registration rolls via email phishing attacks, although it didn’t conclude if this had led to any tampering of electoral records.

Within minutes of Silverman’s tweet, Daily Dot staff writer Mikael Thalen also reported receiving the DM, as did writer Tara Dublin.

These DMs impersonated Twitter staff and contained bogus “copyright infringement” notices enticing the recipients to click on a Google Sites link.

Hi Dear User,

Copyright infringement was detected in one of the shares on your account. If you think copyright infringement is wrong, you need to provide feedback. Otherwise, your account will be removed within 48 hours. You can give feedback at the link below. Thank you for your understanding.…

Twitter Support

The Google Sites webpage, seen by BleepingComputer, contained an embedded HTML iframe.

The contents of the iframe impersonated Twitter’s look and feel and asked the user to provide “feedback on the form” to prevent their account from getting “permanently suspended” over copyright infringement:

phishing webpage
Phishing webpage embedded on a Google Sites page (BleepingComputer)

The source URL of the malicious iframe, is no longer accessible, as confirmed by BleepingComputer.

Credentials harvesting attack targets media companies

This appears to be a credentials harvesting attack and this isn’t the first time such an attack has occurred either.

Mid-February some Indian journalists, including Sreedevi Jayarajan of The News Minute had their verified Twitter account taken over to target other verified profiles in a similar fashion.

The use of the account profile name “Feedback Team,” and the identical wording of the DMs sent at the time from Jayarajan’s hacked account imply the same threat actor(s) may be behind these attacks.

In January, British actor, comedian, and BBC presenter, Adil Ray “almost fell for this” phishing scam purportedly sent by another hacked verified account.

BleepingComputer has previously reported threat actors sending fake DMCA and DDoS complaints to prominent Twitter accounts to spread malware. This scam, however, distinctly targets media personalities via phishing, to harvest credentials from journalists, with the possible goal of breaching news outlets.

BleepingComputer reached out to Reality Winner to better understand what had happened:

“It started with these log ins from Turkey and I couldn’t secure my account quickly enough,” Winner tells BleepingComputer.

“I only had a verified account for like 6 days and thought I was gonna lose it. Also I’m really embarrassed that it sent the DM out to journalists, like I felt like I’d lost all credibility.”

Additionally, Winner also released a statement confirming the hack and expressed regret for anyone affected.

Should you come across a suspicious DM or a Twitter account that appears to be hacked, consider reaching out to real Twitter Support

Start a discussion …
Source link