Rachel Tobac
Hacker & CEO @SocialProofSec security awareness/social engineering training, videos, talks | 3X @DEFCON🥈 | Chair @WISPorg | @CISAgov Technical Advisory Council
Jun 23 6 tweets 4 min read
Spoofing (changing caller ID) takes less than a minute and can be done using apps available on the App Store.
Here we see Mark Cuban talking about getting tricked through a phone scam where the attacker spoofed a Google number (Google assistant) and took over his Gmail account🧵
The scam is simple, here’s the breakdown for your family, friends, team, etc with an example video at the bottom:
1. Attacker finds your phone number in data breach or on data brokerage site
2. Attacker sets up which phone number to display on your caller ID with a spoofing app from the App Store (cheap and simple)
3. Attacker places call to victim and pretends they’re with Customer Support (in this case, recovery support at Google), which displays a “Google” number on victim’s caller ID
4. Attacker says there has been an incident on your account and to follow the steps with them to recover access
5. Victim gives attacker details like password, MFA code, or account recovery details to “protect the account from compromise” (in reality, this is the attack itself, of course)
6. Attacker takes over the account and now can do anything victim used to be able to do on account (email in threads and attack others, request fraudulent wire transfers, steal all data, etc)
7. Typically the victim struggles to regain access to their account and the attacker hits many on their contact list
8. Because Mark Cuban is who he is, he was able to regain access with special support that most others would not receive.

Example spoofing phone call attack video below:

Next, let’s discuss how to prevent yourself or others falling for this attack.
May 31 5 tweets 2 min read
I need to explain how AI text to sound effect can be used by criminals to make their kidnapping or bail-related scams believable.
In the wild, we’re seeing “female scream” or “young boy screaming specific name” used in AI voice cloning phone attacks with phone number spoofing 🧵
We’re already seeing these generic scream-related sound effects used in criminals’ pretexts to convince the call receiver that their loved one is truly in trouble and to send money without question.
As AI evolves, we’ll see more and more believable and specific sounds in use.
May 13 6 tweets 2 min read
lol leveraging this real time translator to phish via phone calls in the target’s preferred language in 3…2… So far, AI has been used for believable translations in phishing emails — E.g. my Icelandic customers are seeing a massive increase in phishing in their language in 2024. Before only 350,000 or so people comfortably spoke Icelandic correctly, now AI can do it for the attacker,
Mar 30 5 tweets 4 min read
How was social engineering potentially used in the open source security vulnerability? And more
Let's break down the open source security vulnerability (in xz/liblzma) that caused massive upstream supply chain risk & could have allowed the attacker the ability to compromise machines, steal data, attack other machines, destroy info, etc.

Date: Fri, 29 Mar 2024 08:51:26 -0700
From: Andres Freund <andres@...razel.de>
To: oss-security@...ts.openwall.com
Subject: backdoor in upstream xz/liblzma leading to ssh server compromise

Hi,

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian's package, but it turns out to be upstream.

1. Was the contributor Malicious, Compromised, or Coerced? Let’s talk Occam’s Razor
We don’t know everything yet so let’s take into consideration Occam’s Razor -- the simplest explanation is the most likely explanation so it’s likely that the contributor of the vulnerable code is the malicious actor themselves, but we can acknowledge it’s possible that he was coerced or compromised.
However, it’s important to note this contributor tried to get this library included in the Fedora Linux Distro and worked with them diligently to fix it to their liking, so it seems unlikely to many that it was a simple account compromise/account takeover.

User states: Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6. added to Fedora 40 & 41 because of its "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo. He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of ...
Feb 17 12 tweets 7 min read
Everyone's talking about the woman who put $50k in a shoebox and handed it to scammers and how they wouldn't fall for it. It would shock you how many everyday people have embarrassing scam stories.
I can't help once the scam's over, but I can help you Spot The Scam upfront:
Let’s go thru the anatomy of a scam, we’ll call this The Shoebox Scam.

1. Spoofing customer service:
we’ve seen a major increase in attacks starting with a phone call in the last few years. It’s easy to make the caller ID say anything with spoofing technology you can download on the App Store. Spoofing takes less than 30 seconds to set up and costs about a dollar per call.
When hacking, we often pretend to be someone trying to help you, to encourage you to give up sensitive info about yourself, your account, your money, etc.

Notice that the attacker was a polite woman to start off this scam, not mean and cruel but helpful. Mimicking real customer support interactions when loss prevention calls.
thecut.com/article/amazon…
Feb 15 4 tweets 3 min read
AI text-to-video is here and we need to discuss the risks.
They mention in this thread that they’re considering the ways adversaries would leverage this content to harm thru red teaming but I’m still concerned.
My biggest concern is how this content could be used to trick, manipulate, phish, and confuse the general public.
- for example, imagine an adversary uses this tool to build an AI video that appears to show a vaccine side effect that doesn’t exist
- imagine an adversary uses this tool to show unimaginably long lines in bad weather to convince people it’s not worth it to head out to vote that day
This tool is going to be massively challenging to test and control under many, let alone most, adversarial conditions. In their post, they discuss rules they’re implementing to limit adversarial use of this text-to-video tool like limiting extreme violence, celebrity likeness, hateful imagery, etc.
But take my example above, prompting this AI tool for “a video of a very long line of people waiting in a torrential downpour outside a building” isn’t in violation of these policies — the danger is in how it’s used.

If that AI generated video of an impossibly long line of people in torrential downpour is used by an adversary to post on social media on the Election Day, now it could be used to convince certain folks to stay home and avoid the polls and line/weather.
Jan 10 6 tweets 6 min read
*Account Takeover Prevention Guide*
If you watched the SEC account hack that moved markets yesterday & wondered how to prevent account takeover for your personal, business, or high profile social media account, here's an Account Takeover Prevention Guide for you and/or your org.

SEC Tweet that reads: The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.

1. *Remove phone number from Twitter account to prevent SIM swap and account takeover through phone number password reset flow*
Settings and Support > Settings and Privacy > Your Account > Account Information > Remove Phone Number in Phone Number field
On Twitter specifically, there's a vulnerability affecting higher profile accounts or accounts with the new style of checkmarks. If they want to be "verified" they have to add a phone number to do so, but this significantly increases risk for their account due to SIM Swapping.
Many don't realize that when they add the phone number to become "verified" it *stays* on their account. Once that phone number is on the account, they then don't realize that the phone number can be used to completely reset the account's access through the phone number password reset flow (seen below in photo) and here online:
Criminals can take over your phone number through a process called SIM Swapping (calling your telephone company and taking over your phone number and account by pretending to be you).
This then allows the criminal to reset your password through the attacker-controlled phone number, or siphon out SMS 2-factor codes sent to that phone number.
This is what Twitter effectively claims happened to SEC yesterday when their phone number was taken over to reset an account "without any 2 factor authentication" on the SEC account.
help.twitter.com/en/managing-yo…
Oct 10, 2023 5 tweets 3 min read
Thank you @lorenzofb @TechCrunch for discussing the 23andMe intrusion with me.
Here’s a breakdown thread with more of my thoughts:
1. What happened in this data leak?
2. What can orgs proactively do to prevent similar intrusions?
3. What can individuals do to limit their risk of account takeover in similar ways on other sites?
1. What happened in this data leak?

Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to login as other users.
Unfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online.
The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.
23andMe doesn’t yet appear to be hacked itself, rather the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.
Sep 13, 2023 11 tweets 3 min read
One of the easiest ways for me to hack is simply:
1. Look up who works at an org on LinkedIn
2. Call Help Desk (spoof phone number of person I’m impersonating)
3. Tell Help Desk I lost access to work account & help me get back in

I hope we learn more & get confirmation of methods
The threat actors claim this was their attack method to compromise MGM Resorts. I’m sure we’ll learn details soon.
For now I’ll say that the attack method they claim worked for them does indeed work for me often. Most orgs aren’t ready for phone based social engineering.
May 21, 2023 7 tweets 2 min read
Here’s how I used AI to clone a 60 Minutes correspondent’s voice to trick a colleague into handing over her passport number. I cloned Sharyn’s voice then manipulated the caller ID to show Sharyn’s name with a spoofing tool.
The hack took 5 minutes total for me to steal the info. How to stay safe?
1. Make sure your folks know that caller ID is easily faked. Voices can also now be impersonated.
2. If they receive a dire call from “you”, verify it’s really you w/ another method of communication (text, DM, FT, call, etc) before action (like sending money).
Mar 16, 2023 6 tweets 2 min read
Some say they feel nervous to use a password manager -- if that feeling is leading you to be less safe & reuse passwords (which btw is the easiest way for me to hack you bc that pw gets breached), then try this trick:
🧂Salt your password manager passwords🧂
Here's the trick: Use your pw manager to generate long, random & unique passwords for each site -- store those passwords in the password manager. Then you have a special code (words, letters, numbers, etc) that you add at the beginning, middle or end of those passwords yourself while logging in.
Mar 16, 2023 5 tweets 2 min read
5 days until Twitter auto unenrolls users who haven’t paid from the SMS 2FA that they enabled on their account. Yes, SMS 2FA users could switch to app-based MFA (or security key), but many won’t because they don’t care to, aren’t aware, or aren’t sure what this is all about. Twitter’s blog post about requiring payment for SMS 2FA is
Removing security tools access, especially the tool that folks use the most frequently and understand right now, makes the internet as a whole a less secure place and increases fraud. Only 2.6% of Twitter users have any MFA on at all & of that small percent 74.4% use SMS 2FA.
Mar 10, 2023 7 tweets 4 min read
*Phish Incoming Alert*
Former Silicon Valley Bank users —
your bank closing will likely be used as a phishing pretext by cyber criminals over email, text message, and phone call. Financial fear tricks folks fast.
Slow down & verify any email/text/call is legit before taking… twitter.com/i/web/status/1…
The “SVB closing, take action” related phishing messages will likely have a sense of urgency (like “click here to claim funds in the next 24 hours”). Verify the message is legit before clicking and handing over credentials, wiring money, sending sensitive banking info, etc.
Feb 21, 2023 5 tweets 3 min read
Ask A Hacker: "Rachel, is it actually a big deal if I Google my name and my email address or phone number pop up. Why could that matter for someone like me?"
It can matter because many services you trust still use knowledge based authentication (KBA -- info like email… twitter.com/i/web/status/1…
For most folks I can quickly Google your name and find your email address, phone number, date of birth, etc from a data brokerage site. These sites make a profit by scraping your private details and selling it to people. Not cool at all. What can we do
support.google.com/websearch/trou… twitter.com/i/web/status/1…
Feb 19, 2023 8 tweets 3 min read
*Facebook / Instagram Paid Verification*
Implementation differences so far:
- Focus on ID verification from the start (missing in Twitter's roll out)
- Focus on decreasing impersonation (was the biggest concern come-to-life w/ Twitter's roll out)
- 2FA required (hoped for this)
Do I think paid verification is the best idea in the world? I don't.
But I'm not a Product Manager so I'll focus on the cybersecurity elements of this roll out.
ID is *essential* in pay-to-play verification, otherwise impersonation goes wild (like we saw in the Twitter roll out)
Feb 18, 2023 6 tweets 2 min read
Continuing to see SMS increase as 1st vector tried in hacking — recently was attempted on @coinbase:
1. Attacker sends text to employee phone with urgent “sign in required” impersonating SSO/dashboard
2. Follow with IT Support impersonation call to victim
coinbase.com/blog/social-en…
So, “how are these attackers getting my employees’ phone numbers?!”
When I’m asked to hack here’s how I find contact details:
A. LinkedIn to figure out who works at the target org
B. Contact details often have a phone number on LI, if none find phone number on data brokerage site
Feb 18, 2023 18 tweets 6 min read
This Twitter 2FA change is nerve-racking because:
1. Only ~2.6% of Twitter users have 2FA on at all (it’s essential for preventing easy account takeover)
Of those 2.6%, 74% use text message based 2FA (transparency.twitter.com/en/reports/acc…)
If they don’t pay for Blue they auto lose 2FA on 3/20. Coupling essential security features with the requirement to pay, esp for the most used option of SMS 2FA, is not the right move.

Should higher threat model folks use app-based MFA/keys? YES!

Should we require all folks to PAY or lose out on the 2FA they already enrolled in? No
Oct 25, 2022 7 tweets 3 min read
*New takedown tool*
It’s easy to hack into accounts bc we can find most email/phone online, plug those into data breaches, then find passwords & login as you.
🔒Google launched a new tool for sensitive detail takedown requests🔒 Here’s how to remove your contact info for free:
First step: google your name then the word(s) address OR phone number OR email address. You’ll likely see many data brokerage sites selling your personal and work email addresses, phone numbers and addresses. Click the 3 dots to the right of each result.
Jul 23, 2022 8 tweets 2 min read
This breach may allow a person to easily search up and find email addresses and phone numbers for 5.4 million Twitter users — so it’s important to be extra skeptical of emails and texts claiming to be “Twitter” requesting things like a password update, etc
bleepingcomputer.com/news/security/…
Folks are often tricked by phishing messages because they contain details believed to be secret (ie referencing the phone or email on the account). In many cases phone & email are findable by criminals and can be used to build credibility in phishing messages and trick people.