- Apr 21, 2016
- 3,460
This isn't the kind of thing you expect to see posted on the official Twitter account of Trezor, the well-known cryptocurrency wallet manufacturer.
It's a fairly blatant attempt to dupe unwary cryptocurrency fans into transfering digital currency into the wallet of a scammer.
And whoever hacked Trezor's Twitter account didn't limit themselves to just posting a scam. They also tweeted a highly offensive message.
Trezor quickly deleted the unauthorised tweets, and posted a warning to its 205,000 followers.
In a subsequent blog post, Trezor explained how its Twitter account had been compromised - despite the firm having sensible security precautions in place, such as strong passwords and multi-factor authentication.
According to Trezor, someone posing as "a credible entity from the crypto space", using a Twitter account with thousands of followers, approached its PR team on February 29, 2024. The imposter asked to interview Trezor CEO Matej Zak.
After several days of "credible back-and-forth communication", the attacker shared what appeared to be a Calendly invite link.
The scam link purported to be a way of scheduling a meeting via Calendly, but ultimately took Trezor's PR worker to Twitter instead, which asked them to enter their login credentials.
Sensing something was wrong, Trezor's team stopped without endangering their Twitter account.
Later, the attackers made another successful attempt to break into Trezor's Twitter account.
Feigning "technical issues", and a desire to reschedule the meeting, someone at Trezor was socially engineered into approving the authorisation request from the bogus Calendly app to connect with the official Trezor Twitter account.
Attackers could now use the fake Calendly app to post fraudulent tweets via Trezor's Twitter account.
Trezor emphasised to customers that it was only its Twitter account that was compromised by the security incident:
Nonetheless, it's not a good look for the firm to have its Twitter account exploited by cryptocurrency scammers and posting racist slurs.
Be cautious when third-party apps request access to social media accounts. I've had my own personal experience of my Twitter account being exploited by hackers via a rogue third-party service.
Trezor says that it revoked all active sessions (kicking out anyone with access to the Twitter account) as well as deleting the unauthorised posts, and prevented further access by revoking third-party apps.
Source: Trezor's Twitter account hijacked by cryptocurrency scammers via bogus Calendly invite
