Originally published at: British Army's YouTube and Twitter accounts hacked by NFT hucksters | Boing Boing
…
The world is a weird place.
“Y tho?”
…If you’re gullible enough to be interested in joining the British Army you may be gullible enough to invest in cryptocurrency.
“Romeo Alpha ten, this is Foxtrot Oscar niner, target 17VZNX1SN5NtKa8UQFxwQbFeFc3iqRYhem, 15 rounds HE, fire for effect, over.”
Yep, Web3 continues to go just great.
Unless there’s a devil in the details somewhere (I believe that they used to make having a weak ‘recovery’ mechanism mandatory even if you were using a FIDO key; but they say that they don’t do that anymore) it looks like Twitter supports a more or less adequate set of MFA options; so I’m curious about just how badly the army managed to screw it up.
Someone SIM-swap the social media intern? Weak shared password? Some sort of 3rd party account management tool with API keys left around randomly?
In fairness to the British Army’s target audience for recruitment, they are children.
The British Army is well practiced at punitive expeditions.
Let’s hope they’ve enabled two factor authentication on the nuclear missiles.
Who runs it? Crapita?
Wouldn’t surprise me. (They do run recruitment for the British Army.)
XKCD for everything…
And what a terrific job they’ve been doing:
“You know this crypto is legit, as they hacked the army twitter feed and their mascot is an ape dressed up like the joker!”
Perfect day to imagine Graham Chapman in character as the angry colonel bellowing HOW DARE YOU.
“You’ve got a nice web site here, colonel.”
It’s even simpler than that. The gambit is simply “any sizable audience will have a percentage of people that will fall for our pump-and-dump scheme”.
These cryptobros are out looking for any audience of captive eyeballs. Planet Money recently did a story about how the largest forum for backyard chicken enthusiasts on Facebook suddenly turned into a crypto scam. The moderator of the forum got into crypto and realized he had this huge set of captive eyeballs for a P-and-D, so he simply converted the forum to one about crypto. As you can imagine, everyone was super mad, but it was worth it to him to maybe get some marks out of it.
That’s all they want, though: eyeballs.
They probably didn’t have MFA set up and got phished. That’s 99% of how accounts on any platform are stolen these days. It’s still the easiest way. People don’t bother with MFA, and sooner or later someone in the org who knows the credentials clicks that official-looking link in that email from twittter.com…
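The comment above pins the breach on a phished credential behind a lookalike sender such as “twittter.com”. As an added example (not from the thread or from Twitter), here is a small Python check that pulls the sender and link domains out of an email and flags the ones that merely resemble a trusted domain: an extra or swapped character, a confusable-character substitution (`vv` for `w`, `0` for `o`), or the real brand used as a subdomain of an attacker-controlled host. The allowlist `LEGIT_DOMAINS`, the sample email and the two-label notion of a registrable domain are all assumptions of this example.

```python
"""Flag lookalike sender and link domains in a phishing-style email.

Added example, not part of the original discussion. LEGIT_DOMAINS, the
sample message and the "last two labels" registrable-domain rule are
assumptions made for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: the only domain the account holders should trust for this
# platform. Add further trusted domains here as needed.
LEGIT_DOMAINS = {"twitter.com"}

# Character swaps commonly used to build lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o")]

URL_RE = re.compile(r"https?://\S+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.I)


def registrable(domain):
    """Last two labels: 'help.twitter.com' -> 'twitter.com'.
    Simplification: ignores multi-part public suffixes such as co.uk."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def fold_confusables(s):
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def levenshtein(a, b):
    """Plain dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'legit', 'lookalike' or 'unrelated' for a host name."""
    domain = domain.lower().strip(".")
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:
        return "legit"
    # Everything left of the registrable part, e.g. 'twitter-com' in
    # 'twitter-com.verify-login.example'.
    prefix = domain[: len(domain) - len(reg)].strip(".")
    prefix_labels = re.split(r"[.-]", prefix)
    for legit in LEGIT_DOMAINS:
        if fold_confusables(reg) == legit:          # tvvitter.com
            return "lookalike"
        if levenshtein(reg, legit) <= 2:            # twittter.com
            return "lookalike"
        brand = legit.split(".")[0]
        if legit in prefix or legit.replace(".", "-") in prefix \
                or brand in prefix_labels:          # brand used as subdomain
            return "lookalike"
    return "unrelated"


def extract_domains(text):
    """Host names from every URL and email address in the text."""
    found = set()
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname
        if host:
            found.add(host.lower())
    for host in EMAIL_RE.findall(text):
        found.add(host.lower())
    return found


def audit_email(text):
    """Map each domain in the message to its classification."""
    return {d: classify_domain(d) for d in extract_domains(text)}


def lookalikes(text):
    """Just the domains that impersonate a trusted one."""
    return [d for d, c in audit_email(text).items() if c == "lookalike"]


# Constructed sample message; not a real email.
SAMPLE_EMAIL = """\
From: Twitter Support <security@twittter.com>
Subject: Unusual sign-in attempt on your account
We noticed a login from a new device. Confirm it was you:
https://twitter-com.verify-login.example/confirm?u=britisharmy
Need help? Visit https://help.twitter.com/safety
"""

if __name__ == "__main__":
    for domain, verdict in sorted(audit_email(SAMPLE_EMAIL).items()):
        print(f"{verdict:10} {domain}")
```

Run against the constructed sample, the sender domain and the first link are reported as lookalikes while the genuine help link is marked legit. The edit-distance threshold of 2 is deliberately loose; against very short trusted domains it would produce false positives, so tune it per allowlist entry in real use.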