Indian Medical Association Twitter Compromised

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Twitter

The Indian Medical Association Twitter account was breached, with the attacker rebranding it to look like Elon Musk and offering a cryptocurrency giveaway. This was a standard giveaway scam that promised to return 10 times the amount sent in; no funds were ever sent back to victims. It is believed that nothing was recovered for those affected, who lost 5.75 bitcoins (~$274k USD) in total.

About Twitter

"The Indian Medical Association, with over 334,000 members, is a national voluntary organization of physicians in India. The Indian Council of World Affairs is the country's first independent international affairs think tank. And Mann Deshi Bank is a cooperative bank that aims to financially empower rural women in the country."

"The first fraudulent post following the account takeover of the Indian Medical Association appeared at 0155 hours, Indian Standard Time. The hacker, posing as Elon Musk, wrote: "We here at Tesla HQ came up with a nice idea: to hold a special airdrop event of 5000 BTC for all crypto fans!""

"This was followed by hundreds of positive tweets being posted every other second - each one egging users to click on a Telegram link advertising giveaways of Bitcoins, Ether, Dogecoins and Shiba Inu coins."

"To entice users to send bitcoins, the scammers created fake discussion threads that show people earning 10 times the invested amount in 10 minutes."

"Dua tells Information Security Media Group that the IMA's Twitter account is locked and the association has not been able to regain access. He says it has made a request to unlock the account but has not received a response."

"Dua says the IMA received a message from Twitter informing it that the account was locked when Twitter detected suspicious activity. Three or four people in the IMA had access to the password of its official Twitter account, according to Dua."

"Tweets on these accounts were found to post content promoting cryptocurrency. The Elon Musk name was added using special characters, instead of actual text, and with ICWA, IMA and Mann Deshi Mahila Bank accounts being verified, anyone could have been easily fooled by this."


The Reality

"Twitter Accounts of the Indian Medical Association, the Indian Council of World Affairs and Mann Deshi Mahila Bank were hacked last night, with the account being renamed as Elon Musk to lure people into fake crypto traps calling them gifts, stating “LOVE YOU GUYS!! MY GlFT HERE!!”."


The India Times reports that the Twitter accounts of the Indian Medical Association (IMA), the Indian Council of World Affairs (ICWA), and Mann Deshi Mahila Bank were hacked[1]. The hackers changed the account names to "Elon Musk" and posted tweets promoting cryptocurrency, luring users into fake crypto schemes. The special character manipulation made the hacked accounts appear legitimate due to their verified status. The breach might have occurred due to compromised passwords or someone clicking on malicious links granting unauthorized access. Although the Elon Musk names have been removed, the hackers continue to post fake crypto content and engage with users. The incident was compared to the recent Twitter hack that affected verified accounts like Elon Musk, Barack Obama, and Apple and the recent hacking of Prime Minister Modi's account, which similarly featured cryptocurrency-related posts after his public statements on the subject. The cybersecurity arm of India's Ministry of Electronics and Information Technology, CERT-In, is investigating.
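
Because the hijacked accounts were verified, a display name that merely looked like "Elon Musk" was enough to fool readers. The following is an added example, not code from the original page or from any of the cited outlets: a defender-side check that reduces a display name to a comparable skeleton (NFKC folding of fullwidth and styled letters, casefolding, accent and emoji stripping, a small confusable map) and flags profiles whose name matches a protected name while the handle is not one of that name's legitimate accounts. The confusable table, the protected-handle list (the handle elonmusk is assumed) and the sample profiles are constructed for the example.

```python
import unicodedata

# Constructed confusable table (small subset, not full Unicode TR39 data), keyed after casefolding.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0131": "i",  # dotless i
    "\u03bf": "o",  # Greek omicron
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u04cf": "l",  # Cyrillic palochka
}

# Protected names -> legitimate handles (handle assumed for this example, not from the page).
PROTECTED = {"Elon Musk": {"elonmusk"}}

def skeleton(name):
    """Comparable form of a display name: NFKC-fold fullwidth/styled letters,
    casefold, drop accents/emoji/punctuation, map confusables to Latin."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    out = []
    for ch in unicodedata.normalize("NFD", folded):
        if unicodedata.combining(ch):
            continue  # accent mark split off by NFD
        ch = CONFUSABLES.get(ch, ch)
        if ch.isalnum():
            out.append(ch)
    return "".join(out)

def impersonation_risk(display_name, handle):
    """Protected name that display_name imitates, or None when it does not
    match or when the handle is one of that name's legitimate accounts."""
    sk, owner = skeleton(display_name), handle.lower().lstrip("@")
    for brand, handles in PROTECTED.items():
        if sk == skeleton(brand) and owner not in handles:
            return brand
    return None

def flag_profiles(profiles):
    """The (display_name, handle) pairs that look like impersonation."""
    return [(n, h) for n, h in profiles if impersonation_risk(n, h)]

# Constructed sample profiles modelled on the incident: the verified org
# handles named on the page, renamed with lookalike "Elon Musk" names.
SAMPLE_PROFILES = [
    ("Elon Musk", "@elonmusk"),                      # legitimate (assumed)
    ("E1on Musk", "@IMAIndiaOrg"),                   # digit 1 for letter l
    ("\u0415lon Musk \U0001F381", "@ICWA_NewDelhi"), # Cyrillic E + gift emoji
    ("\uff25\uff4c\uff4f\uff4e \uff2d\uff55\uff53\uff4b", "@MannDeshiOrg"),  # fullwidth
    ("Indian Medical Association", "@IMAIndiaOrg"),  # untouched org name
]
```

Running flag_profiles(SAMPLE_PROFILES) flags the three renamed organisation accounts and leaves the legitimate account and the untouched organisation name alone.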

India Today reports that the Twitter accounts of the Indian Council of World Affairs (ICWA), Indian Medical Association (IMA), and Mann Deshi Mahila Bank were hacked, with the hackers changing the account name to 'Elon Musk'. The compromised accounts posted tweets promoting cryptocurrency, similar to a previous incident involving Prime Minister Narendra Modi's hacked account. The breach could have occurred due to compromised passwords or clicking on malicious links. While the ICWA account was restored, the IMA and Mann Deshi Mahila Bank accounts still display malicious tweets. The matter is under investigation by CERT-IN, the IT security group of the Ministry of Electronics and Information Technology[2].


On January 3, 2022, the official Twitter accounts of the Indian Medical Association (@IMAIndiaOrg), Indian Council of World Affairs (@ICWA_NewDelhi), and Mann Deshi Bank (@MannDeshiOrg) were compromised in a series of cryptocurrency-related hacks. The Indian Medical Association is a national organization of physicians in India, the Indian Council of World Affairs is an independent international affairs think tank, and Mann Deshi Bank is a cooperative bank empowering rural women.[3]

Yogesh Dua, a member of the team managing IMA's social media, confirmed that the IMA's Twitter account was hacked. The account was locked, and efforts to regain access have not been successful. A suspicious activity alert from Twitter triggered the lock. Dua noted that three or four individuals within IMA had access to the account password.[3]

While it's unclear whether the other compromises resulted from hacks or compromised passwords, all three accounts were targeted by the same attacker, with crypto scam content posted. Only the Indian Council of World Affairs' Twitter account managed to delete the fraudulent content.[3]

The scam began with a fake post from the hijacked Indian Medical Association account, claiming to be from Elon Musk and announcing a crypto giveaway event. Positive tweets and a Telegram link for cryptocurrency giveaways followed. The scam required potential victims to send bitcoins to a specific address, promising a larger amount in return.[3]

Though the giveaway tweets were obviously fraudulent, some victims sent bitcoins to the scammers' address. The incident emphasizes the need for strong password management, multifactor authentication, and proper access controls for social media accounts to prevent such breaches[3].


What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Indian Medical Association Twitter Compromised

Date | Event | Description
January 2nd, 2022 7:15:00 PM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
January 2nd, 2022 12:07:04 PM MST | India Today Article | India Today reports that the Twitter accounts of the Indian Council of World Affairs (ICWA), Indian Medical Association (IMA), and Mann Deshi Mahila Bank were hacked, with the hackers changing the account name to 'Elon Musk'. The compromised accounts posted tweets promoting cryptocurrency, similar to a previous incident involving Prime Minister Narendra Modi's hacked account. The breach could have occurred due to compromised passwords or clicking on malicious links. While the ICWA account was restored, the IMA and Mann Deshi Mahila Bank accounts still display malicious tweets. The matter is under investigation by CERT-IN, the IT security group of the Ministry of Electronics and Information Technology[2].
January 2nd, 2022 10:46:42 PM MST | India Times Article | The India Times reports that the Twitter accounts of the Indian Medical Association (IMA), the Indian Council of World Affairs (ICWA), and Mann Deshi Mahila Bank were hacked[1]. The hackers changed the account names to "Elon Musk" and posted tweets promoting cryptocurrency, luring users into fake crypto schemes. The special character manipulation made the hacked accounts appear legitimate due to their verified status. The breach might have occurred due to compromised passwords or someone clicking on malicious links granting unauthorized access. Although the Elon Musk names have been removed, the hackers continue to post fake crypto content and engage with users. The incident was compared to the recent Twitter hack that affected verified accounts like Elon Musk, Barack Obama, and Apple and the recent hacking of Prime Minister Modi's account, which similarly featured cryptocurrency-related posts after his public statements on the subject. The cybersecurity arm of India's Ministry of Electronics and Information Technology, CERT-In, is investigating.
January 3rd, 2022 | Data Breach Today Article | Data Breach Today reports that the official Twitter accounts of the Indian Medical Association (@IMAIndiaOrg), Indian Council of World Affairs (@ICWA_NewDelhi), and Mann Deshi Bank (@MannDeshiOrg) were compromised in a series of cryptocurrency-related hacks. The Indian Medical Association is a national organization of physicians in India, the Indian Council of World Affairs is an independent international affairs think tank, and Mann Deshi Bank is a cooperative bank empowering rural women[3].

Technical Details

TBD

Total Amount Lost

"Although it is evident that the tweets promising bitcoin giveaways on the three targeted Twitter accounts were phony - "Elon Musk" is misspelled, and there is a gray tick in place of a blue tick - blockchain analytics site Blockchair shows that 31 victims sent a total of 5.75 bitcoins, or $273,848, to the fraudulent Bitcoin address."


The total amount lost has been estimated at $274,000 USD.

Immediate Reactions

TBD

Ultimate Outcome

"At the time of writing this, both IMA and ICWA accounts no longer have the Elon Musk name or photo on them. However, the bad actors have bombarded the accounts with fake crypto tweets, and have even commented on Elon Musk’s posts to lure people. It looks like it will take some time for the accounts to go back to their original state."


"ISMG could not determine if the incidents of account compromise at the Indian Council of World Affairs and Mann Deshi Bank were the result of a hack or a case of compromised passwords, but it appears that all three Twitter accounts were targeted by the same bad actor, as a series of crypto scam content appeared on all three accounts." "CERT-IN, the IT security group of the Ministry of Electronics and Information Technology, is looking into the matter."


"Sandip Kumar Panda, CEO and co-founder of Indian cybersecurity firm InstaSafe, tells ISMG that organizations are not paying enough attention to password management using multifactor authentication. "This is what happens when two or three people managing social media accounts gave access to the same password. And in all probability, the password might have been 'Welcome123.' Even script kiddies can crack easy passwords with brute-force attacks," he says."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

Any entity claiming to be Elon Musk requires a high degree of scrutiny. Any entity claiming to send back more funds than you sent to them requires an even higher degree of scrutiny. While the hijacked Twitter accounts showed a verified checkmark, a large following, and the same profile photo and display name as Elon Musk, the actual usernames and profile pages were different. While the scam landing page showed a supposed blockchain preview of funds, such a preview can easily be checked against the real blockchain and shown to be fake.

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to check whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they are promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the possibility that your money is kept and nothing is delivered in return?

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Increased user education can help users avoid these common scams. An industry insurance fund can provide some assistance for users who are affected.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Increased user education can help users avoid these common scams. An industry insurance fund can provide some assistance for users who are affected.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References