Google-owned security firm Mandiant spent several hours trying to regain control of its account on X (formerly known as Twitter) on Wednesday after an unknown scammer hijacked it and used it to spread a link that attempted to steal cryptocurrency from people who clicked on it.
“We are aware of the incident impacting the Mandiant X account and are working to resolve the issue,” company officials wrote in a statement. “We’ve since regained control over the account and are currently working on restoring it.” The statement didn’t answer questions about whether the company had determined how the account was compromised.
The hacked Mandiant account was initially used to masquerade as one belonging to Phantom, a company that offers a wallet for storing cryptocurrency. Posts on X encouraged people to visit a malicious website to see if their wallet was one of 250,000 that were eligible for an award of tokens. Over several hours, X employees played tug-of-war with the unknown scammer, with scam posts being removed only to reappear, according to people who followed the events.
Eventually, the scammer changed the @mandiant username and reappeared under a new username. After using the account to promote a fake website impersonating Phantom and promising free tokens, it posted the cryptic message: “check bookmarks when you get account back.” It also chided Mandiant to “change password please.”
At the time this post went live on Ars, the Mandiant profile displayed the message “This account doesn’t exist.”
Mandiant is one of the leading security companies and best known for helping clients investigate and recover from major network compromises. That vantage point gives it major insights into threat actors, many of them backed by nation-states, and the often previously unknown tactics, techniques, and procedures they use to compromise the security of some of the world’s most powerful and well-resourced organizations. Google purchased Mandiant in 2022 for $5.4 billion, which, at the time, was its second-biggest acquisition ever.
Many questions remain about Mandiant’s measures to secure its X account. Among them: Was it protected by a strong password and any form of two-factor authentication? Last month, someone claimed to have discovered the social media site was vulnerable to a “reflected XSS,” a type of vulnerability that can sometimes be used to compromise the security of accounts when a legitimate user currently logged in clicks on a malicious link in a different browser tab. The user said they reported the vulnerability through legitimate channels but that the submission didn’t qualify under the X bug bounty program.
“Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.),” Chaofan Shou, a University of California at Berkeley Ph.D. candidate, wrote last month.
Attempts to reach Phantom for comment were unsuccessful.