How an Adelson Newspaper's Tweet Almost Made World Markets Crash

The hacked account of Israel Hayom claimed U.S. President Donald Trump had transferred power to VP Mike Pence – and revealed a massive cybersecurity blind spot, not for the first time this year

Omer Benjakob
Send in e-mailSend in e-mail
U.S. President Donald Trump standing alongside Sheldon Adelson before delivering remarks at the Israeli American Council National Summit in Hollywood, Florida, December 7, 2019.
U.S. President Donald Trump standing alongside Sheldon Adelson before delivering remarks at the Israeli American Council National Summit in Hollywood, Florida, December 7, 2019.Credit: LOREN ELLIOTT/REUTERS
Omer Benjakob

“Breaking: President Trump has transferred power to VP Pence via a written declaration before being transferred to the ICU in Walter Reed Hospital, according to officials in Israel [sic] embassy in Washington.” This fake tweet, posted from the English-language account of Sheldon Adelson’s Israel Hayom newspaper this week, sent shock waves across the media world. 

As the pro-Netanyahu paper is considered very close to the Trump administration, news that the Israeli Embassy had seemingly gotten wind of a deterioration in Trump’s condition sent journalists worldwide on a wild-goose chase – before the tweet was revealed to be a fraud. The newspaper later stated that its account was hacked. 

The incident was the latest in a string of hacks targeting prominent social media accounts, highlighting a massive blind spot in cybersecurity – one with potentially massive geopolitical and financial implications.

“This kind of incident reflects how fragile our Twitter-driven news system is,” said Omri Segev Moyal, who heads Israeli cybersecurity firm Profero.

“Only in mid-July, we witnessed firsthand how easy it was for a group of teenagers to hack Twitter’s internal system to gain access to and spread a simple Bitcoin scam,” he added.

Segev Moyal was referring to the large hack of over 130 Twitter accounts, including those of former President Barack Obama, Kanye West, Elon Musk and Bill Gates.

The attacker was eventually revealed to be Graham Ivan Clark, a 17-year-old teenage boy from Florida who used the online alias Kirk. Clark reportedly used what is called a “spearphishing attack” to ensnare Twitter. 

Phishing attacks dupe users into providing their own information – for example, by creating a fake log-in screen in which users inadvertently provide hackers with their log-in details. This was the technique used to gain access to Hillary Clinton’s email trove in 2015, for instance.

In this summer’s case, Clark actually managed to take advantage of Twitter’s mobile phone log-in system to attain administrator status, which gave him access to any account on Twitter. 

Graham Ivan Clark, 17, posing for a booking photo at Hillsborough County Jail in Tampa, Florida, U.S. July 31, 2020.
Graham Ivan Clark, 17, posing for a booking photo at Hillsborough County Jail in Tampa, Florida, U.S. July 31, 2020.Credit: Hillsborough County Sheriff's Office/Handout via REUTERS

The young hacker reportedly made over $100,000 in the cryptocurrency scam, highlighting how financially lucrative access to such accounts can be.

However, when it comes to issues of politics and defense, the outcome could be even more severe.

“Imagine if that was a targeted attack by a nation-state or financially motivated group with more resources to spread the news, for example, about a nuclear missile launch or that China is attacking Taiwan?” Segev Moyal said.

Such incidents have actually happened. In 2013, the Syrian Electronic Army – a hacker group linked to Syrian rebels – used a phishing scam to hack the Associated Press’ Twitter account and tweet: “Breaking: Two explosions in the White House and Barack Obama is injured.” 

As one of the most widely respected and syndicated news services in the world, the AP tweet caused the New York Stock Market to tumble 150 points in three minutes before restabilizing. According to one Bloomberg reporter, the “fake tweet erased $136 billion.”

A few months prior, another hack attributed to the group pushed out false reports that Syrian dictator Bashar Assad had died, causing oil prices to rise.

According to Segev Moyal, while most institutions defend their websites and internal systems with cybersecurity defenses, social media remains exposed. “Our social presence and branding should be considered as a critical point of attack and should be treated accordingly,” he said.

The cybersecurity expert added that it’s hard to know who hacked Israel Hayom’s Twitter account – or how – but said there are precautions that can be taken. “Everyone’s account must be protected with two-factor authentication, and passwords should be changed often,” he said.

Moreover, when multiple users operate a single brand account, as is the case with most media outlets, he suggested not sharing passwords within the organization. Instead, he said, “We recommend using social media platforms such as Hootsuite or TweetDeck, which only allow users the minimal access required.”

Though July’s attack actually targeted Twitter’s infrastructure, Segev Moyal said organizations can protect themselves by buying “anti-phishing attack products or regularly conducting employee-awareness tests that can improve organizations’ resiliency and prevent them from having a similar article to this one written about them.”

Ran Bar-Zik, who writes about cybersecurity for Haaretz and works for Verizon Media, said every journalist or newspaper’s official social media account should be considered a potential target.

“The posts or tweets made from a distinguished news outlet can create havoc and mayhem on the local or even global level,” he said. “In the past, we saw unknown foreign actors forging news articles in an attempt to interfere with Israeli politics. Fake Twitter accounts and sites tried to frame [Israeli politician] Avigdor Lieberman and even Prime Minister Benjamin Netanyahu’s son, Yair.

“Those attempts were thwarted because journalists and people noticed the sites were fakes,” he continued. “But if the attackers had access to a real newspaper’s Twitter account, the damage could be much worse.”

Comments