Elon Musk’s proposed first step after acquiring Twitter seems counterproductive, at least from a security standpoint. A plan for the platform to charge users a monthly fee to keep their verified accounts, which confirm that an account holder is a public figure or entity and earn the coveted blue checkmark next to the account name, has sparked a phishing campaign designed to take advantage of the controversy surrounding the move.
Many Twitter users reported receiving phishing emails that attempted to trick them into providing credentials, using the lure that they would otherwise lose their verified status. According to users, the scam was carried out through a Google Doc that looked like a Twitter help page.
On Monday, some of those targeted took to Twitter to warn others, including two reporters: TechCrunch’s security editor Zack Whittaker and NBC News’ Kevin Collier.
“Twitter’s ongoing verification mess is now a cybersecurity concern,” Whittaker tweeted, followed by a report on the scam on TechCrunch. “It looks like some people (including our newsroom) are getting crude phishing emails trying to trick people into handing over their Twitter credentials.”
Collier reported that the emails he received were “apparently overshadowed by Outlook’s strong protections,” although he wasn’t fooled himself. “Didn’t get me, but I bet it would get someone,” Collier wrote in the post.
According to screenshots posted by Whittaker and Collier, the email was sent from the Gmail account twittercontactcenter[at]gmail.com, which Collier said was a “dead giveaway” that it was fake. It warned targeted users that “after November 2, 2022, the verification badge for some users will be $19.99 per month” and that Twitter is currently unable to verify certain “celebrities or well-known people.”
The email goes on to tell targets that they need to confirm who they are in order to receive a verification badge “for free,” and provides a “Provide Info” button and a “Help Center” link to learn about the rules of the updated verification program.
According to Whittaker’s report, clicking the button opens a Google Doc containing another link, this one to a page on Google’s service for hosting user web content. The phishing page itself was designed to look like a Twitter help page and contained an embedded frame from another site, hosted by Russian web hosting provider Beget, the report said.
The page asks users to provide their Twitter username, password and phone number, which could allow attackers to break into accounts that do not have two-factor authentication enabled.
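As an added defender-side illustration (not code from the article or from any of the firms quoted), the following Python heuristic flags the pattern described above: a Twitter lure sent from a consumer webmail address whose links lead to user-hosted content on a trusted service rather than to the brand’s own domain. The two sample messages are constructed from the details reported above; the domain lists and lure phrases are assumptions, and the checker assumes single-part text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics modelled on the campaign described above: brand lure from consumer webmail,
# links to user-hosted content on a trusted service, and a loss/urgency hook about the badge.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}  # assumed list
BRAND_DOMAINS = {"twitter.com", "help.twitter.com"}  # assumed list
HOSTED_CONTENT_DOMAINS = {"docs.google.com", "sites.google.com", "drive.google.com"}  # assumed
LURE_PHRASES = ("verification badge", "blue checkmark", "verified status", "per month")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

# Constructed sample modelled on the screenshots described above (not a real message).
PHISH_SAMPLE = """From: Twitter Support <twittercontactcenter@gmail.com>
Subject: Action required: your verification badge
Content-Type: text/plain; charset=utf-8

After November 2, 2022, the verification badge for some users will be $19.99 per month.
Twitter is currently unable to verify certain celebrities or well-known people.
Confirm your identity to keep the badge for free: https://docs.google.com/document/d/EXAMPLE-ID
"""

# Constructed benign sample: a notification sent from the brand's own domain.
BENIGN_SAMPLE = """From: Twitter <no-reply@twitter.com>
Subject: New login to your account
Content-Type: text/plain; charset=utf-8

There was a login to your Twitter account from a new device.
Review it here: https://help.twitter.com/safety-and-security
"""

def flag_verification_lure(raw_email: str) -> list[str]:
    """Return the reasons a single-part text message matches the lure; empty list if none."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    link_hosts = set(URL_HOST_RE.findall(text))
    mentions_brand = "twitter" in text
    reasons = []
    if mentions_brand and sender_domain in FREEMAIL_DOMAINS:
        reasons.append(f"brand lure sent from consumer webmail domain {sender_domain}")
    if mentions_brand and link_hosts and not (link_hosts & BRAND_DOMAINS):
        reasons.append("no link points to the brand's own domain")
    if link_hosts & HOSTED_CONTENT_DOMAINS:
        reasons.append("link leads to user-hosted content on a trusted service")
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("loss/urgency lure about the verification badge or a monthly fee")
    return reasons
```

Run against the constructed phishing sample the function returns all four reasons, and against the benign notification it returns none.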
To mitigate the damage from the campaign, Google moved quickly to take down the phishing site shortly after TechCrunch warned the company, Whittaker wrote.
Taking advantage of disputes
Security experts point out that it’s not surprising that threat actors are taking advantage of the current commotion surrounding Twitter. Patrick Harr, CEO of anti-phishing firm SlashNext, wrote in an email to Dark Reading that exploiting controversial situations that elicit emotional responses not only creates opportunities for cybercrime but also increases the chance that a phishing campaign succeeds.
“These types of social engineering phishing attempts are very effective because they exploit emotion and incite immediate action,” he said. “Before victims have time to think about whether this is phishing, they act quickly.”
Security experts point out that the obfuscation tactics used in the campaign also make it easier to evade threat detection engines, which may not flag links to a trusted service such as Google Docs; at least in Collier’s case, that is exactly what happened.
In fact, the campaign’s ability to bypass email scanners underscores why it is so important for people to be vigilant when receiving emails from unknown sources and to protect all of their accounts with multi-factor authentication (MFA) and other security layers, observed Joseph Carson, chief security scientist and advisory CISO at privileged access management (PAM) provider Delinea.
In an email to Dark Reading, he advised: “Make sure you always use MFA and a password manager that creates strong, unique passwords for each account, and never provide personal information or credential details on a website without first verifying its authenticity.”
For his part, Musk appeared to confirm in a tweet on Tuesday that implementing the controversial verification fee would be a priority — news that first appeared in a report in The Verge on Monday.
However, after some verified account holders said they would leave rather than pay the reported $20 monthly fee for their blue checkmark, including well-known users such as author Stephen King, Musk suggested lowering the price.
“Twitter’s current lords and peasants system for who has or doesn’t have a blue checkmark is bull****,” he tweeted. “People Power! Blue is $8 a month.”
Musk’s acquisition of Twitter for $44 billion, after months of highly publicized back-and-forth between the company and Tesla’s billionaire founder, has drawn jeers from the platform’s celebrity users, some of whom have told followers they are closing their accounts.
Security experts have observed that the verification failures happening now are just adding fuel to the fire, feeding a growing controversy that may be music to the ears of threat actors who thrive on social, political and economic conflict as an opportunity to commit cybercrime.
“Cybercriminals have long exploited turbulent situations for personal gain, especially newsworthy current events,” noted Darren Guccione, CEO and co-founder of Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. “The recent Twitter acquisition and turmoil are the latest example.”