Over the past weeks, Elon Musk’s purchase of Twitter has drawn the attention of people worldwide, even those who are not using the platform.
One of the many ideas Musk had while purchasing Twitter was to let any user pay $8 per month and receive the blue check mark. Until then, only accounts that Twitter itself had verified (celebrities, companies, and journalists) received the mark, which made it a useful signal against fraud and impersonation.
The idea that anyone can pay a small amount and get the mark appeals to many people, but also to threat actors and fraudsters worldwide.
As expected, threat actors used this option to open fake accounts impersonating large companies and celebrities, using them to lure victims into downloading malicious content or to seed phishing campaigns.
One of the most impersonated profiles on Twitter was, obviously, Twitter.
Multiple campaigns were observed in which threat actors impersonated the platform's official profile, with the fake profiles advertising fake cryptocurrency and NFT campaigns (Figure 1).
These posts serve as the delivery stage of a further phishing flow that lures the victim into submitting their crypto wallet credentials, which eventually leads to the theft of the currencies and NFTs the victim owns.
As mentioned, the new feature led to many fake profiles, but it also provided ammunition for malspam campaigners.
Threat actors also used the new feature to target journalists, masquerading as a Twitter support team that demands payment for the badge or asks them to "verify" their account by logging in.
These emails lead to a fake Twitter login page that exfiltrates the victim’s credentials (Figure 2).
One of the victims of this impersonation was Eli Lilly & Company, the American pharmaceutical company.
A fake account that had purchased the badge announced, in the company's name, that insulin would from now on be free (Figure 3).
Whether it was an innocent hoax or a malicious act, the spread of this fake announcement hit the company's stock price, which dropped significantly (Figure 4).
Although these campaigns were mainly run by fraudsters, it is fairly predictable that the same techniques will appear in more "serious" campaigns by hacktivists and even ransomware groups.
More advanced threat actors have already been observed seeking to buy fake Twitter accounts in bulk for social engineering purposes (Figure 5).
Twitter quickly understood the problem the feature caused and decided to add a gray "Official" label to prominent profiles such as Elon Musk, Coca-Cola and Amazon.
Because the gray label is assigned by Twitter rather than purchased, it removes the possibility of impersonating such a profile merely by buying the blue badge, and it helps us distinguish profiles approved by Twitter from profiles that purchased their badge.
This case is no different from any phishing or fraudulent email out there. What is notable is that once again, the cybercrime industry shows us how agile and adaptable it is.
- Like other phishing and fraud campaigns, the key to protecting ourselves from this type of threat is awareness. Once we "know the enemy" and understand its methods, we can anticipate these techniques and prepare ourselves to react properly.
- Overall vigilance is also recommended in this case. Any email we receive, especially one claiming to come from Twitter, that requests our credentials should raise suspicion, and we should look closely at details that may be inauthentic, such as the sender's address and any Reply-To address, the actual domain behind the login link, typos, and a sense of urgency.
- Although Twitter's gray label is a partial mitigation, many influencers and public figures who are not verified by Twitter still carry the blue badge, and these are the accounts most likely to be impersonated. Extra care is recommended with these accounts.
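As an added illustration of the checks recommended above (this is not code from the original article), the following Python script applies a few heuristics to a raw "Twitter support" email of the kind described earlier: a display name claiming Twitter while the sending domain is something else, a Reply-To routed to a third-party domain, a login link whose host merely contains the brand name, and pressure phrases. It assumes plain-text mail and that twitter.com is the only domain genuine Twitter mail and login links should use; the two messages at the bottom are constructed samples, not real captures.

```python
# Added example (not from the original article): heuristic checks for a
# "Twitter support" credential-phishing email.
# Assumptions: plain-text messages only, and twitter.com is the only domain
# that genuine Twitter mail and login links should use. The two messages at
# the bottom are constructed samples, not real captures.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"twitter.com"}          # assumption, see above
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "will be suspended",
    "verify your account", "payment is required",
)


def mail_domain(addr):
    """Domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Crude registrable domain: the last two labels. Enough to tell
    twitter.com from twitter.com.verify-badge.net (-> verify-badge.net)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = mail_domain(addr)
    # Display-name spoofing: the name says Twitter, the sending domain does not.
    if "twitter" in name.lower() and registrable(from_dom) not in TRUSTED_DOMAINS:
        findings.append(f"display name claims Twitter but sender domain is {from_dom}")

    # Replies silently routed to a third party.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and mail_domain(reply) != from_dom:
        findings.append(f"Reply-To domain {mail_domain(reply)} differs from From domain {from_dom}")

    body = msg.get_payload() if not msg.is_multipart() else ""  # assumption: plain text only
    # Lookalike login links: the brand appears in the host, but the registrable domain is not trusted.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if "twitter" in host and registrable(host) not in TRUSTED_DOMAINS:
            findings.append(f"lookalike link host {host} (registrable domain {registrable(host)})")

    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency/pressure phrases: " + ", ".join(hits))
    return findings


# Constructed samples (not real messages).
PHISH = """From: Twitter Support <support@twitter-verify-badge.com>
Reply-To: billing@pay-checkmark.net
Subject: Action required: your blue badge
Content-Type: text/plain

Your blue checkmark will be suspended within 24 hours unless you verify your account.
Log in here to keep it: https://twitter.com.verify-badge.net/login
"""

LEGIT = """From: Twitter <info@twitter.com>
Subject: Your weekly summary
Content-Type: text/plain

Here is what happened this week on Twitter: https://twitter.com/i/notifications
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

The subdomain trick in the sample link (twitter.com.verify-badge.net) is why the check looks at the registrable domain rather than at whether the host starts with twitter.com; a real deployment would swap the two-label heuristic for a public-suffix list and handle multipart and HTML bodies.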