
Research

Twitter’s New Verified Badge Causes Security Issues

Executive Summary

Over the past weeks, Elon Musk’s purchase of Twitter has drawn the attention of people worldwide, even those who are not using the platform.

One of the many ideas Musk had while purchasing Twitter was to allow users to pay $8 per month and receive the blue check mark. Until this decision, only celebrities, companies, and journalists verified by Twitter received the mark, and it helped fight fraud and identity theft incidents.

The idea that you can pay a minimal amount and get the mark appeals to many people, but also to threat actors and fraudsters worldwide.

As expected, threat actors used this option to open fake accounts of big companies and celebrities worldwide, with the aim of manipulating victims into downloading malicious content or of running phishing campaigns.

Incidents

Twitter Impersonation

One of the most impersonated profiles on Twitter was, obviously, Twitter.

Multiple campaigns of threat actors impersonating the platform’s official profile were witnessed, with the fake profiles advertising fake cryptocurrency and NFT campaigns (Figure 1).

Figure 1: Fake Twitter profile with a purchased badge.

These campaigns act as a delivery method for further phishing, luring the victim into submitting their crypto wallet credentials, which eventually leads to theft of the currencies and NFTs owned by the victim.

Fraud Emails

As mentioned, this new feature led to many fake profiles, but it also provided ammunition and good leverage for malspam campaigners.

Threat actors also used the new feature to compromise and lure journalists, masquerading as a Twitter support team that demands payment for the badge or asks them to “verify” their account by logging in to it.

These emails lead to a fake Twitter login page that exfiltrates the victim’s credentials (Figure 2).

Figure 2: Phishing email sent to journalists

Commercial Damage

One of the victims of these campaigns is Eli Lilly & Company, the American pharmaceutical company.

A fake account of the company, which had purchased the badge, announced in the company’s name that from now on insulin is free (Figure 3).

Figure 3: Eli Lilly and Company fake announcement

Whether it was an innocent hoax or a malicious act, spreading this fake announcement hit the stock price, which went down significantly (Figure 4).

Figure 4: Eli Lilly and Company stock price after the fake announcement

Although these campaigns were mainly utilized by fraudsters, it is fairly predictable that these techniques will become part of more “serious” campaigns by hacktivists and even ransomware groups.

More advanced threat actors were already witnessed looking to buy fake Twitter accounts in bulk for social engineering purposes (Figure 5).

Figure 5: Threat actor announcing on an underground forum that he is looking to buy Twitter accounts with the blue badge

Twitter Mitigation

As Twitter quickly understood the problem this feature caused, it decided to add the gray “Official” label to prominent profiles such as Elon Musk, Coca-Cola and Amazon.

The grey label removes the possibility of impersonating an account simply by buying the blue badge, and helps us distinguish which profile was approved by Twitter and which profile purchased its badge.

Recommendations

This case is no different from any other phishing or fraudulent email campaign out there. What is notable is that, once again, the cybercrime industry shows us how agile and adaptable it is.

  • Like other phishing and fraud campaigns, the key to securing ourselves from this type of threat is awareness. Once we are able to “know the enemy” and understand its methods, we can anticipate these techniques and prepare ourselves to react properly.
  • Overall vigilance is also recommended in this case. Any email that we receive, especially one that appears to come from Twitter, that requests our credentials should raise our suspicions, and we should look closely at unusual details that might seem inauthentic, such as the sender’s email address, typos, a sense of urgency, etc.
  • Although Twitter provided somewhat of a mitigation, there are still many influencers and known figures who are not verified by Twitter but still have the blue badge, and these are the ones most likely to be impersonated. It is highly recommended to be extra careful with these accounts.
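One way to turn the second recommendation into a repeatable check, as an added example that is not part of Cyberint’s report: a small Python triage script that parses an email and flags the indicators the report names (a sender that claims to be Twitter but writes from an unrelated domain, a mismatched Reply-To, urgency wording, requests for credentials or badge payment, and links to hosts outside the trusted domain). The trusted-domain allow-list, the phrase lists and the two-indicator threshold are assumptions chosen for illustration, and both sample messages are constructed rather than taken from the campaigns described above.

```python
"""Heuristic triage of emails that claim to come from Twitter support.

Added example: the sender allow-list, keyword lists and threshold below are
assumptions for illustration, not values from the report or from Twitter.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains from which legitimate Twitter mail arrives.
TRUSTED_SENDER_DOMAINS = {"twitter.com"}

# Phrase lists (assumed) mirroring the lures described in the report:
# a sense of urgency, a request to log in / "verify", and payment for the badge.
URGENCY_PHRASES = ("within 24 hours", "immediately", "suspended", "final notice", "act now")
CREDENTIAL_PHRASES = ("log in to your account", "enter your password",
                      "verify your account", "confirm your credentials")
PAYMENT_PHRASES = ("payment", "pay for the badge", "$8")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real phishing samples).
PHISHING_SAMPLE = """From: Twitter Support <support@twitter-verification-team.example>
Reply-To: helpdesk@mail-verify.example
To: reporter@newsroom.example
Subject: Action required: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Your blue badge requires payment. Log in to your account at
http://twitter-verification-team.example/login to verify your account,
or it will be suspended.
"""

LEGITIMATE_SAMPLE = """From: Twitter <notify@twitter.com>
To: reporter@newsroom.example
Subject: Your weekly summary
Content-Type: text/plain; charset="utf-8"

Here is what happened this week. Visit https://twitter.com/home to see more.
"""


def _domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_trusted_host(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SENDER_DOMAINS)


def analyze_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return a verdict plus the indicators found."""
    msg = message_from_string(raw, policy=default)
    indicators = []

    # 1. Display name or address mentions Twitter, but the domain is not trusted.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    if "twitter" in (display_name + from_addr).lower() and not _is_trusted_host(from_domain):
        indicators.append(f"sender claims to be Twitter but writes from {from_domain!r}")

    # 2. Reply-To routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != from_domain:
        indicators.append(f"Reply-To domain {_domain_of(reply_to)!r} differs from sender domain")

    # 3-5. Lure wording in subject and body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else ""))
    lowered = text.lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        indicators.append("urgency wording")
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        indicators.append("asks the reader to log in / verify the account")
    if any(p in lowered for p in PAYMENT_PHRASES):
        indicators.append("asks for payment for the badge")

    # 6. Links that do not point at a trusted host.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not _is_trusted_host(host):
            indicators.append(f"link points to untrusted host {host!r}")

    verdict = "suspicious" if len(indicators) >= 2 else "clean"  # assumed threshold
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        result = analyze_message(sample)
        print(f"{label}: {result['verdict']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

The script is deliberately conservative: any single indicator can occur in legitimate mail, so only the combination of two or more raises the verdict. In a real mail gateway the allow-list would come from verified sender records rather than a hard-coded set, and the findings would be fed to the existing phishing-report workflow rather than acted on automatically.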
