Threat actors are hacking verified Twitter accounts to send fake but well-written suspension messages that attempt to steal other verified users’ credentials.
Twitter verifies accounts if they are considered notable influencers, celebrities, politicians, journalists, activists, and government and private organizations.
To receive the verified ‘blue badge,’ Twitter users must apply for verification and submit supporting documentation to show why their account is ‘notable.’
As a blue badge is not easy to obtain, the threat of losing it can cause people to react without thinking, which makes them prime targets for threat actors who value these accounts for their own scams.
“We are suspending your account”
Friday afternoon, BleepingComputer reporter Sergiu Gatlan received a phishing scam via Twitter DMs that said his account was being suspended for spreading hate speech.
“Your account has been flagged as inauthentic and unsafe by our automated systems, spreading hate speech is against our terms of service,” reads the phishing message below.
“We at twitter take the security of our platform very seriously. That’s why we are suspending your account in 48h if you don’t complete the authentication process.”
To test the phishing scam, I visited the tinyurl.com address in the DM, which redirected me to https://twitter-safeguard-protection[.]info/appeal/.
This website first asked for a Twitter user name, and when I entered my test account, it used the Twitter APIs on the backend to retrieve the account's profile photo, as shown below. Displaying the legitimate picture lends credibility to the phishing scam.
Unlike numerous phishing scams that allow you to enter your password multiple times until it accepts it, this phishing site rejected incorrect passwords.
After entering the correct password, it prompted me for my account’s email address. Once again, fake email addresses were rejected, indicating that the phishing site is using Twitter APIs to check for valid account information.
The second stage of the Twitter phishing attack (Source: BleepingComputer)
Finally, once I entered the correct information, the phishing page displayed a message stating, “Authenticity Check is completed, your account has been proved authentic by our automatic system, all current problems are resolved”.
At this point, though, my test account's credentials had been stolen, so I promptly changed the password to a different one.
However, anyone who has gotten this far would not realize their credentials had been stolen and would likely find later that day, or the next, that they could no longer log in to their account.
No one falls for these scams!
Before you say that nobody falls for these scams, unfortunately, the proof they do is in the scam itself.
These scams are not only being sent to verified users, but they are also being sent by verified users whose accounts were hacked, likely through similar phishing scams.
It is also common to see users, including verified users, post to Twitter that they fell for a phishing attack, even when some of the victims are involved in cybersecurity.
Threat actors continue to evolve their tactics to make their attacks look legitimate, and by targeting verified users, they add a sense of urgency that may cause people to overlook suspicious signs.
Therefore, if you receive a message directing you to a site where they ask for your credentials, always take your time analyzing it for strange domain names, unusual typos, and bad grammar. Note that the message in this case was well written, so the domain name is the signal to rely on: the link went through a URL shortener and landed on a domain that merely contains the word "twitter".
To be safe, only log in with your Twitter credentials on twitter.com and never on any other site.
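The domain check described above, as an added example that is not part of the original article: it refangs a link pasted from a DM or a report, extracts the hostname, and classifies it as twitter.com itself, a URL shortener that hides the real destination, a lookalike that borrows the Twitter brand, or something else. The shortener list and every sample link except the article's own redirect target are constructed for the example.

```python
"""Classify a link from a suspicious DM by the host it actually points at.

Added example, not code from the BleepingComputer article. The shortener list
and the sample links (other than the article's redirect target) are constructed.
"""
import re
from urllib.parse import urlsplit

# Only origin on which Twitter credentials should ever be typed.
LEGIT_HOSTS = {"twitter.com"}

# Constructed list of redirectors. t.co is Twitter's own shortener, but a t.co
# link can still land anywhere, so it is treated as "destination unknown" too.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "is.gd", "cutt.ly"}


def refang(url: str) -> str:
    """Undo the defanging used when sharing IOCs ('hxxp', '[.]') so urlsplit can parse it."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def hostname_of(url: str) -> str:
    """Lowercase hostname of the link, adding a scheme if it was pasted bare.

    urlsplit() handles the 'https://twitter.com@evil.example/' trick correctly:
    everything before '@' is userinfo, and the hostname is evil.example.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_legit_host(host: str) -> bool:
    """True only for twitter.com itself or a real subdomain of it.

    A suffix match is required: 'twitter.com.appeal-center.example' starts with
    twitter.com but is a completely different registrable domain, so it fails.
    """
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify(url: str) -> str:
    """Return 'legit', 'shortener', 'lookalike', 'other' or 'unparseable'."""
    host = hostname_of(refang(url))
    if not host:
        return "unparseable"
    if is_legit_host(host):
        return "legit"
    if host in SHORTENERS:
        return "shortener"      # real destination unknown until expanded; treat as untrusted
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "lookalike"      # IDN / punycode label, e.g. a homoglyph of 'twitter'
    if "twitter" in host or "twiter" in host:
        return "lookalike"      # brand name on a domain Twitter does not own
    return "other"


if __name__ == "__main__":
    # Constructed inputs; the second is the redirect target reported in the article.
    for link in (
        "tinyurl.com/abc123",
        "https://twitter-safeguard-protection[.]info/appeal/",
        "https://twitter.com.appeal-center.example/login",
        "https://twitter.com@evil.example/",
        "https://help.twitter.com/forms",
    ):
        print(f"{classify(link):11s} {link}")
```

Only a `legit` verdict should ever see a password; `shortener` means the link has to be expanded and re-checked first, and everything else is a reason to stop and go to twitter.com directly instead.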