One of Elon Musk's proposed first moves after his Twitter takeover seems to have backfired, at least from a security perspective. A teaser by the platform proposing to charge users a monthly fee to have verified accounts confirming them as a public persona or entity — and thus earn the distinction of a coveted blue check mark by their account name — has spawned a phishing campaign aiming to take advantage of the controversy surrounding the move.
A number of Twitter users claim to have received phishing emails that use the lure of losing their verified status to try to fool them into supplying their credentials. The scam works via a Google doc made to look like a Twitter help page, according to users.
Several of those who were targeted (natch) took to Twitter to warn others about it on Monday, including two reporters: Zach Whittaker, security editor for TechCrunch, and Kevin Collier from NBC News.
"Twitter's ongoing verification chaos is now a cybersecurity problem," Whittaker tweeted, subsequently posting a report on TechCrunch about the scam. "It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials."
Collier reported that the email he received "apparently slipped right by Outlook's robust protections," though he himself was not fooled. "Didn't get me but I bet this gets somebody," Collier wrote in the post.
The email, according to screenshots both Whittaker and Collier posted, is sent from a Gmail account, twittercontactcenter[at]gmail.com, which Collier said is a "dead giveaway" that it's bogus. It warns the targeted user that "the verification badge will be $19.99 per month for some users after November 2, 2022," and that Twitter currently is unable to verify some "famous or well-known people."
The email goes on to inform targets that they need to provide a confirmation of who they are to receive the verification badge "for free," and provides a button to "Provide Information" and a link to the "Help Center" to find out about updated rules for the verification program.
Clicking on the button leads to a Google Doc with another link to a Google site that lets users host web content, according to Whittaker's report. The phishing page itself is designed to look like Twitter's help page and contains an embedded frame from another site, which is hosted by Beget, a Russian web hosting provider, according to the report.
The page asks users to provide their Twitter username, password, and phone number, which could allow an attacker to break into an account without two-factor authentication enabled.
To mitigate damage from the campaign, Google took swift action to take down the phishing site a short time after TechCrunch alerted the company, Whittaker wrote.
Capitalizing on Controversy
Security professionals noted that it's not surprising that a threat actor has taken advantage of the commotion currently surrounding Twitter. Leveraging a controversial situation that elicits an emotional response not only spells a cybercriminal opportunity, but also boosts the chance of a phishing campaign's success, Patrick Harr, CEO at SlashNext, an anti-phishing company, wrote in an email to Dark Reading.
"These types of social-engineering phishing attempts are very effective because they play on emotion and instigated immediate action," he said. "Before the victim has time to think if this is phishing, they quickly jump to action."
The obfuscation tactics used in the campaign also make it easier to hide from threat-detection engines because they likely won't flag Google Docs, a trusted service — which, at least in Collier's case, was exactly what happened, security professionals noted.
Indeed, the campaign and its ability to bypass email scanners stresses why it's important for people to remain vigilant when receiving emails from unknown sources, and protect all of their accounts with multifactor authentication (MFA) and other security buffers, observed Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM).
"Make sure you always use MFA, a password manager that creates strong unique passwords for every account, and never give over personal information or credentials details on websites without first verifying authenticity," he advised in an email to Dark Reading.
For his part, Musk in a tweet on Tuesday seemed to corroborate that implementing the controversial verification fee would be a first order of business — the news of which first surfaced in a report on The Verge Monday.
However, after some verified account holders claimed they would leave rather than pay the reported fee of $20 a month for their blue check mark — including high-profile users such as author Stephen King — Musk suggested lowering the price.
"Twitter's current lords & peasants system for who has or doesn't have a blue check mark is bull****," he tweeted. "Power to the people! Blue for $8/month."
Musk's mere purchase of Twitter in a $44 billion deal — after a highly publicized, months-long back-and-forth between the company and the multibillionaire founder of Tesla — has already drawn the derision of celebrity users of the platform, some of whom already told followers they were closing their accounts.
The verification debacle occurring now is just fuel for the fire, adding to a growing controversy that is likely music to the ears of threat actors, who thrive on social, political, and economic conflict as an opportunity to commit cybercrime, security professionals observed.
"Cybercriminals have long exploited volatile situations for their own gain, especially newsworthy, current events," noted Darren Guccione, CEO and co-founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. "The recent acquisition and upheaval at Twitter is the latest example."