Many phishing attempts currently target verified Twitter accounts. The attackers try to steal login credentials so they can resell the accounts.
"Confirm your account by clicking on the form. If you don't, [...] your badge will be removed." The tone of the email is threatening. I received it directly in my professional mailbox, the one I use every day in my work as a journalist at Numerama.
The message appears to come from Twitter Verified, the social network's official service in charge of verifying accounts. But that's not all I received. A few days later, another email told me that I needed to log in to Twitter because the "Validation" service had tried to reach me. "Receiving a message from the Verification Service means there is a problem with your verified account," the email specifies.
These two messages are not from Twitter, but from scammers trying to steal my credentials: this is phishing. This is not the first time that a phishing campaign has targeted social network users. However, this is the first time that several simultaneous phishing waves specifically targeting certified Twitter accounts have been observed.
To understand what is happening behind this new trend, I therefore willingly let myself be deceived by these phishing scams.
Phishing by email
I have identified several techniques to steal Twitter accounts.
The first was via email: I received two messages, a few days apart, using slightly different tactics. The first one appears to be sent by Twitter Services, which makes the phishing look pretty believable at first glance. However, the address used has a spelling error, and it is a Gmail address. Those details are invisible unless you click on the sender.
The email invites me to log in to my Twitter account immediately to confirm that I'm not a bot, otherwise I'll lose my badge. This is a false pretext: a Twitter badge is only granted once the social network's teams have carried out all the necessary checks. Still, the email invites me to click a button to confirm my identity, which takes me to a site that resembles Twitter.
This page is convincing and very similar to what the social network actually uses. Another detail that reinforces the credibility of the phishing: when I enter my username, the site displays the name shown on my Twitter profile. If you confirm that it is you by providing your password, your credentials have been stolen.
The second phishing email claimed I had received a notification from Twitter services. Again, the email explains that there is a risk of losing my badge and invites me to log in to the site as soon as possible to keep it. Again, the email offers a link that takes me to a very realistic page where I have to enter a username and password. The page is, once more, designed to steal them.
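As an added example (not code from the article or from Numerama), here is the kind of check a mail filter could apply to the sender tells described at the start of this section: a display name that claims to be Twitter while the address sits on a free webmail domain, or on a domain that is a one-character misspelling of the real one. The brand-to-domain table and the sample headers are constructed assumptions for this example.

```python
"""Flag sender-address tells of brand impersonation in a raw From: header."""
from email.utils import parseaddr

# Brand keywords mapped to the domains that legitimately send their mail.
# Assumption for this example; a real filter would use a maintained allowlist.
BRAND_DOMAINS = {"twitter": {"twitter.com", "e.twitter.com"}}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(from_header: str) -> list:
    """Return the reasons this From: header looks like brand impersonation."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Only brands named in the display name can be impersonated by it.
    for brand in (b for b in BRAND_DOMAINS if b in display.lower()):
        legit = BRAND_DOMAINS[brand]
        if domain in legit:
            continue  # display name and sending domain agree
        findings.append(f"display name claims {brand!r} but address domain is {domain!r}")
        if domain in FREEMAIL:
            findings.append(f"{domain!r} is a free webmail provider")
        close = [d for d in legit if 0 < edit_distance(domain, d) <= 2]
        if close:
            findings.append(f"{domain!r} is a near-miss of {close[0]!r}")
    return findings


# Constructed samples: the brand's own mail, a webmail impersonator, a typosquat.
SAMPLES = {
    "legit": "Twitter <verify@twitter.com>",
    "webmail": "Twitter Services <twiter.services@gmail.com>",
    "typosquat": "Twitter Verified <support@twtter.com>",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, sender_findings(header) or ["no findings"])
```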
Direct phishing on Twitter
These aren’t the only phishing attacks I’ve encountered. A few days apart, a Frandroid journalist and another journalist from Numerama’s editorial staff received the same phishing attempts, this time directly on Twitter.
They both received a notification telling them that their account had been added to a list named "blacklisted accounts". They were added by an account pretending to be Twitter, which used an image of a certified badge to boost its credibility.
A short description at the top of the list explains that "after careful review, we have determined that your account is not genuine" and has therefore been blacklisted. "If you think we made a mistake, you can appeal by following the link below. Otherwise, your badge will be permanently removed within the next 24 hours."
The two phishing attempts were carried out using different accounts, but both lists point to the same site, with a rather convincing name: "resolveappeal.com" (that is, "resolve appeal"). Of course, the site asks us to log in, and for that to fill in a username and password. The goal is, again, to steal them.
What happens to accounts when they are hacked?
The proliferation of attempts in recent weeks is not insignificant, and it raises many questions. First, how do scammers identify the accounts to target? So far there is no clear explanation. However, they may rely on the follower list of TwitterVerified, the platform's official account that tracks verified personalities.
Another question these phishing scams raise: why are scammers trying to steal these accounts? The answer is simple: once the credentials are stolen, the scammers resell the accounts. On Telegram there is a very active black market dedicated to the resale of verified Twitter accounts, which The Verge has investigated.
The outlet reported that many certified personalities have been deceived by these sophisticated phishing scams in recent months, and that their profiles have been resold on specialized Telegram channels. Scammers buy verified accounts and use the credibility offered by the blue badge to promote scams, often involving fraudulent NFT schemes.
These groups selling Twitter accounts are very easy to find on Telegram, as Numerama was able to verify. A simple search is all it takes to reach public groups, some with more than a thousand members, that auction off verified accounts; there are certainly other private channels offering the same services. Even if some of these groups are probably scams themselves, they show how high the demand for Twitter accounts is.
It must be said that NFT scams are big business: the equivalent of more than 100 million dollars was stolen in 2021 through NFT scams, partly thanks to scams run on Twitter. The popularity of social network scams explains, at least in part, the increase in phishing attacks targeting verified accounts.
Twitter is not the only place where verified accounts are the target of elaborate phishing attacks. On YouTube, many video creators have had their accounts stolen after a phishing attack. The hackers then completely rebranded the channel to look like Tesla's or Elon Musk's account and ran a fake live giveaway to attract victims. French YouTuber Michou found himself in this situation in April 2022, and saw his channel, with 7.2 million subscribers, broadcasting a crypto scam.