Looking to exploit new Twitter owner Elon Musk’s declaration that the platform may start charging users for “verified” status and membership in the platform’s premium Blue service, cyber criminals are bombarding those users with scams.
“This presents a considerable financial and brand damage risk to organizations,” comments Matt Chiodi, chief trust officer of applications security platform Cerby. “Social media accounts are generally managed by marketing teams and can have access to hundreds of millions of corporate dollars for advertising. Not only could criminals siphon off that cash, they could defame a company’s Twitter profile with offensive content.”
Verified users are being hit with phishing attempts masquerading as notices from Twitter Services, delivered both to their email accounts and on Twitter itself, according to posts by affected users and reports from security media and experts.
“Bravo to some hacker for the timely phishing lure, which apparently slipped right by Outlook's robust protections,” tweeted NBC News reporter Kevin Collier. “Twittercontactcenter@gmail is a bit of a giveaway, though. Didn't get me but I bet this gets somebody.”
The scam emails attempt to get recipients to click on a link that will supposedly confirm their identities and keep them from losing their verified status.
Others have received messages on the Twitter site that claim to be a “removal notice.” The posts claim that the recipient’s status has been identified as inauthentic, and that the account holder must follow the link and file an appeal or their blue-badge status may be permanently removed within 24 hours.
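The lures described above share a small set of tells a mail filter can check mechanically: a display name that claims to be the brand while the sender address sits on a free webmail domain, links that point off the brand's domains, and deadline language ("within 24 hours", "permanently removed"). The following is an added example of such a triage check, not code from the article or from Twitter; the brand domains, webmail list, keyword list and the two sample messages are all constructed for illustration (the phishing sample uses a reserved `.example` hostname as a placeholder).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains genuine brand notices are expected to come from (assumed for this example).
LEGIT_DOMAINS = {"twitter.com", "e.twitter.com"}
# Consumer webmail domains a real corporate notice would not be sent from (assumed list).
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Deadline/threat phrasing lifted from the lures the article describes.
URGENCY = re.compile(
    r"\b(24 hours|permanently removed|verify (your )?identity|file an appeal|suspend)", re.I
)


def score_message(raw: str) -> dict:
    """Return the phishing indicators found in one RFC 822 message.

    A message is flagged 'suspicious' when two or more independent indicators fire,
    so a single benign oddity (e.g. one urgent word) does not trip the check alone.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() or ""
    reasons = []

    # 1. Display name impersonates the brand but the address is not on a brand domain.
    if "twitter" in display.lower() and sender_domain not in LEGIT_DOMAINS:
        reasons.append(f"display name claims Twitter but sender domain is {sender_domain!r}")

    # 2. Sender uses a consumer webmail provider (the 'giveaway' in the article).
    if sender_domain in FREE_WEBMAIL:
        reasons.append("sender address is on a free webmail domain")

    # 3. Any link whose host is not the brand's domain or a subdomain of it.
    for host in re.findall(r"https?://([^/\s]+)", body):
        host = host.lower()
        if not any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
            reasons.append(f"link host {host!r} is not a brand domain")

    # 4. Deadline or threat language pressuring the recipient to act.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        reasons.append("urgency/threat language in subject or body")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: a lure modelled on the 'removal notice' described in the article.
PHISH_SAMPLE = """\
From: "Twitter Services" <twittercontactcenter@gmail.com>
To: brand@example.com
Subject: Verified status removal notice

Your account has been identified as inauthentic. Follow the link below to
file an appeal or your blue badge will be permanently removed within 24 hours.
https://twitter-verify.example/appeal
"""

# Constructed sample: a routine notice from an expected brand domain.
BENIGN_SAMPLE = """\
From: "Twitter" <notify@twitter.com>
To: brand@example.com
Subject: Your monthly account summary

Here is your monthly summary. Manage your settings at https://twitter.com/settings
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for reason in result["reasons"]:
            print("  -", reason)
```

Run against the two constructed samples, the lure fires all four indicators while the routine notice fires none. In production the same logic belongs in a mail gateway rule or a SOAR enrichment step, with the brand-domain allowlist maintained per account owner rather than hard-coded.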
“Attackers capitalize on high profile, chaotic events and changes to drive pretext for lures like this,” Bugcrowd founder Casey Ellis told InfoSecurity. “This campaign is a reminder that it doesn’t need to be a hurricane, a pandemic, or other kind of calamity to trigger this kind of attacker behavior. I recommend using multi-factor authentication and ‘think twice, click once’ to help mitigate this.”
“The security industry and big tech need to do a better job at making security automatic,” stresses Cerby’s Chiodi. “For too long, we’ve blamed users for poor practices like clicking on phishing links. We haven’t learned that no matter the amount of security training, users aren’t the problem; it’s the technology we’ve created for them.
“None of the prominent social media platforms offer enterprise-grade authentication options to their billions of business and professional users,” he continues. “This is unacceptable for tools so widely used by consumers and critical to enterprises and democracy. These ‘unmanageable applications’ do not support security standards such as single sign-on or automated user creation and removal through a standard known as SCIM... it's one of the main reasons criminals go after social accounts.
“Phishing will continue to grow until the world moves to passwordless,” Chiodi concludes. “Passwords aren’t the problem; it’s how users manage them since they have traditionally had no options to help automate the entire process from account creation to login. Two ways to solve this are security and privacy settings that are secure by default and automation.”