Phishing emails increasingly target verified Twitter accounts with emails designed to steal their account credentials, as shown by numerous ongoing campaigns conducted by threat actors.
Verified accounts on Twitter are designated by a blue check next to their name, which indicates account holders are notable influencers, celebrities, politicians, journalists, activists, and government and private organizations.
To receive this ‘blue badge,’ Twitter users must apply for verification, which entails submitting additional information, including ID cards, website references, and other reasons that make your account ‘notable.’
These accounts typically have many followers or are considered “authorative” in some circles and thus are highly sought after by threat actors to promote scam campaigns and malicious activity.
At the same time, as it’s not easy to gain a blue badge, emails warning that Twitter will take it away tend to cause people to react quickly without analyzing the message properly for signs of suspicious behavior quickly.
Targeting verified Twitter users
Over the past week, numerous reporters at BleepingComputer have been targeted with phishing emails pretending to be from Twitter Verified – Twitter’s verified account platform.
These emails say that there is a problem with the recipient’s verified account and that they should click on the ‘Check notifications’ to learn more about what’s wrong.
The phishing emails warn that ignoring this message could lead to the account’s suspension.
Clicking on the ‘Check notifications’ button brings the recipient to a page prompting them to enter their login credentials. Additionally, the page will prompt users to enter their credentials twice, which the threat actors use to verify that incorrect information wasn’t entered by mistake.
After entering the credentials, the phishing kit will perform a password reset on your account using the inputted email address. The phishing page will prompt targets to enter a login verification code, which the threat actors will use to finish the password reset process.
While the phishing pages clearly do not belong to Twitter, mistakes happen in our often hectic lives, and victims commonly submit their credentials by accident.
Just yesterday, verified journalist Wudan Yan admitted to falling for a similar phishing scam targeting verified Twitter users promoted through DMs on the social site.
In a thread on Twitter, Yan shares her experience and how the threat actors changed her image, bio, and account name to appear to be Twitter and began sending further DMs to promote the scam to other users.
Thankfully, Yan could recover her account quickly, but others are not always so lucky or do not know their accounts were hacked.
In these cases, the accounts are commonly used to promote a variety of scams to their followers, usually cryptocurrency scams.
In 2021, threat actors performed a wide-scale breach of numerous verified Twitter accounts to promote a fake Elon Must cryptocurrency giveaway scam.
While you may think this is ridiculous and no one would fall for a scam like this, the threat actors earned over $580k in just one week.
As always, when receiving emails that lead to login forms, make sure to examine the URL of the landing page and make sure it corresponds to the company that allegedly sent you the email.
If there is any doubt, junk the email and contact the company directly to verify if the email was a scam.