Phishing attacks targeting Twitter have spiked since Elon Musk’s takeover, cybersecurity analysts say. Criminals are using the changes to the Twitter Blue premium verification service, introduced by Musk in the wake of his $44bn acquisition of the platform, as cover to try to steal the credentials of users.
A notable increase in Twitter-related phishing campaigns attempting to steal Twitter credentials has been spotted in the past two weeks, according to researchers at cybersecurity vendor Proofpoint. Multiple campaigns have used lures related to Twitter verification or the new Twitter Blue product, such as ‘Twitter blue badge Billing Statement Available’, the Proofpoint team says.
Musk introduced an $8 monthly charge for the Twitter Blue service after taking over the company. Users who paid up were verified with the website’s well-known blue tick, and Musk has promised tweets from verified users will be prioritised on Twitter feeds. However, the scheme has been suspended after myriad problems with spoof accounts.
How Twitter phishing attacks work
Twitter phishing campaigns are using both Google Forms for data collection and URLs that redirect to infrastructure hosted by the criminals, Sherrod DeGrippo, Proofpoint’s VP of threat research and detection, said.
“These campaigns typically target media and entertainment entities including journalists, and users who appear to be verified on Twitter. Often, the email address matches the Twitter handle used, and/or the email is available in the user’s Twitter bio,” DeGrippo said. “While we historically observed occasional Twitter credential phishing using verification-related lures from cybercrime threat actors, the activity has increased in recent weeks.”
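The traits described above (a verification or Twitter Blue lure, a sender outside Twitter’s domain, and links that land on a Google Form or an unrelated redirector host) can be turned into a simple offline triage check. The following is an added example written for this page, not code from Proofpoint or the article: the sample messages are constructed, the placeholder domains, indicator weights and threshold are assumptions, and a real deployment would work from parsed MIME rather than a single-part body.

```python
"""Offline triage of a suspected Twitter-verification phishing email.

Added example, not code from Proofpoint or the article. It scores a
constructed sample message on the traits the text describes: a
verification or Twitter Blue lure in the subject, a sender outside
twitter.com, and links that land on a Google Form (data collection) or on
an unrelated host (a redirector) instead of twitter.com. Domain lists,
weights and the threshold are assumptions chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: these are the only domains a genuine Twitter mail or link should use.
LEGIT_DOMAINS = {"twitter.com", "x.com"}
# Phrases from the lure the article quotes, plus close variants (assumption).
LURE_TERMS = ("verification", "verified", "blue badge", "twitter blue", "billing statement")
# Hosts that serve Google Forms, the data-collection mechanism the text mentions.
FORM_HOSTS = {"docs.google.com", "forms.gle"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(raw):
    """Score a raw single-part RFC 5322 message; returns (score, reasons)."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in LURE_TERMS):
        score += 1
        reasons.append("verification/Twitter Blue lure in subject")

    _, sender = parseaddr(msg.get("From") or "")
    sender_domain = registrable(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_domain not in LEGIT_DOMAINS:
        score += 1
        reasons.append(f"sender domain {sender_domain or '(none)'} is not a Twitter domain")

    body = msg.get_payload()  # assumption: plain single-part body, no MIME tree
    hosts = {urlparse(url).hostname or "" for url in URL_RE.findall(body)}
    for host in sorted(hosts):
        if host in FORM_HOSTS:
            score += 2  # credential collection via a hosted form weighs most
            reasons.append(f"link to form host {host}")
        elif registrable(host) not in LEGIT_DOMAINS:
            score += 1
            reasons.append(f"link to non-Twitter host {host} (possible redirector)")
    return score, reasons


def is_suspicious(raw, threshold=3):
    """True when the message accumulates enough indicators (threshold is an assumption)."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real captures); domains are placeholders.
PHISH_SAMPLE = "\n".join([
    "From: Twitter Support <support@twitter-verification-center.example>",
    "To: journalist@newsroom.example",
    "Subject: Twitter blue badge Billing Statement Available",
    "",
    "Your verified badge will be removed unless you confirm billing:",
    "https://docs.google.com/forms/d/e/EXAMPLE/viewform",
    "Alternative link: http://twitter-blue-billing.example/redirect",
])

LEGIT_SAMPLE = "\n".join([
    "From: Twitter <info@twitter.com>",
    "To: journalist@newsroom.example",
    "Subject: Your weekly Twitter summary",
    "",
    "See what happened this week: https://twitter.com/i/notifications",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} suspicious={is_suspicious(raw)}")
        for reason in reasons:
            print("  -", reason)
```

The scoring deliberately weights a form host highest, because a Google Form link in a mail that claims to come from Twitter has no legitimate reason to exist, whereas a lure phrase alone also appears in genuine account notices. Run it as-is to see the constructed phishing sample score 5 and the benign sample score 0.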
Historically, a hacking group identified by Proofpoint as TA482 has regularly targeted media users with Twitter-related phishing. But when it comes to the most-targeted brands for these types of attacks, Twitter does not even make the top ten according to research released last month by another security company, Check Point Research, which says delivery service DHL is the most impersonated business for phishing scams, followed by Microsoft and LinkedIn.
But the takeover by Musk is likely to have made it a more prominent target for hackers, DeGrippo said. "It is not surprising threat actors are using Twitter-related lures," she explained. "Cybercriminal threat actors regularly use themes that are related to major news items and relevant to human interests as that may increase the likelihood of someone engaging with social engineering content.
"While there’s a lot going on at Twitter and the social media platform right now, gaining access to accounts is still lucrative. Legitimately verified Twitter accounts typically have larger audiences than the average user, and compromised accounts can be used to spread misinformation, urge users to engage with additionally malicious content like fraudulent cryptocurrency scams, and can be used to further phishing campaigns to other users."
DeGrippo added that Twitter phishing could be used to launch “pig butchering” fraud, attacks that initially start on social media websites before pivoting to other services with the ultimate objective of stealing cryptocurrency. Proofpoint has noted a rise in this type of activity in recent months.
Twitter and cybercrime after Musk takeover
The new verification scheme introduced by Musk has been beset with problems, with people signing up and impersonating well-known brands. Both pharmaceutical company Eli Lilly and defence contractor Lockheed Martin saw their share price tumble last week when they were subjected to bogus tweets by spoof accounts in their company names. The verification service appears to have been paused following the incidents, and it is not known whether it will return in its current form.
It is not the only cybercrime problem facing Musk, who last week saw the company's CISO and head of trust and safety depart. The Tesla billionaire's commitment to free speech has led to fears that the platform will become a useful one for hackers selling stolen data, with ransomware gang Yanluowang having joined the platform last month to sell their wares.