In a new blog post researchers from Proofpoint have tracked a phishing campaign leveraging the concept of “Twitter Brand Verification”. Because the actors in this case are relying on paid, targeted ads on Twitter, users don’t need to do anything to see the phishing link. Attackers are increasing the sophistication of social engineering approaches and extending them across social channels. Users and brands need to be increasingly savvy to avoid getting snared by ads, accounts, and messages that initially look legitimate. While this attack was observed on Twitter, such a scam could be implemented on any social media platform that implements some form of account verification.
The full blog post can be found here, and the key takeaways include:
- Attacker targets brand accounts
- Combines a fraudulent impersonation account, which spreads the phishing link, with a fraudulent domain name and phishing website that gather the information.
- Preys on the knowledge that brands must verify their accounts to stand out from fraud, impersonation, and parody accounts.
- Uses paid advertisements to appear on users’ timelines
- Presence/branding is consistent with Twitter, both at the Twitter account stage and on the website level. Same branding, color schemes, terminology, etc.
- Asks for information relevant to social accounts to distract from what they are really after – in this case, both account credentials and a credit card
- Asks for a credit card for “identity verification purposes” – a socially engineered attack that ends with the attacker holding the credit card details, followed by a redirect to Twitter.com to reinforce the sense of legitimacy.
“Verified accounts” are a powerful tool on Twitter to help brands differentiate themselves from fraudulent, impersonation, and parody accounts on the social media site. When an account is officially verified, it displays a special badge intended to reassure Twitter users that they are interacting with a genuine brand and not an impostor. Recently, however, threat actors are using the promise of verified accounts to lure users into a credit card phishing scheme.
Account verification is a process that Twitter manages for “accounts of public interest” and requires brands to go through multiple verification steps. The promise, then, of a quick verification process is attractive, especially to smaller businesses that potentially lack the resources to meet Twitter’s requirements for account verification. In this phishing attack, discovered by Proofpoint researchers in December, attackers place legitimate ads targeting brand managers and influencers with a link to a phishing site purporting to offer account verification.
The ads themselves come from an account that mimics the official Twitter support account, @support. The fraudulent account, @SupportForAll6, uses Twitter branding, logos, colors, etc., to increase the sense of authenticity, despite a very low number of followers and a suspect name.
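The signals above (a handle that borrows the name of the platform's support account, a missing verification badge, a tiny follower count, a trailing digit on the handle, and a promoted link that leads off-platform to a lookalike domain) can be turned into a brand-protection triage heuristic. The following Python is an added example written for this summary, not code from Proofpoint or from the blog post; the official handles, platform domains, follower floor and the sample promoted posts (including the lookalike domain) are constructed assumptions for the example, not values taken from the research.

```python
"""Heuristic triage of promoted social-media posts that may impersonate a
platform's official support account (added example; not Proofpoint's code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed reference data for the example; a real monitor would load the
# platform's genuine handles and domains from a curated list.
OFFICIAL_HANDLES = {"support", "twittersupport"}
PLATFORM_DOMAINS = {"twitter.com", "help.twitter.com"}
FOLLOWER_FLOOR = 10_000  # an official support account is not expected below this
# Words an impersonator borrows to look like the platform itself.
IMPERSONATION_WORDS = re.compile(r"(support|verif|official|help)", re.I)


@dataclass
class PromotedPost:
    handle: str            # e.g. "@SupportForAll6"
    display_name: str
    followers: int
    verified: bool         # does the account carry the platform's badge?
    links: list = field(default_factory=list)


def normalize_handle(handle: str) -> str:
    """Lower-case the handle and strip '@' and punctuation so lookalikes compare cleanly."""
    return re.sub(r"[^a-z0-9]", "", handle.lower().lstrip("@"))


def link_signals(url: str) -> list:
    """Flag off-platform destinations whose domain borrows platform or verification wording."""
    host = (urlparse(url).hostname or "").lower()
    if host in PLATFORM_DOMAINS:
        return []
    if "twitter" in host or IMPERSONATION_WORDS.search(host):
        return [f"off-platform link {host} borrows platform or verification wording"]
    return []


def impersonation_signals(post: PromotedPost) -> list:
    """Return the list of impersonation indicators observed on a promoted post."""
    handle = normalize_handle(post.handle)
    if handle in OFFICIAL_HANDLES:
        return []  # the genuine account; nothing to flag
    signals = []
    claims_official = bool(IMPERSONATION_WORDS.search(handle)
                           or IMPERSONATION_WORDS.search(post.display_name))
    if claims_official:
        signals.append("handle or display name borrows platform support/verification wording")
        if not post.verified:
            signals.append("claims an official role but carries no verification badge")
        if post.followers < FOLLOWER_FLOOR:
            signals.append(f"follower count {post.followers} is far below an official account's")
        if re.search(r"\d+$", handle):
            signals.append("handle padded with trailing digits, typical of registering a taken name")
    for url in post.links:
        signals.extend(link_signals(url))
    return signals


def is_suspicious(post: PromotedPost, threshold: int = 3) -> bool:
    """Escalate when several independent indicators line up, not on any single one."""
    return len(impersonation_signals(post)) >= threshold


# Constructed sample posts for the example (the lookalike domain is a placeholder).
FAKE_SUPPORT = PromotedPost("@SupportForAll6", "Twitter Support", 37, False,
                            ["https://twitter-verification-example.invalid/verify"])
REAL_SUPPORT = PromotedPost("@support", "Twitter Support", 6_000_000, True,
                            ["https://help.twitter.com/"])
ORDINARY_BRAND = PromotedPost("@acme_coffee", "Acme Coffee", 900, False,
                              ["https://acme.example/"])

if __name__ == "__main__":
    for post in (FAKE_SUPPORT, REAL_SUPPORT, ORDINARY_BRAND):
        print(post.handle, "suspicious" if is_suspicious(post) else "ok")
        for s in impersonation_signals(post):
            print("   -", s)
```

The threshold matters: a low follower count or a trailing digit alone describes thousands of legitimate small accounts, so the heuristic only escalates when the account both claims an official role and shows several of the indicators together, and it never flags the genuine handle or a brand account that makes no platform-related claim.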
Devin Redmond, Vice President, Social Media Security Solutions, commented:
“We have known for a while that social networking platforms elevate the social engineering risks that users will face; this attack takes it to another level by leveraging the platform’s own advertising system.”
For more information about the research, including graphics, please see the blog post: https://www.proofpoint.com/us/threat-insight/post/social-media-verification-phishing-scams-steal-credentials-credit-card-numbers. Let me know if you have any questions or want to speak to Proofpoint.