Fake Twitter Verification Profile leads to Phishing, Credit Card Theft

The lure of having your Twitter account verified is too much for some people to resist, and sure enough we’ve come across a bogus Twitter account harbouring a nasty surprise for anybody taken in by their fakery.

Twitter account “Verified6379” claims to be an “Official Verification Page” with a link to a shortened Goo.gl URL. The site it directs visitors to is

verifiedaccounts(dot)byethost9(dot)com/go(dot)html

Here’s the Twitter feed in question:

Fake Twitter Verification Feed

The Goo.gl URL has been rather popular over the last month, to say the least:

Fake Verification Page Stats

17,070 clicks this month, and 18,059 in total. This week has seen 3,000+ click the link so far, with the majority of visitors coming from the US and UK.

What do those with a thirst for verification see upon hitting the page? A rather nasty double whammy of phishing and payment information theft.

First up is the phish, which asks for username, password and email, along with questions about why the victim thinks they should be verified, whether they’ve ever been suspended and how many followers they have.

Note that once the accounts have been compromised, information such as follower count makes it easy for the phisher to work out which are the best ones to use to spread more malicious links.

First stage of Twitter Phish

After this, the verification hunter will be presented with the below screen:

Fake site asking for card info

The page reads as follows:

Congratulations! You are one step away from being verified, please understand we require each user to pay the $4.99 verification fee. Processing this fee allows us to verify your identity much faster.

Uh oh.

They then go on to ask for card number, expiration date, CVV, name, address, phone number, state, country and zip code along with a confirmation email.

There’s no way to know how many people completed all of the steps, but there’s potential here for the scammers to have made off with quite the haul of stolen accounts and pilfered payment credentials.

Note that the so-called payment page doesn’t have a secured connection either, so if a third party happened to be snooping on traffic and you were on an insecure connection, there’d now be two people running around with your information instead of just one.
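The two stages described above (brand credentials, then card details, both on an unrelated host without HTTPS) can be turned into a simple page triage check. This is an added example, not code from the original article; the field-name hints, the `verify.example` host used in testing, the sample markup and the function names are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed field-name hints and brand host; the article does not show the form markup.
CARD_HINTS = ("card", "cvv", "cvc", "expir")
OFFICIAL_HOSTS = ("twitter.com",)


class FormScan(HTMLParser):
    """Collect form actions and (type, name) pairs of inputs from a page."""

    def __init__(self):
        super().__init__()
        self.actions, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append((a.get("type", "text").lower(), a.get("name", "").lower()))


def assess(page_url, html, brand="twitter"):
    """Return a sorted list of findings for one already-fetched page."""
    scan = FormScan()
    scan.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    official = any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)
    wants_password = any(t == "password" for t, _ in scan.inputs)
    wants_card = any(h in n for _, n in scan.inputs for h in CARD_HINTS)
    findings = set()
    if wants_password and brand in html.lower() and not official:
        findings.add("brand-credentials-off-domain")
    if wants_card and not official:
        findings.add("payment-fields-off-domain")
    # Resolve form targets against the page URL; an empty action posts back to the page.
    targets = [urljoin(page_url, act) for act in scan.actions] or [page_url]
    if (wants_password or wants_card) and any(urlparse(t).scheme != "https" for t in targets):
        findings.add("sensitive-form-over-http")
    return sorted(findings)


# Constructed sample pages modelled on the article's description (not captured from the real site).
STAGE1 = ('<h1>Twitter Verification</h1><form action="step2.php"><input name="username">'
          '<input type="password" name="password"><input name="followers"></form>')
STAGE2 = ('<p>Pay the $4.99 verification fee</p><form action="pay.php">'
          '<input name="card_number"><input name="cvv"><input name="zip"></form>')
```

Any single finding is only a hint; a page that raises both an off-domain finding and `sensitive-form-over-http` matches the pattern this article describes.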

We’ve seen a number of possibly related accounts pushing out similar links, all offline / suspended at time of writing. There are sure to be others floating around, so please be careful with your logins.

For more information on Twitter Verification, you should read their FAQ page. From a related article:

Twitter currently does not accept applications for verification. If we identify your account as being eligible, we will reach out to you to start the verification process.

The only Twitter feed you should pay any attention to with regard to the little blue tick is the Official Verification account – anybody else should be treated with caution, especially if they ask for logins via Direct Message or point you to websites asking for credentials and / or payment information.

Christopher Boyd

ABOUT THE AUTHOR

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.