Verified Twitter accounts are once again under attack from fraudsters, with the latest phish attempt serving up bogus suspension notices.
Hijacking verified accounts on any platform is a big win for fraudsters. It gives credibility to their scams, especially when the accounts have large followings. This has been a particularly popular tactic to promote NFTs and other crypto-centric scams.
Most recently, we saw hijacked verified accounts pushing messages claiming other verified users had been flagged for spamming. In that instance, compromised accounts were made to look like members of Twitter's support team.
Hate speech warnings via DM
This time around, the attack is less publicly visible, working its magic via DM instead of posting out in the open. The message sent to a Bleeping Computer reporter reads as follows:
Your account has been flagged as inauthentic and unsafe by our automated system, spreading hate speech is against our terms of service. We at Twitter take the security of our platform very seriously. That's why were are suspending your account in 48h if you don't complete the authentication process. To authenticate your account, follow the link below.
The site, hidden behind a URL shortening service, claims visitors are logging in to "Twitter help center". Making use of Twitter APIs to call up the reporter's test account name, it then asks for their password. A "welcome back" message alongside an image of the reporter's profile picture makes it all seem that little more bit real.
The phishing site then asks for an email address, and appears to be checking behind the scenes to ensure you're entering valid details. No spamming the database with deliberately incorrect information here!
The fake site displays a message which claims the account has been proven to be authentic (and in a very twisted way, it has). At this point, the phished victim likely assumes all is well and goes about their day. Meanwhile, the phisher is free to do whatever they want with the now stolen account.
Be careful out there
Whether verified or not, treat warning messages claiming to be from anyone on social media with suspicion. If they're providing login links tied to threats of suspension, you're better off visiting the site and contacting support directly.