Security researchers are advised to be on the lookout for scammers targeting their interest in the latest hard to obtain security testing tools. Flipper Zero, a slick looking portable multi-tool which frequently makes its way into the news, is one of the hottest pieces of kit around for security folks and fans of hardware generally.
It's also had some issues with regard to production, leading to a perfect storm of “I want this” butting heads with “This is a great opportunity for a bit of scamming”. Indeed, the device is currently listed as being sold out on the official portal. If you do have one to sell, you’re going to be very popular and this is something scammers can most definitely work with.
A world of fake Flippers
Security researcher Dominic Alvieri warns of fake Flipper Zero websites claiming to offer the product for sale.
The sites, promoted by imitation Twitter accounts, look very much like the real thing. Two of the accounts have deleted all of their Tweets and one account itself is now deleted. However, Bleeping Computer notes that the accounts had previously been responding to queries regarding availability.
A nice payday?
At least one known site is still online and “selling” non-existent Flipper devices. As the standard price for a Flipper Zero is $169, and the bogus site in the Bleeping Computer screenshot is $199, that could mean a very tidy profit for someone up to no good.
The payment process asks for a variety of personal information, with an eventual request for payment in various forms of cryptocurrency.
While the sites are being grouped under the banner of a phish, it could be that collection of security researcher data (or anyone else, for that matter) in this case is secondary to the desire to simply make some quick cash. This isn’t to say someone isn’t interested in the data; it could be revisited once the payments run their course (assuming anyone actually pays up. This hasn't happened yet).
Phishing for authenticity
At time of writing, Bleeping Computer mentions that no payments have yet been made to whoever is setting up these fake websites. Meanwhile, Flipper Zero has multiple problems across other social media sites like Instagram where a lack of verification for the Flipper account means there’s no way to report the (many) imitations.
Unfortunately it’s a case of our fishy friend experiencing a phishy time of things for the immediate future. If you’re on the lookout for new hardware, whether Flipper related or otherwise, always take steps to verify the legitimacy of links which come your way. Ironically, recent changes to Twitter’s verified profile status means that it’s not easy to do this anymore. In this case, doubly so as the official Flipper Zero account’s blue checkmark is a paid Twitter Blue account. This means that in theory anyone could have set it up if the Flipper Zero folks hadn't been fast enough. The good news is that the official Twitter account is linked from the official Flipper Zero website, so it's likely to be the real thing.
Plenty more phish in the sea? Let’s hope not.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.