Twitter Publicity Leads to a Wave of Phishing 

Phishing campaigns have become an inescapable part of online life. Hardly a day goes by without a new version or variation landing in inboxes. So, it shouldn’t come as any surprise that opportunistic cybercriminals took aim at people seeking an $8 blue check on Twitter as soon as the new program was announced.

The subscription program — later abandoned amid a highly publicized series of changes made since Elon Musk took over the social media site — serves as a reminder that anyone can become a target and that legitimate-looking messages can be the work of cybergangs. This phishing campaign was significant for several reasons:

• It was highly opportunistic, exploiting publicity and confusion surrounding Twitter.
• The phishing emails were very polished to convince recipients to act.
• The emails were also able to evade detection by using trusted tools that security systems are not typically tuned to block.

The Mimecast Security Operations Center has analyzed the campaign in detail, offering useful lessons on the evolution of phishing. 

Anatomy of the Twitter Phishing Campaign

The phishing campaign took off on November 3 and 4, when global scanners spotted more than 300 emails requesting that Twitter subscribers click a “Go to your profile” link to convert their accounts to the new program. The message also implied that if the user didn’t act, the account would lose verified status. The exact number of emails that hit subscribers to the social media site is unknown.

In old-school phishing attacks, messages have tended to include misspelled words and lack the design elements of an actual email sent by a real company. However, this campaign was different. For one thing, the emails looked authentic. They were cleanly formatted and well written. For another, they were sent via MailerSend, a trusted transactional messaging service.

In all likelihood, the attackers used a compromised MailerSend account belonging to an established healthcare provider. Yet, their ingenuity didn’t stop there. The campaign was well-timed and highly targeted. It was launched as rumors were circulating about Twitter’s plans to change subscription models, and it targeted Twitter users who were already subscribed to the $4.99-per-month Twitter Blue service.

Clicking on the embedded “Go to your profile” link would open a browser run through a series of URL redirects that eventually led to the phishing page, which leveraged a WordPress blog page hijacked from an online clothing retailer. The phishing page presented an authentic-looking “Sign in to Twitter” pop-up box.

The most likely motive for the attack was to steal credentials and possibly credit card information which could later be used in other attacks or sold on the dark web.

A Mimecast analysis of the attack shows that accounts in the U.S. and U.K. were the primary targets. Interestingly, the attack began before Twitter had officially announced that the $8 blue check program had actually rolled out. 

What’s more, every recipient already had the previous $4.99 blue check that Twitter had offered through its earlier verification program. This indicates that the attackers had spent considerable effort researching, planning, and executing this phishing campaign.

Lessons from Twitter’s Teachable Moment

There’s no way to determine the success of this phishing attack, since end-to-end forensic visibility doesn’t exist. Yet, it appears messages reached the intended recipients. Three things are clear:

• The exploit slipped past several layers of security at various companies and providers, using trusted tools and redirects.
• Its emails looked more legitimate than typical phishing campaigns.
• The campaign capitalized on uncertainty and disruption related to a broad array of changes taking place at Twitter.

Twitter isn’t the only social media target these days. For example, an increasingly common attack related to LinkedIn exploits subscribers’ posts about their career moves. In this “new starter” impersonation scheme, the subscriber is targeted with a phishing email that appears to come from a “senior executive” at their new employer. Any employee falling for this scheme paves the way for attackers to steal their credentials, draw out other business information, or take over their email account. And that’s not the only LinkedIn exploit: Another one uses smart links in LinkedIn Premium to redirect victims to a malicious site.

Beyond social media, it's also important to remember that the opportunism attackers showed in exploiting Twitter publicity will continue to be a hallmark of phishing. In the past, cybergangs have notoriously preyed on COVID pandemic fears in phishing campaigns. Fast-forward to today, and homeowners in the U.K. are being phished with emails promising energy rebates, as their heating bills skyrocket. 

Protecting Against Evolving Phishing Attacks

Phishers will continue to victimize people and companies — with many of the same attacks continuing or evolving while new ones pop up. A two-pronged approach to protecting against these attacks includes:

• Protection. Successful attacks share common traits, as they trick people into clicking links, downloading malware, and divulging sensitive information. Security tools for dialing back the risk to your company include tighter browser controls and AI-powered scanners that can even detect previously unknown threat types.
• Awareness. Phishers are quick to adapt and change their methods. They’re also becoming better at impersonating companies. So, security awareness training is critical and needs to be regularly refreshed.

The Bottom Line

The recent phishing campaign directed at Twitter subscribers is the latest in a long series of opportunistic cyber exploits and a sign of attacks to come on social media. Phishing attacks are becoming more sophisticated and better orchestrated — often with authentic-looking emails arriving from compromised accounts at trusted sources. It’s critical to remain vigilant and use a combination of awareness training and technology to minimize the risk of a successful attack. Read how Mimecast analyzes more than 1.3 billion emails daily to protect against phishing.