Phishing for Prey: Shady Saviors
While I was browsing Twitter, I happened to glance over at “What’s happening” and saw Coinbase trending with 61k+ Tweets. As it does, curiosity struck and I fell into the Twitter wormhole we all know so well. After scrolling past a few tweets, I saw a Tweet from a random user named “Braixen” who tweeted a “phish for the phishers”. I have seen more and more of these tweets around recently, and they’re usually from people joking around and having a laugh at the automated bots that tell you to “message <person> to get your account back!” before moving along with their day.
This time, however, I decided I wanted to just snoop around and see what exactly these Twitter accounts (which are obviously compromised) are doing to deceive the innocent users seeking real support. As a reminder: Do not visit any site links that may be exposed in any pictures, and if you want to explore any of the information I have provided further, do so with caution.
Let’s break the scheme down into simple steps:
First: The attackers start by either compromising real user accounts or creating alternative bot accounts. We’ll start by looking at the compromised accounts, as these are more valuable to the attacker: they give the victim a false sense of security and trust. Once the attackers have accounts at their disposal, they move on to the second step, which is the part we can actually see ourselves.
Here is an example of a compromised account that was under the original Tweet I showcased above:
Upon further investigation, it seems that the victim's Instagram account was also compromised alongside the Twitter account. No posts, but at the time I viewed it there were two scam-related stories posted on the account:
The characteristics that give the account away as compromised are easy to spot: the complete shift in posted content, the absence of any original posts, and of course the automated spam reply dropped under any Tweet containing the two words “Instagram” and “Hacked”. While these may be obvious to you and me, the average person who is desperate for help with their issue will completely disregard them.
Second: Now that the attackers have a way to reply to victims who are in need of support, they proceed to push their fake responses. Before we move on, it’s important to note that these attacks come in all shapes and sizes. In this blogpost I will focus on the ATO (Account Takeover) side of the scheme, as these usually cause much larger financial and long-term damage to the victim. Here are just some of the scams an attacker can use these responses to advertise:
- Sugar Daddy/Mommy/Baby Scams
- Fake “Hackers” who claim they can help recover your lost/locked account
- Support Account Impersonations
- Digital Art (ie Fake Designers, Artists)
- Schoolwork Services (ie Essay Writing, Exams)
- Fake Refunds / Money Doubling Schemes
- Fake Giveaway Scams (ie CashApp Scams)
- Day Trader / Insider Trading Scams
And many more…
So… how do they know who to reply to? Usually, these bots constantly scan hashtags, trends, @ mentions, and official Twitter pages to find any victim they can. For example, they scan for:
- Keywords like: Wallet, Hacked, Coinbase, Metamask, Support, Binance etc.
- Mentions like: @CoinbaseSupport, @MetaMaskSupport, etc.
- Hashtags like: #CoinbaseWallet, #Coinbase
- Any replies from official verified support accounts (like @CoinbaseSupport & @MetaMaskSupport)
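As an added example (not code from the original post), here is a small Python monitor that applies the four signals listed above to a handful of constructed sample Tweets. It flags the Tweets a scam bot would reply to, and then flags replies to those Tweets, from non-verified accounts, that carry the lure wording described in this post (“message <person> to get your account back”, “send us a private message”). The keyword, handle and hashtag lists come from the post; the verified-support set, the lure regex and all sample Tweets are my assumptions. A brand's own support or trust-and-safety team could run the same logic to reach a user before the bots do.

```python
"""Flag Tweets that scam bots would target, and the scam replies that follow.

Added example, not from the original post. Sample Tweets are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signals the post says the bots scan for.
BAIT_KEYWORDS = {"wallet", "hacked", "coinbase", "metamask", "support", "binance"}
SUPPORT_HANDLES = {"coinbasesupport", "metamasksupport"}
BAIT_HASHTAGS = {"coinbasewallet", "coinbase"}
# Assumption: the official verified support accounts (the two the post names).
VERIFIED_SUPPORT = {"coinbasesupport", "metamasksupport"}

MENTION_RE = re.compile(r"@(\w+)")
HASHTAG_RE = re.compile(r"#(\w+)")
# Assumption: wording typical of the lure replies ("message @x ...", "account back").
LURE_RE = re.compile(
    r"(?:\bdm\b|\bmessage\b|\bcontact\b|\bwrite to\b)\s+@\w+"
    r"|\baccount back\b"
    r"|\bprivate message\b"
    r"|\brecover(?:y|ed)?\b",
    re.IGNORECASE,
)


@dataclass
class Tweet:
    id: int
    author: str
    text: str
    in_reply_to: Optional[int] = None


def bait_signals(tweet: Tweet) -> List[str]:
    """Return the keyword/mention/hashtag signals that would draw a scam bot to this Tweet."""
    mentions = {m.lower() for m in MENTION_RE.findall(tweet.text)}
    hashtags = {h.lower() for h in HASHTAG_RE.findall(tweet.text)}
    # Strip mentions and hashtags so they are not double-counted as plain keywords.
    plain = HASHTAG_RE.sub(" ", MENTION_RE.sub(" ", tweet.text)).lower()
    words = set(re.findall(r"[a-z]+", plain))

    signals = [f"keyword:{kw}" for kw in sorted(words & BAIT_KEYWORDS)]
    signals += [f"mention:@{h}" for h in sorted(mentions & SUPPORT_HANDLES)]
    signals += [f"hashtag:#{h}" for h in sorted(hashtags & BAIT_HASHTAGS)]
    return signals


def find_targets(tweets: List[Tweet]) -> Dict[int, List[str]]:
    """Map tweet id -> signals for every Tweet a scam bot would reply to."""
    by_id = {t.id: t for t in tweets}
    targets: Dict[int, List[str]] = {}
    for t in tweets:
        if t.author.lower() in VERIFIED_SUPPORT:
            # The official account is not a victim, but its reply marks the parent as one.
            parent = by_id.get(t.in_reply_to)
            if parent is not None and parent.author.lower() not in VERIFIED_SUPPORT:
                targets.setdefault(parent.id, []).append(f"support_replied:@{t.author.lower()}")
            continue
        signals = bait_signals(t)
        if signals:
            targets.setdefault(t.id, []).extend(signals)
    return targets


def scam_reply_candidates(tweets: List[Tweet], targets: Dict[int, List[str]]) -> List[int]:
    """Ids of replies to a flagged Tweet, from non-verified accounts, that carry lure wording."""
    return [
        t.id
        for t in tweets
        if t.in_reply_to in targets
        and t.author.lower() not in VERIFIED_SUPPORT
        and LURE_RE.search(t.text)
    ]


# Constructed sample timeline (not real Tweets or real handles).
SAMPLE = [
    Tweet(1, "alice_88", "My @CoinbaseSupport account got hacked, someone drained my wallet, please help #Coinbase"),
    Tweet(2, "CoinbaseSupport", "Hi, sorry to hear that. Please send us a DM so we can look into it.", in_reply_to=1),
    Tweet(3, "bob", "Great weather for a hike today"),
    Tweet(4, "carol", "Does anyone know if MetaMask gas fees are lower at night?"),
    Tweet(5, "dan", "@alice_88 message @recoveryguy to get your account back!", in_reply_to=1),
    Tweet(6, "eve", "@carol contact @fixwallet_pro, they recovered mine in 10 mins", in_reply_to=4),
]

if __name__ == "__main__":
    targets = find_targets(SAMPLE)
    for tid, sig in targets.items():
        print(f"target {tid}: {', '.join(sig)}")
    print("scam reply candidates:", scam_reply_candidates(SAMPLE, targets))
```

Note that Tweet 4 is flagged on the single word “MetaMask” even though its author has no problem at all; that matches what the post observes, the bots reply to anyone who trips a keyword, not just to actual victims. The verified account's own “send us a DM” (Tweet 2) is excluded from the scam-reply list only because its handle is in the verified set, which is exactly why cloned support accounts are so effective.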
But what do they do now? That’s where step 3 comes into play.
Step 3: The Phish
Now that the bots have their target, all they need to do is plant the seed. Seeds, however, come in many flavors. This next part is best described through the example images below:
These examples are probably the two most common types of phishing attempts you will see out in the open. The first is fairly simple: a clone of an official support account that deceives users into handing over their credentials, which the attackers then use to take over the account. In the second, a real “human” replies, but is simply social-engineering the victim into entering their private information into a form.
These scams are copied and pasted wholesale, yet you will see a different variation every time as the attackers look for new ways to get past the platform's moderation.
So what can we do about this? Like the cheat vs. anti-cheat industry, this will always be an ongoing battle over which side can stay ahead of the curve until the other catches up. Thankfully, companies (and government agencies) have recently been pushing personal security into the open in an attempt to inform the average user. Platforms also have their own ways of fighting back, but what if Twitter limited the “Send us a Private Message” reply button to verified accounts only?
But here is where we can start: the root of the problem. The more compromised social media accounts there are, the more harmful content gets pushed. If we can make a dent in the attackers' main method of distributing the attack, phishing attempts will significantly decrease, which will (hopefully) lead to fewer people falling victim. How can we do this? Through wider enforcement of Two-Factor Authentication (2FA).
In a recent article from The Verge, they wrote “In October 2021, the company [Google] announced plans to turn on two-factor authentication by default for 150 million Google users who were not currently using the service and to require 2 million YouTube creators to use it. In the latest post, Google says it observed a 50 percent decrease in accounts being compromised among that test user group.” A 50% drop is a huge result, and hopefully it motivates more companies to make similar choices. One of the main platforms we looked at today was Twitter, where the majority of the spam we saw originated. The Verge states, “Twitter, which rolled out two-factor authentication in 2013, revealed in 2020 that only 2.3 percent of active accounts had enabled it; at Facebook, the figure was around 4 percent adoption in 2021.” Well, now it just makes sense. I truly believe that the widespread adoption of 2FA can make a difference like night and day. Combined with the product/company itself protecting and informing its user base, we can all fight phishing attempts together.
🔗 https://blog.google/technology/safety-security/safer-internet-day-2022/
🔗 https://www.theverge.com/2022/2/8/22923618/google-account-hacks-dropped-half-two-step-authentication?utm_campaign=theverge&utm_content=entry&utm_medium=social&utm_source=twitter
I really hope you enjoyed reading my first post on my website. This is the first time I am doing something like this, so I hope that over time my little articles will only get better in quality. One thing I would like to note about my editing of the photos is that I intentionally leave some characters of the handles visible. This gives the reader the ability to see any possible correlation between accounts across different platforms and to verify that two (or more) different messages are in fact coming from the same account, while still keeping the victim's identity private. Thank you for reading.