An unknown threat actor is exploiting the confusion among Twitter users about Twitter's plans to charge for verified badges. The attacker(s) reportedly target Twitter users in a phishing campaign designed to steal account credentials.
The phishing campaign was spotted by TechCrunch's Zack Whittaker and NBC News' Kevin Collier, who both have verified badges (blue ticks beside their names on the platform). Both received phishing emails from a threat actor masquerading as a member of the Twitter help desk.
Watch out for emails sent from twittercontactcenter @ gmail dot com, in which the phisher claims that the recipient will lose their blue tick, or must pay $19.99 to keep it, unless they "give a short confirmation" that they are indeed "famous or well-known people."
Bravo to some hacker for the timely phishing lure, which apparently slipped right by Outlook’s robust protections. Twittercontactcenter@gmail is a bit of a giveaway, though. Didn’t get me but I bet this gets somebody. pic.twitter.com/yPzmYY5kic
— Kevin Collier (@kevincollier) October 31, 2022
The email contains a "Provide Information" button that takes targets to a Google Doc. Clicking another link inside the doc redirects the user to a Google Site hosting a form with fields for the username, password, and phone number associated with the Twitter account.
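One way to flag this lure chain on the defender's side, as an added example that is not part of the original article: the constructed message below mirrors the sender, wording and Google Docs link the article describes, and the check looks for a brand name paired with a free-mail sender domain, the fee-or-lose-your-badge wording, and links to shared document hosting.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the lure described in the article (not a real capture).
SAMPLE_EMAIL = """\
From: Twitter Help Desk <twittercontactcenter@gmail.com>
To: reporter@example.com
Subject: Your verified badge requires confirmation

Twitter is updating its verification policy. Verified accounts must give a
short confirmation that they are famous or well-known people, or pay $19.99
to keep the blue tick.

Provide Information: https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit
"""

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
IMPERSONATED_BRANDS = {"twitter"}
# Shared document hosting used for the credential-harvesting pages in this campaign.
HOSTED_FORM_HOSTS = {"docs.google.com", "sites.google.com", "forms.gle"}
LURE_PHRASES = ("blue tick", "verified badge", "$19.99", "short confirmation")
URL_RE = re.compile(r"https?://([^/\s]+)[^\s]*")


def analyse_email(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    # Concatenate all leaf parts so single-part and multipart bodies are handled alike.
    body = "".join(part.get_payload() for part in msg.walk() if not part.is_multipart())

    findings = []
    # 1. A brand name in the display name or subject, but sent from a free-mail domain.
    claimed = f"{display_name} {subject}".lower()
    if any(b in claimed for b in IMPERSONATED_BRANDS) and sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"brand_impersonation_from_freemail:{sender_domain}")
    # 2. The "confirm or pay to keep your badge" wording; require two phrases to limit noise.
    text = f"{subject} {body}".lower()
    if sum(p in text for p in LURE_PHRASES) >= 2:
        findings.append("verification_fee_lure")
    # 3. Links that land on shared document/site hosting rather than the brand's own domain.
    for host in sorted({m.group(1).lower() for m in URL_RE.finditer(body)}):
        if host in HOSTED_FORM_HOSTS:
            findings.append(f"hosted_form_link:{host}")
    return findings


if __name__ == "__main__":
    print(analyse_email(SAMPLE_EMAIL))
```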
Since Elon Musk took over ownership of Twitter last week, the company has already made visible changes, including to the home page of the social networking platform. Visiting twitter.com now takes a logged-out user to the Explore page (trending tweets, news stories) instead of the sign-up form.
Phishing Pages for Twitter Users With Verified Badges | Source: Zack Whittaker
Musk, who calls himself Chief Twit and now Twitter Complaint Hotline Operator in his Twitter bio, has taken over executive duties as CEO (could be temporary), according to an SEC filing. He has also dissolved the board, making himself the company’s sole director, which he claims is temporary.
The Tesla and SpaceX CEO maintained throughout the tumultuous months before closing the $44 billion acquisition of Twitter that the company needs to become financially healthy. His rationale for a $19.99 subscription for a verified badge is that Twitter cannot rely on advertisers for revenue. "We need to pay the bills somehow!" Musk said, floating the possibility of $8 for blue ticks.
I will explain the rationale in longer form before this is implemented. It is the only way to defeat the bots & trolls.
— Elon Musk (@elonmusk) November 1, 2022
Musk has also renamed Super Follows as Subscriptions and is considering bringing back Vine, the short-form video platform that Twitter acquired in October 2012 and discontinued four years later in October 2016.
It is unclear if some users would be exempt from paying for verified badges on Twitter. Until Twitter officially confirms the blue tick subscription service, and perhaps even after that, the possibility of more phishing lures cannot be ruled out.
After discovering this particular phishing campaign targeting blue ticks, TechCrunch reported it to Google, which took down the malicious pages.
Image source: Shutterstock