Twitter Phishing Email Attack

With the ongoing uncertainty around Twitter verification, cybercriminals are trying to take advantage of the confusion. Emails are being sent from a Gmail account (twittercontactcenter) claiming to be from Twitter Services, with the subject "Re: Twitter Warning". The email claims Twitter users can keep their 'free verified status' if they confirm they are a 'well-known person' (what if I am a robot?).

The email is sent from a Gmail account and links to a Google Doc, which in turn links to a Google Site (Google Sites lets users host web content). This is likely done to create several layers of obfuscation and make it harder for Google's automatic scanning tools to detect the abuse. The page itself contains an embedded frame from another site, hosted on the Russian web host Beget, which asks for the user's Twitter handle, password and phone number: enough to compromise accounts that don't use stronger two-factor authentication.

The email is poorly written and confusing (which is intentional), and it scares people into thinking they can keep their verification badge by simply visiting a site (a Google Doc, since removed) and providing their username and password. The first red flag is that the email comes from a Gmail address rather than a Twitter.com address. Second, while the new Twitter Blue with a verification badge may end up costing $19.99 per month, the pricing has not been finalized. Further, Chief Twit wanted the new plan and rate active by November 7th (or else the employees responsible for the change would be fired). The whole line about 'users we can not fully verify' makes no sense, as everyone would need to 'reapply' (pay $20 per month) for verification.
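The red flags above can be checked mechanically at the mail gateway. The following is an added example, not code from the original post: it parses a constructed message modelled on the details given here (brand name in the sender's display name, a gmail.com sender domain, a "Re:" subject, a link to Google Docs) and reports each mismatch. The legitimate sender domains and the free-hosting list are assumptions for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains assumed to legitimately send mail for the brand (assumption for this example).
BRAND_DOMAINS = {"twitter": {"twitter.com"}}
# Free hosting the campaign in the post abused for its landing pages.
FREE_HOSTING = ("docs.google.com", "sites.google.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample based on the post; the Google Doc id is a placeholder.
PHISH = """\
From: Twitter Services <twittercontactcenter@gmail.com>
To: user@example.com
Subject: Re: Twitter Warning
Content-Type: text/plain

Confirm you are a well-known person to keep your free verified status:
https://docs.google.com/document/d/EXAMPLE-PLACEHOLDER/edit
"""

# Constructed benign sample for comparison.
LEGIT = """\
From: Twitter <info@twitter.com>
To: user@example.com
Subject: Twitter Warning
Content-Type: text/plain

Your account settings were changed. Review them in the app.
"""

def phishing_flags(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Brand impersonation: display name or address mentions a brand, but the
    # sender domain is not one of that brand's domains.
    for brand in BRAND_DOMAINS:
        if brand in (name + addr).lower() and domain not in BRAND_DOMAINS[brand]:
            flags.append(f"claims to be {brand} but sender domain is {domain}")
    # Fake thread: a "Re:" subject with no reply headers at all.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("subject looks like a reply but has no In-Reply-To/References header")
    # Off-brand landing page: links hosted on free document/site hosting.
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    for url in URL_RE.findall(body):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host.endswith(FREE_HOSTING):
            flags.append(f"link to free hosting: {host}")
    return flags
```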

This is a reminder that companies are not going to ask you for your password (especially on a 'support forum'). Also, as much as many hate it, this is a perfect example of how users can protect themselves with two-factor authentication. Even if the hackers get your login information, they are not going to be able to log in with 2FA enabled (unless, of course, your email password is the same as your Twitter password…)

via Tech Crunch