As Twitter announces plans to charge users $8 a month for Twitter Blue and account verification under Elon Musk’s management, researchers have come across multiple phishing emails targeting verified users. Earlier this week, Elon Musk appointed himself as Twitter’s CEO and announced plans to revamp Twitter’s verification process. As part of this review, Twitter initially proposed charging verified users a $20 monthly fee. Later, Musk stated the fee would be dropped to $8. Besides receiving a blue tick following successful verification, paying users are expected to get “priority in replies, mentions & search,” fewer ads, and the ability to post longer multimedia content. Following Musk’s tweets, researchers observed new phishing campaigns emerging, with threat actors now targeting verified accounts. Like many phishing emails, these messages convey a false sense of urgency, urging the user to sign in to their Twitter account or risk “suspension.” Research revealed that these emails originated from the servers of hacked websites and blogs that may, for example, be hosting outdated WordPress versions or running unpatched, vulnerable plugins. Clicking the link takes the user to a phishing webpage where the threat actors misuse the $8 monthly fee announcement from Musk’s tweets. The phishing workflow collects the user’s Twitter username and password, then proceeds to send them a two-factor authentication code via SMS.
Standard phishing defense tactics apply in this situation. Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag. It is also important to check for mismatched URLs. While an embedded link may look perfectly valid, hovering over it may reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain the link is legitimate.
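The two checks described above, sender display name versus actual sending domain and visible link text versus the real link target, can be automated for triage. The following is an added example, not code from the original article: it uses only Python's standard library, runs against a constructed sample message, and assumes a trusted-domain list (`twitter.com`) and `.invalid` hostnames for the spoofed sender.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real campaign artifact): display name claims the
# brand, the address is on an unrelated domain, and the first link's visible
# text shows the brand domain while the href points elsewhere.
SAMPLE_EMAIL = """From: "Twitter Verified" <notices@example-blog.invalid>
To: user@example.org
Subject: Action required: your verified account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign in now or your account will be suspended.</p>
<a href="https://login.example-blog.invalid/verify">https://twitter.com/settings</a>
<a href="https://help.twitter.com/">Help Center</a>
</body></html>
"""

TRUSTED_DOMAINS = {"twitter.com"}  # assumption: the brand's legitimate domain

def registrable(host):
    """Crude 'last two labels' reduction; adequate for .com-style hosts."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    name, sender_domain = sender.display_name, registrable(sender.domain)
    flags = []
    # Red flag 1: display name invokes the brand, but the domain is foreign.
    if any(d.split(".")[0] in name.lower() for d in TRUSTED_DOMAINS) \
            and sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"display name '{name}' but sender domain '{sender_domain}'")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    # Red flag 2: the URL shown to the reader differs from where the link goes.
    for href, text in parser.links:
        href_dom = registrable(urlparse(href).hostname)
        text_dom = registrable(urlparse(text).hostname) if "://" in text else ""
        if text_dom and text_dom != href_dom:
            flags.append(f"link text shows '{text_dom}' but points to '{href_dom}'")
        elif href_dom not in TRUSTED_DOMAINS:
            flags.append(f"link to untrusted domain '{href_dom}'")
    return flags
```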