Twitter’s verification chaos is now a cybersecurity problem • TechCrunch


Cybercriminals are already taking advantage of Twitter’s ongoing verification chaos by sending out phishing emails designed to steal passwords from unsuspecting users.

The phishing email campaign, seen by TechCrunch, attempts to lure Twitter users into entering their username and password on an attacker-controlled website disguised as a Twitter help form.

The email is sent from a Gmail account and links to a Google Doc, which in turn links to a page on Google Sites, a service that lets users host web content. These layers of indirection potentially make it harder for Google’s automated scanning tools to detect the abuse. The Google Sites page itself contains an embedded frame loaded from another site, hosted on the Russian web host Beget, that asks for your Twitter username, password and phone number: enough to compromise accounts that don’t use stronger two-factor authentication.
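The structure described above, a page on one host that embeds a frame from a second host carrying a credential form, is something a defender can check for mechanically. The following is an added example, not code from TechCrunch, Google or Beget: it parses a landing page, lists frames and form targets whose origin differs from the page’s own host, and notes which credential-style inputs (username, password, phone) the page collects. The two HTML documents and all hostnames are constructed placeholders, not the real campaign’s.

```python
"""Flag pages that embed a credential form from another origin.

Added example (not TechCrunch's, Google's or Beget's code). The pages and
hostnames below are constructed to mirror the layering described in the
article; they are placeholders, not indicators from the real campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class EmbedCollector(HTMLParser):
    """Collect frame sources, form actions and credential-style inputs."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.form_actions = []
        self.credential_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src"):
            self.frame_srcs.append(a["src"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if kind in ("password", "tel") or name in ("username", "password", "phone"):
                self.credential_fields.append(name or kind)


def host_of(url, base):
    """Hostname of url, resolving relative URLs against the page's own URL."""
    return urlparse(urljoin(base, url)).hostname or ""


def analyze_page(page_url, html):
    """Return cross-origin frames, cross-origin form posts and credential fields."""
    collector = EmbedCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname or ""

    def is_cross_origin(url):
        h = host_of(url, page_url)
        return h != "" and h != page_host

    return {
        "cross_origin_frames": [u for u in collector.frame_srcs if is_cross_origin(u)],
        "cross_origin_form_posts": [u for u in collector.form_actions if is_cross_origin(u)],
        "credential_fields": collector.credential_fields,
    }


def risk_score(findings):
    """Simple additive heuristic: layering plus credential capture raises the score."""
    score = 0
    if findings["cross_origin_frames"]:
        score += 2
    if findings["cross_origin_form_posts"]:
        score += 2
    if "password" in findings["credential_fields"]:
        score += 3
    if any(f in ("phone", "tel") for f in findings["credential_fields"]):
        score += 1
    return score


# Constructed sample: the outer hosted page only embeds a frame from elsewhere.
OUTER_URL = "https://sites.hosting.example.test/twitter-help"
OUTER_HTML = """<html><body><h1>Twitter Help</h1>
<iframe src="https://third-party.example.test/verify.html" width="600"></iframe>
</body></html>"""

# Constructed sample: the framed page carries the actual credential form.
INNER_URL = "https://third-party.example.test/verify.html"
INNER_HTML = """<html><body>
<form action="/submit" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="tel" name="phone">
  <input type="submit" value="Verify">
</form></body></html>"""


if __name__ == "__main__":
    for url, html in ((OUTER_URL, OUTER_HTML), (INNER_URL, INNER_HTML)):
        f = analyze_page(url, html)
        print(url, f, "score:", risk_score(f))
```

Run alone, the script reports the outer page for its cross-origin frame and the inner page for collecting a password and phone number; a review workflow would examine both pages of the chain together, since neither alone shows the full picture.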

Google removed the phishing site shortly after TechCrunch alerted the company. “We can confirm that the relevant links and accounts have been removed for violations of our program policies,” a Google spokesperson told TechCrunch.

Screenshot of the phishing email designed to steal Twitter users’ credentials. Image Credits: TechCrunch.

The campaign appears rudimentary in nature, likely because it was put together quickly to take advantage of recent news that Twitter will soon bill users monthly for premium features, including verification, as well as reports that it may remove verified badges from Twitter users who don’t pay.

At the time of writing, Twitter has yet to make a public decision about the future of its verification program, which was launched in 2009 to validate certain Twitter accounts, such as those of public figures, celebrities and governments. But that clearly hasn’t stopped cybercriminals, even less skilled ones, from taking advantage of the lack of clear information from Twitter since it went private this week following the close of Elon Musk’s $44 billion acquisition.

TechCrunch also alerted Beget to the phishing pages, and the host subsequently took the offending domain offline. A Twitter spokesperson declined to comment.
