Crypto scammers abuse X 'feature' to impersonate high-profile accounts

The website uses the status ID to determine which post to load from the site's database, without checking whether the account name in the URL is valid or actually owns that post.
This allows you to take a URL for a tweet and change the account name to whatever you want, including the names of high-profile accounts.
Clicking on such a modified link takes you to a post from Elon Musk, as the status ID is associated with one of his tweets.
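As an added illustration (not code from the article or from X), here is a small defender-side check in Python that models the behaviour described above: it extracts the claimed handle and the status ID from a link and compares the claimed handle with the account that actually owns the post, which is what a reader would otherwise verify by eye in the address bar. The resolver and the post data it consults are constructed assumptions standing in for the real lookup.

```python
from urllib.parse import urlparse

# Hosts on which the post is resolved by status ID alone (account name ignored).
X_HOSTS = {"x.com", "www.x.com", "twitter.com", "www.twitter.com", "mobile.twitter.com"}


def parse_status_url(url):
    """Return (claimed_handle, status_id) for an X/Twitter status URL, else None."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.netloc.lower() not in X_HOSTS:
        return None
    parts = [s for s in p.path.split("/") if s]
    # Expected path shape: /<handle>/status/<numeric id>
    if len(parts) < 3 or parts[1] != "status" or not parts[2].isdigit():
        return None
    # X handles are case-insensitive, so normalise before comparing.
    return parts[0].lstrip("@").lower(), parts[2]


def check_link(url, resolve_author):
    """Classify a link. resolve_author(status_id) returns the handle that really
    owns the post (in practice: the account shown once the page has loaded)."""
    parsed = parse_status_url(url)
    if parsed is None:
        return "not-a-status-url"
    claimed, status_id = parsed
    actual = resolve_author(status_id)
    if actual is None:
        return "unknown-post"
    actual = actual.lower()
    if actual == claimed:
        return "ok"
    # Brand name embedded in an unrelated handle (the zkSync-style case).
    if claimed in actual:
        return "lookalike-handle"
    return "handle-mismatch"  # URL names one account, the post belongs to another


# Constructed sample data: status ID -> real author. Not real X records.
SAMPLE_POSTS = {"1001": "binance", "2002": "someuser", "3003": "zksync_official_giveaway"}


def sample_resolver(status_id):
    return SAMPLE_POSTS.get(status_id)


if __name__ == "__main__":
    for u in ("https://x.com/binance/status/1001", "https://x.com/Binance/status/2002"):
        print(u, "->", check_link(u, sample_resolver))
```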
BleepingComputer previously reported on this feature in 2019, when security researcher Davy Wybiral expressed concerns that the feature could be used for phishing.
At that time, it was not abused in phishing attacks.
Security researcher MalwareHunterTeam has told BleepingComputer that scammers have been using this redirect mechanism for at least the past two weeks to create URLs that look like they belong to legitimate, well-known organizations.
All of the impersonated organizations seen by BleepingComputer are crypto-related accounts, such as Binance, the Ethereum Foundation, zkSync, and Chainlink.
While the links above look like tweets from Binance, Ethereum, and zkSync, they instead redirect to an unrelated X user's tweets promoting crypto scams.
BleepingComputer observed tweets promoting fake crypto giveaways, websites that utilize wallet drainers, and Discord channels promoting pump-and-dumps.
It is possible to filter out some of these tweets by enabling the Quality Filter under Settings > Notifications > Filters, though you run the risk of tweets you wish to see being filtered out incorrectly.
Most users should immediately be able to spot a scam tweet by noticing that the account shown is different from the one in the URL. However, some, like the zkSync URL, may be missed, as the scammer created an account with the company's name in its user name.
Opening these links on mobile can be more confusing, as the app does not show an address bar and you simply see the post.
For many, it could appear that a company like Binance promoted the post, making it look more legitimate.
As this redirect is a standard feature of Twitter, we will likely not see it changed to make it more secure.
That means if you click on an X link, you should take a quick look at your address bar to ensure you are visiting that person's tweet and have not been redirected.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 20 Dec 2023 20:20:26 +0000