A sophisticated financial scam has emerged on X/Twitter, exploiting a critical vulnerability in the platform’s advertising display URL feature. Cybersecurity researchers have uncovered a campaign that tricks users by displaying trusted domain names in advertisements while redirecting victims to malicious cryptocurrency scam websites.

The most recent instance of this attack was discovered on May 1, 2025, when advertisements for a fictitious “Apple iToken” cryptocurrency began appearing on X/Twitter. The campaign specifically targets users interested in cryptocurrency investments by impersonating Apple and falsely suggesting the company is launching a new digital token. Silent Push researchers identified this campaign through their threat monitoring systems and determined that the attack represents a significant evolution in social media-based financial scams.

The attack leverages a known loophole in X/Twitter’s URL handling system, allowing attackers to display one domain to X/Twitter’s crawlers while sending actual visitors to entirely different destinations. As detailed in the Silent Push report, the attackers employ a multi-stage redirection technique that effectively circumvents X/Twitter’s verification systems. When X/Twitter’s crawler follows the advertised link to generate the preview card for the advertisement, it sees the legitimate domain and displays “From CNN.com” in the ad. When users clicked the link, however, they were redirected to cryptocurrency scam websites with elaborate Apple-themed interfaces designed to steal funds. This creates a complex redirection chain: X/Twitter ad → Bitly shortener → Second X/Twitter URL → Final malicious domain (ipresale.world or similar domains). The redirect chain ultimately led users to domains like “ipresale.world” and “itokensale.live” that mimicked Apple branding while promoting fictional cryptocurrency presales.

Silent Push’s investigation revealed that the threat actors behind this campaign have created nearly 90 similar websites dating back to 2024, all featuring almost identical financial lures targeting cryptocurrency investors. The operation’s sophistication is evident in its infrastructure, with researchers identifying 22 different cryptocurrency wallet options for victims to send funds.

This technique was previously reported by Bleeping Computer in March 2024 with similar cryptocurrency scams spoofing other trusted domains like forbes.com, indicating that threat actors continue to successfully exploit this vulnerability despite its public disclosure. “This attack demonstrates how threat actors continue to find creative ways to abuse legitimate platform features,” noted Silent Push in their report.
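For defenders reviewing ad clicks recorded by a sandbox or web proxy, the display-versus-destination mismatch described above can be checked mechanically. The following Python sketch is an added example, not code from Silent Push or the original article; the function names, finding labels, host lists and sample chains are assumptions, and the sample URLs are constructed with placeholder paths.

```python
from urllib.parse import urlsplit

# Assumptions for this example: which hosts count as the platform and as shorteners.
PLATFORM_HOSTS = {"x.com", "twitter.com", "t.co"}
SHORTENER_HOSTS = {"bit.ly"}

def norm(host):
    """Lower-case a hostname and drop a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def same_site(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_chain(display_domain, hops):
    """Compare the domain shown on an ad card with where a user click lands.

    display_domain: domain text from the preview card, e.g. "CNN.com".
    hops: URLs a normal browser visited after the click, in order.
    """
    if not hops:
        raise ValueError("no redirect hops recorded")
    shown = norm(display_domain)
    hosts = [norm(urlsplit(u).hostname or "") for u in hops]
    findings = []
    if not same_site(hosts[-1], shown):
        findings.append("landing-differs-from-display")
    if not any(same_site(h, shown) for h in hosts):
        findings.append("displayed-domain-never-visited")
    # Shortener hop followed by a hop back on the platform, as in the chain above.
    for i, h in enumerate(hosts):
        if h in SHORTENER_HOSTS and any(n in PLATFORM_HOSTS for n in hosts[i + 1:]):
            findings.append("shortener-then-platform-bounce")
            break
    return {"landing_host": hosts[-1], "findings": findings}

# Constructed sample data: paths are placeholders, only the hosts follow the article.
SCAM_CHAIN = [
    "https://bit.ly/PLACEHOLDER",
    "https://x.com/PLACEHOLDER",
    "https://ipresale.world/",
]
BENIGN_CHAIN = ["https://bit.ly/PLACEHOLDER", "https://www.cnn.com/PLACEHOLDER"]

if __name__ == "__main__":
    print(audit_chain("CNN.com", SCAM_CHAIN))
    print(audit_chain("CNN.com", BENIGN_CHAIN))
```

The subdomain comparison in same_site also catches look-alike hosts that merely begin with the displayed domain, since only an exact match or a true subdomain counts as the same site.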
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 08 May 2025 17:25:11 +0000