Twitter plans to verify more users by charging them a monthly fee, attracting hackers who started phishing campaigns.
Hackers are already capitalizing on the proposal that Twitter will monetize verifying users with a blue check mark since it has become a status symbol.
Several media outlets including TechCrunch, NBC News and Reuters received phishing emails on Oct. 31 in attempt to lure people into the scam.
Twitter’s Blue Check Mark
Billionaire Elon Musk, who has taken control of the company in a $44 billion deal, proposed that Twitter users pay to be verified in an attempt to generate revenue for the social media company.
The service, which uses small blue badges that have a checkmark indicate that a person’s or brand’s account is genuine and has always been free.
The proposal has been met with extreme backlash from users who do not want to pay the $20 proposed amount of any amount for posting tweets or creating content.
One user, Deke Sharon, tweeted “I will not pay $20 a month just so that people can see a blue check by my name. I thought the point was & is to verify identity.”
Even novelist Stephen King chimed in with his refusal to pay for verification, stating “$20 a month to keep my blue check? F— that, they should pay me. If that gets instituted, I’m gone like Enron.”
Musk, who is also CEO of Tesla and runs Space X, the rocket company, replied to the famous writer, by tweeting “We need to pay the bills somehow! Twitter cannot rely entirely on advertisers. How about $8?”
The blue badges are expected to be part of the paid features starting next week. Subscribers will have to pay to receive them.
The blue check mark was originally given to people, especially well-known actors, journalists and celebrities such as athletes to avoid impersonators.
Hackers Use Phishing Emails
Several phishing emails were sent to lure people into paying for the service now, including reporters and experts who report or work in the cybersecurity industry.
Zach Whittaker, security editor of media publication TechCrunch, reported about the phishing emails, which appear to be from a legitimate person or company, but are used by cyber criminals to obtain personal information or credit card numbers.
“Twitter’s ongoing verification chaos is now a cybersecurity problem,” he tweeted. “It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials.”
The phishing emails sent to the media are obvious because they send people to a Google Doc and a link to a Google Site. The email itself comes from a free Gmail account, Whittaker said.
“Phishing emails are sent from a Gmail account and point to a Google Doc with a link to a Google Site,” he tweeted. “Yes, incredibly crude, but looks like this. Clearly capitalizing on the uncertainty around Twitter verification. I forwarded details to Google to review/take down.”
In response to TechCrunch’s message, Google took down the phishing pages, “citing violations of its terms of service,” Whittaker tweeted. “A Google spokesperson told me: “Confirming we have taken down the links and accounts in question for violations of our program policies.”
Kevin Collier, a reporter at NBC News who reports about cybers, disinfo, privacy, policy and elections, tweeted that he had received the same phishing emails asking for $19.99 to maintain his blue check mark.
“Bravo to some hacker for the timely phishing lure, which apparently slipped right by Outlook’s robust protections,” he tweeted. “Twittercontactcenter@gmail is a bit of a giveaway, though. Didn’t get me but I bet this gets somebody.”
Chris Bing, who covers digital espionage for wire service Reuters, said he had also received several phishing emails.
Hackers are always looking for opportunities to steal identities and also make money and social media attacks leveraging platforms like Twitter and LinkedIn are becoming increasingly popular, Mika Aalto, CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions, told TheStreet.
“Large organizations put large amounts of resources into creating well known and trusted brands,” he said. “Malicious actors see this as a great opportunity, weaponizing the trust and feeling of legitimacy tied to these logos.”
Since the Twitter verified status badge has become a status symbol, malicious actors “leverage emotions such as greed, urgency, and fear to provoke a careless reaction,” Hoxhunt said.
The data that is obtained and harvested in an attack like this is valuable, but it poses as a problem for the individual and even for their employer because of the potential for being compromised, he said.
Consumers can protect themselves from social media-themed phishing attacks by developing a sense of cyber street smarts, Hoxhunt said.
“If something seems fishy, like poor wording within a threatening message like this, just take your time and look at the sender address,” he said. “If it’s from a free mail account like gmail or hotmail, it is a phishing attack.”
Even cybersecurity experts received phishing emails.
Casey Ellis, CTO at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, told TheStreet he has been getting “spearphished by credential theft spam posing as a verified user change since last Friday. Attackers capitalize on high profile, chaotic events and changes to drive pretext for lures likes this. This campaign is a reminder that it doesn’t need to be a hurricane, a pandemic, or other kind of calamity to trigger this kind of attacker behavior.”
Using multi-factor authentication can help avoid phishing or spear phishing, which is sending emails from a known sender like a company or organization and people should “think twice, click once” to help mitigate falling for hacking attempts, he said.