
Instant Phishing Attack Aims at Prominent X Accounts


An active phishing campaign is currently targeting high-profile X accounts belonging to prominent figures, including journalists, politicians, and even employees of X, in an effort to hijack these accounts for cryptocurrency fraud.

SentinelLabs, who uncovered this disturbing trend, pointed out that while X is the primary focus, the campaign is not limited to a single platform. Their recent blog post discusses the campaign’s methods and motivations. The attackers aim to exploit the substantial reach of these influential accounts which also include tech and cryptocurrency organizations and accounts with highly sought-after short usernames, ultimately to lure individuals into cryptocurrency scams for financial benefit.

“Once an account is compromised, the attackers quickly lock out the rightful owner and start posting fraudulent cryptocurrency offers or links to external sites meant to entice additional victims, often with a theme related to crypto theft,” stated SentinelLabs researchers Tom Hegel, Jim Walter, and Alex Delamotte.

This strategy of compromising well-known accounts—similar to tactics previously observed in the notorious 2020 Twitter hacks of celebrity accounts—allows fraudsters to cast a wider net, significantly enhancing their potential financial returns.

This recent campaign bears resemblance to a similar phishing initiative identified last year, which affected the Linus Tech Tips X account along with other notable users. The interconnected infrastructure and overlapping phishing messages indicate that a common threat actor may be responsible for both incidents, although neither the origin nor the identity of the attackers is currently known.

Classic Fake Crypto Lures & Adaptable Infrastructure

SentinelLabs has observed various phishing tactics employed during this campaign, including a common “account login notice” that alerts users via email about a login from an unfamiliar device. This email contains a link that misleadingly invites users to “take steps to protect” their account, redirecting them to a site designed to harvest X credentials.

Additional phishing attempts utilize themes related to copyright violations, luring users into clicking links that direct them to phishing sites requesting their X credentials. Recently, such phishing pages exploited Google’s “AMP Cache,” specifically cdn.ampproject[.]org, to evade standard email filtering systems.

Researchers noted that the infrastructure employed in this campaign reflects a highly adaptable actor, continuously developing new methods while consistently aiming for financial gain. Recent activities were traced back to the domain securelogins-x[.]com for email delivery and x-recoverysupport[.]com for hosting phishing pages. This willingness to rotate domains and delivery methods points to an informal, opportunistic approach to operations.
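The two lure types and the AMP Cache trick described above share one defensive weak point: a mail filter that only inspects the outer hostname of a link sees Google infrastructure rather than the phishing host. The following triage helper is an added example, not code from the article or from SentinelLabs. It unwraps AMP Cache links to the origin they proxy (assuming the documented cdn.ampproject.org layout of `<origin-with-dashes>.cdn.ampproject.org/c/s/<origin>/<path>`), then checks the real origin against the two campaign domains named in the report and against a small allowlist of legitimate X hosts. The allowlist, the brand-lookalike heuristic and the sample email bodies are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: hosts X legitimately uses for account notifications.
# A real deployment would maintain this list from the organisation's own allowlist.
LEGITIMATE_HOSTS = {"x.com", "twitter.com"}

# Phishing infrastructure named in the SentinelLabs report (the article prints them
# defanged with "[.]"); written here in matchable form.
KNOWN_BAD_HOSTS = {"securelogins-x.com", "x-recoverysupport.com"}

AMP_CACHE_SUFFIX = ".cdn.ampproject.org"

# Crude URL extractor for plain-text email bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_amp_cache(url):
    """Return the origin host behind a Google AMP Cache URL, or the URL's own host.

    AMP Cache URLs look like https://<origin-with-dashes>.cdn.ampproject.org/c/s/<origin>/<path>
    (the /c/s/ segment marks an https origin, /c/ an http one). Filters that only look at
    the outer host see Google infrastructure, which is why the campaign used it.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(AMP_CACHE_SUFFIX):
        return host
    match = re.match(r"^/c/(?:s/)?([^/]+)", parsed.path)
    return match.group(1).lower() if match else host


def classify_host(host):
    """Label a hostname: known-phishing, legitimate, brand-lookalike or unknown."""
    if host in KNOWN_BAD_HOSTS:
        return "known-phishing"
    if host in LEGITIMATE_HOSTS or any(host.endswith("." + h) for h in LEGITIMATE_HOSTS):
        return "legitimate"
    # Heuristic (constructed): the brand token "x" or "twitter" appears as its own label
    # fragment in a host that is not on the allowlist; route these to human review.
    if re.search(r"(^|[-.])x([-.]|$)|twitter", host):
        return "brand-lookalike"
    return "unknown"


def triage(message):
    """Extract every link in a message and report outer host, real origin and verdict."""
    findings = []
    for url in URL_RE.findall(message):
        outer_host = (urlparse(url).hostname or "").lower()
        origin = unwrap_amp_cache(url)
        findings.append({
            "url": url,
            "outer_host": outer_host,
            "origin": origin,
            "amp_cache": outer_host != origin,   # True when the link was proxied
            "verdict": classify_host(origin),
        })
    return findings


# Constructed sample messages modelled on the lures described in the report.
SAMPLE_EMAILS = [
    # "account login notice" lure pointing straight at campaign infrastructure
    "We noticed a login from a new device. Take steps to protect your account: "
    "https://securelogins-x.com/login",
    # copyright-violation lure with the phishing page proxied through the AMP Cache
    "Your post violates copyright. Review the notice: "
    "https://x-recoverysupport-com.cdn.ampproject.org/c/s/x-recoverysupport.com/appeal",
    # a legitimate notification for comparison
    "Reset your password at https://x.com/settings/password",
]

if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        for finding in triage(body):
            flag = " (AMP Cache proxied)" if finding["amp_cache"] else ""
            print(f"{finding['verdict']:16} origin={finding['origin']}{flag}")
```

The useful part for a mail-security rule is the `amp_cache` flag combined with the unwrapped origin: a notification that claims to come from X but whose real destination is neither on the allowlist nor reachable without a third-party cache deserves quarantine regardless of whether the origin is already on a blocklist.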

Moreover, some of this activity has been linked to an IP associated with a Belize-based virtual private server company named Dataclub. Although the domains used in this campaign were primarily registered through a Turkish hosting provider, Turkticaret, this in itself does not definitively indicate the attackers’ geographical location.

Protect Your Corporate Social Accounts

High-profile X accounts attract cybercriminal attention primarily due to their ability to reach vast audiences, making them effective tools for spreading fraudulent schemes. A notable incident involved security firm Mandiant, which temporarily lost control of its X account to operators of cryptocurrency drainer malware last year.

Researchers highlighted that the crypto sector presents various opportunities for financially motivated threats, allowing for diverse avenues of fraud. “The crypto landscape has long been a mix of irreverence and meme culture, but recent changes have significantly blurred the lines between legitimate projects and scams,” they explained.

To safeguard their X accounts, users are advised to uphold stringent password management practices. This includes maintaining unique passwords, activating two-factor authentication (2FA), and refraining from sharing credentials with third-party applications.

Individuals should remain cautious of unsolicited messages with links pointing to account security alerts or notifications, always verifying URLs prior to clicking them. If password resets are necessary for security reasons, it is crucial that these actions are performed exclusively through the official website or app, rather than through unverified links.

Source: www.darkreading.com
