After Twitter rolled out its $8 Blue subscription service last week, chaos quickly ensued as impersonated accounts flooded the platform, and multinational companies like defense contractor Lockheed Martin and pharmaceutical giant Eli Lilly lost billions of dollars in stock value after their accounts were impersonated.
While some may wonder how all these fake accounts were ready right after the new feature was launched, new research by Cybersixgill reveals that nearly all the ingredients required to build fake Twitter accounts have been easily available on the dark web "for quite some time."
According to Dov Lerner, head of threat intelligence at Cybersixgill, scammers mainly build up fake accounts through account amplification and account takeover. Twitter users can purchase bots on the dark web to inflate their followers and activities, while using a variety of dark web tools and services to compromise Twitter accounts.
Though most social media platforms have this problem, Lerner told SC Media that Twitter faces more threats than others — such as LinkedIn and Facebook — due to its nature as a "public microblog."
"Social networks like Facebook and LinkedIn were designed with the idea that one's account is tied to their name and the purpose is to connect with one's greater social circle. Twitter, however, is by design intended to share thoughts and ideas publicly. Thus, while I consider a Facebook friend request from someone that I don't know to be weird, it is normal to interact with a stranger on Twitter. This makes things easier for scammers," Lerner said.
"Also, Twitter's API is much more open, enabling users to perform Twitter activities in external applications. Facebook, in contrast, is more limited. The differences in how these platforms interact with external applications might make it easier for attackers to create bots for Twitter," he added.
According to the report, Twitter bots interact with the platform to perform large-scale automated account amplification. For example, a bot sold for $100 is advised to perform follows, likes, and retweets automatically. The bot buyer will also receive the source code, which allows them to tinker with it accordingly. Lerner found a post where a buyer wanted to purchase "one million high quality Twitter followers" and received several responses.
For buyers who do not want to grow their accounts, many would buy accounts that have already been cultivated.
These accounts could have been compromised in several ways, and one is through credential stuffing. According to Sherrod DeGrippo, VP of threat research and detection at Proofpoint, there has been a notable increase in Twitter-related phishing campaigns that attempt to steal Twitter credentials after the company made multiple changes, including introduction of the paid verified feature, to the platform.
"The Twitter user base is becoming accustomed to not understanding the new changes to the product as [new features] roll out quickly without full testing. And this creates a mindset perfect for social engineering," DeGrippo explained to SC Media.
Besides credential stuffing, the Cybersixgil research highlights that many Twitter accounts could also have been compromised through endpoints on access markets, which sell information stolen from infected machines.
“Out of over 2,146,000 compromised machines sold on access markets over the last year, a whopping 435,000 (20.3%) included access to a twitter account,” the report notes.
Under Elon Musk's new leadership, Twitter has faced a slew of security challenges amid concern over the company's ability to tackle impostors, misinformation, and data privacy.
Twitter paused its $8 subscription program last Friday in response to the spate of impersonators. Twitter Support tweeted the same day that the team added an “Official” label to some accounts to combat the threat actors.