phishing - Edwind Richzendy Contreras Soto - Flickr
phishing - Edwind Richzendy Contreras Soto - Flickr

Criminals are using the promise of verified accounts on social media to lure users into a credit card phishing scheme.

According to research by Proofpoint, attackers are placing legitimate ads targeting brand managers and influencers with a link to a phishing site purporting to offer account verification. Usually, account verification on social networks such as Twitter, involves multiple verification steps for "accounts of public interest".

The IT security firm said that the promise of a quick verification process is attractive, especially to smaller businesses that potentially lack the resources to meet Twitter's requirements for account verification.

“The ads themselves come from an account that mimics the official Twitter support account, @support. The fraudulent account, @SupportForAll6, uses Twitter branding, logos, colors, etc, to increase the sense of authenticity, despite a very low number of followers and a suspect name,” said Oisin Patenall, social media security analyst at Proofpoint.

He said that a key element of this scam is the use of Twitter-sponsored advertisements, which appear in user feeds without any interaction, need to follow, or direct messaging requirement. After clicking the link, users find themselves taken to a domain titled twitterhelp[.]info.

“The domain name should be a red flag, but otherwise appears legitimate. The page itself also mimics Twitter with color schemes and wording matching that of the official site,” said Patenall.

He said this domain was registered in December and the URL resolves to an IP address previously used for phishing activities. When victims follow the process, a new form appears asking for a variety of personal information including the Twitter username, email address, phone number and, most importantly, the account password.

After a user provides this information, they are met with another form asking for a credit card number and security code for “verification purposes”. The form states that the user will not be charged for this process but the form includes a template for extracting payment information lifted from Github.

“While there is no validation on the form asking for account information, allowing users to submit empty values, this is not the case with the financial information; this cannot be submitted without providing the requested credit card information,” he said.

He added that while the scheme is not especially sophisticated technically, it is an excellent example of how attackers are combining traditional phishing methods, social engineering, and social impersonation to ultimately make money in new ways. 

“While we observed this attack on Twitter, such a scam could be run on any social media platform that implements some form of account verification,” said Patenall.

Gemma Moore, director and penetration tester at Cyberis, told SC Media UK that it is very difficult for the masqueraded organisations to prevent the use of their branding and plausible-sounding domains for attacks of this type.

“Each domain registrar has its own rules about who and in what circumstances domains can be registered, but generally it's not practical for domain registrars to determine which registrations are for legitimate purposes and which may be nefarious,” she said.

She added that the weak link in all social engineering attacks of this nature is the user. 

“The attack profiled by Proofpoint is fairly typical of the more advanced social engineering efforts that are in evidence these days: the delivery mechanism looks legitimate, the ‘hook' uses the correct branding of the target organisation and the bait is very plausible,” Moore added.

David Kennerley, director of Threat Research at Webroot, told SC that fake ads are an industry-wide issue, not just associated to Twitter, whether the rogue ads are for phishing purposes or exploit kit drive-by. “From a security perspective, employee education is again vital and from a technical side, ad-blocking software is now a must.”