SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Phishing campaign targets X accounts for crypto scams

Today

Researchers at SentinelLabs have identified an active phishing campaign targeting high-profile X accounts, aiming to hijack and exploit them for cryptocurrency scams.

This phishing campaign has been found to target a range of individuals and organisations, including U.S. political figures, leading international journalists, an employee at X, large technology firms, cryptocurrency organisations, and owners of valuable, short usernames. "SentinelLabs' analysis links this activity to a similar operation from last year that successfully compromised multiple accounts to spread scam content with financial objectives", according to the research team.

The campaign currently emphasises accounts on the X/Twitter platform. However, the actor involved is not confined to a single social platform and has been seen extending its focus to other popular services with the same financial objectives.

Account compromise occurs when victims are lured by phishing tactics, as described by SentinelLabs. "Thanks to tips from targets and collaboration with industry partners, SentinelLabs has observed a variety of phishing lures tied to this campaign over the past few weeks," researchers said. Classic account login notice phishing, as well as messages themed around copyright violations, are some of the tactics used.

There is also noted abuse of Google's "AMP Cache" domain cdn.ampproject[.]org to bypass email detection systems, ultimately redirecting victims to a phishing domain that masquerades as a legitimate site seeking X account credentials. In cases involving a 'copyright infringement' lure, users encounter a fake Action Needed page followed by requests to input credentials on a false copyright infringement page.
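The AMP Cache abuse described above works because a link on cdn.ampproject.org carries the real destination inside its own URL: the documented cache shape is `https://<origin-with-dashes>.cdn.ampproject.org/c/s/<origin>/<path>`, where `/c/` marks a cached document and `s/` marks an HTTPS origin. A mail gateway can therefore unwrap the link and judge the origin rather than the trusted-looking Google host. The following is an added example, not code from SentinelLabs or from the article; the allowlist, the sample links and the `login-x.example` host are constructed for illustration.

```python
"""Unwrap Google AMP Cache links found in e-mail and classify the real origin.

Added example, not part of the SentinelLabs report or this article.
Assumes the documented AMP Cache URL shape:
    https://<origin-with-dashes>.cdn.ampproject.org/c/s/<origin>/<path>
where '/c/', '/i/', '/r/' name the cached resource type and an 's' segment
means the origin is HTTPS. The cache subdomain is the origin with '-'
doubled to '--' and '.' replaced by '-' (punycode/IDN handling is omitted here).
All hostnames and the allowlist below are constructed placeholders.
"""
from urllib.parse import urlparse

AMP_CACHE_SUFFIX = ".cdn.ampproject.org"

# Constructed allowlist: first-party hosts a gateway would accept behind the cache.
TRUSTED_ORIGINS = {"x.com", "twitter.com", "help.x.com"}


def expected_cache_subdomain(origin):
    """Origin host -> the subdomain the AMP Cache would assign it."""
    return origin.replace("-", "--").replace(".", "-")


def unwrap_amp_cache(url):
    """Return the origin host an AMP Cache URL resolves to, or None if the
    link is not an AMP Cache link (or is malformed)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host.endswith(AMP_CACHE_SUFFIX):
        return None
    parts = parsed.path.lstrip("/").split("/")
    # Expected: ['c', 's', '<origin>', ...] for HTTPS origins, ['c', '<origin>', ...] for HTTP.
    if len(parts) < 2 or parts[0] not in ("c", "i", "r"):
        return None
    rest = parts[1:]
    if rest and rest[0] == "s":
        rest = rest[1:]          # 's' segment => HTTPS origin
    if not rest or not rest[0]:
        return None
    return rest[0].split(":")[0].lower()   # drop any port, normalise case


def classify(url):
    """Verdict for a single link:
    'not-amp'        - does not route through the AMP Cache
    'amp-untrusted'  - cache link whose real origin is not allowlisted
    'amp-mismatch'   - allowlisted origin but cache subdomain does not match it
    'amp-trusted'    - allowlisted origin behind a consistent cache subdomain
    """
    origin = unwrap_amp_cache(url)
    if origin is None:
        return "not-amp"
    if origin not in TRUSTED_ORIGINS:
        return "amp-untrusted"
    host = urlparse(url).hostname or ""
    subdomain = host[: -len(AMP_CACHE_SUFFIX)]
    if subdomain != expected_cache_subdomain(origin):
        return "amp-mismatch"
    return "amp-trusted"


def scan_links(links):
    """Classify every link; returns a list of (url, verdict, unwrapped origin)."""
    return [(u, classify(u), unwrap_amp_cache(u)) for u in links]


# Constructed sample links, as a gateway might extract them from a message body.
SAMPLE_LINKS = [
    "https://help.x.com/en/safety",
    "https://x-com.cdn.ampproject.org/c/s/x.com/i/flow/login",
    "https://login--x-example.cdn.ampproject.org/c/s/login-x.example/account/verify",
    "https://example-com.cdn.ampproject.org/c/s/x.com/i/flow/login",
]

if __name__ == "__main__":
    for url, verdict, origin in scan_links(SAMPLE_LINKS):
        print(f"{verdict:14} origin={origin!s:18} {url}")
```

Anything that comes back `amp-untrusted` or `amp-mismatch` is the case the report describes: a Google-owned hostname in the message, a credential-harvesting origin behind it. Treat the unwrapped origin, not cdn.ampproject.org, as the value to run through reputation and allowlist checks.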

Once an account is compromised, the attacker immediately locks out the authentic owner and starts posting fraudulent cryptocurrency opportunities or links to external websites designed to entice further victims, often centred around cryptocurrency theft themes. This method of commandeering high-profile accounts allows the perpetrators to potentially reach a wider audience, increasing their financial yields.

According to SentinelLabs, the attackers are highly adaptable, "continuously exploring new techniques while maintaining a clear financial motive". Although targeting is specific, tactics vary opportunistically. Earlier public reports have identified similar activity linked to Turkish-speaking actors, based on the language used in the phishing pages. However, this current campaign has not yet been attributed to any specific country or widely tracked threat actor.

SentinelLabs concludes that "the cryptocurrency scam landscape continues to evolve, becoming increasingly difficult to navigate as crypto's popularity grows". This dynamic scenario blurs lines between legitimate projects and scams, as evidenced earlier this year when the X account of the late John McAfee was used to promote a new coin, $AIntivirus, using marketing tactics resembling known scams.

SentinelLabs advises users to secure their X accounts by creating unique passwords, enabling two-factor authentication (2FA), and refraining from sharing credentials with third-party services. There is a caution against interacting with links in unsolicited messages, with a recommendation to verify URLs and rely on official websites or applications for password resets.
