In brief: If there's one thing hackers like to exploit, it's the latest headlines. Following news that Elon Musk plans to charge $20 per month for Twitter's blue-tick verification status, cybercriminals are sending out phishing emails that claim to be part of the new process.
Musk recently announced that, as Twitter's new owner, one of his first tasks is revamping the verification process. According to reports, this will involve making Twitter Blue—the optional $4.99 per month subscription that gives users extra features—more expensive, but it will also verify subscribers. Those already verified will be given 90 days to subscribe or lose their verified status.
The world's richest man has reportedly given Twitter engineers working on the project until November 7 to launch it. If this deadline isn't met, the employees will be fired.
Some scammers are already trying to take advantage of the change by sending phishing emails to verified users claiming they won't have to pay for their blue check mark by confirming they are a "well-known" person.
Zack Whittaker (@zackwhittaker) wrote on Twitter on October 31, 2022: "Twitter's ongoing verification chaos is now a cybersecurity problem. It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials."
There are plenty of giveaways in the email that expose it as a phishing scam. In addition to the unprofessional wording and style, it comes from a Twittercontactcenter@gmail address rather than an official Twitter domain. Still, there will doubtless be some people taken in by it.
TechCrunch writes that clicking the "Provide Information" button takes people to a Google Docs page, which should be another red flag. It contains a link to a Google site, which lets users host web content—it's likely designed to try to avoid Google's phishing detection tools. This page contains an embedded frame from another site where users are asked to submit their account username, password, and phone number.
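As an added example (not code from the article or the reporters it cites), a defender-side triage script that flags the two giveaways described above: a sender that invokes the brand's name but sends from a free-mail provider or a lookalike domain, and lure links that land on free document or site hosting instead of the brand's own domain. The sample headers, URLs and domain lists are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample From headers modelled on the pattern in the article.
SAMPLE_FROM_HEADERS = [
    "Twitter Verification <Twittercontactcenter@gmail.com>",  # brand name, free-mail domain
    "Twitter <verify@twitter.com>",                            # brand's own domain
    "Twitter Support <support@twitter-verify.example>",        # constructed lookalike domain
    "Alice <alice@gmail.com>",                                 # ordinary mail, no brand claim
]

BRAND = "twitter"
OFFICIAL_DOMAINS = {"twitter.com"}                    # assumption: where the brand really sends from
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Free hosting commonly used to stage lure pages (the article describes Docs -> Sites -> iframe).
FREE_HOSTING = {"docs.google.com", "sites.google.com"}


def classify_sender(from_header: str) -> str:
    """Classify a From header as 'ok', 'freemail-brand-impersonation',
    'lookalike-domain' or 'no-brand-claim'."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    claims_brand = BRAND in display.lower() or BRAND in local.lower() or BRAND in domain
    if domain in OFFICIAL_DOMAINS:
        return "ok"
    if not claims_brand:
        return "no-brand-claim"
    if domain in FREEMAIL_DOMAINS:
        return "freemail-brand-impersonation"
    return "lookalike-domain"


def flag_hosted_links(urls):
    """Return the URLs whose host is free hosting rather than the brand's own domain."""
    flagged = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in FREE_HOSTING or (host not in OFFICIAL_DOMAINS and BRAND in host):
            flagged.append(url)
    return flagged


def triage(headers, urls):
    """Summarise verdicts for a batch of headers and the links found in the message body."""
    return {"senders": {h: classify_sender(h) for h in headers},
            "suspicious_links": flag_hosted_links(urls)}
```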
Even if someone has two-factor authentication enabled and avoids having their account compromised, they've still given away personal data, including a password that they might be reusing on other sites.
Google took down the phishing site after TechCrunch alerted the company to it. But expect to see more scams of this type as Musk continues implementing changes at Twitter.