Decoy Dog Malware Upgraded to Include New Features


Decoy Dog uses DNS for C2 and is suspected of being employed in ongoing nation-state cyber-attacks


Scammers Follow the Rebranding of Twitter to X, to Distribute Malware


Authored by: Vallabh Chole and Yerko Grbic

On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as “X”. The news put Twitter and X in the headlines and made them the top trending topics on popular social media platforms.

Scammers pounced on the opportunity, renaming hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” in order to promote scam links under the new X branding.

Figure 1. Twitter-X-themed YouTube Live Stream by scammer

Figure 2. Twitter X Crypto Scam

This type of scam has been active for some time and uses a layered approach to lure victims. To make the scam appear authentic, the attackers first target well-known influencers with sponsorship emails that carry password-stealing malware as attachments. When the stealer executes, the influencer's session cookies (the tokens that keep the browser logged in) are uploaded to attacker-controlled systems, which lets the attacker take over the already-authenticated session without needing the password.

Figure 3. Malware Flow Chart

After an influencer's account has been compromised, the scammers rename the channel, in this case to “Twitter CEO”, and start live-streaming an Elon Musk video on YouTube. They post links to the new scam sites in chat and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions such as “Thanks Mr.Elon”; a search for these terms on Instagram returns thousands of similar posts. Compromised accounts are also used to post videos for software or game applications that are in fact malware masquerading as legitimate software or games. The videos demonstrate how to download and execute files that are common password-stealing malware, distributed through the compromised social media accounts.

Protection with McAfee+:

McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these scam sites with WebAdvisor, which detects malicious websites.

Figure 4. McAfee WebAdvisor detection

Below is a detection heatmap for scam URLs targeting twitter-x and promoting crypto scams.

Figure 5. Scam URL Detection Heatmap

Figure 6. Password stealer Heatmap

Indicators of Compromise:

Scam Site          Crypto Type   Wallet
twitter-x[.]org    ETH           0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org    BTC           1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org    USDT          0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org    DOGE          DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J

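The indicators above are published defanged (`[.]`), so they cannot be matched against logs as written. The following Python is an added example and is not part of the McAfee post: it refangs the scam domain, matches it (including subdomains, but not look-alike names) against a constructed web-proxy log, and checks free text such as chat messages for the published wallet addresses. The ETH and USDT rows share one address (USDT here is the ERC-20 token), so they are listed once. Only the indicators from the table are real; the log format, timestamps and IP addresses are made up for illustration.

```python
import re
from typing import Dict, List

# Indicators as published in the post above, kept defanged exactly as written.
# ETH and USDT share one address (USDT here is the ERC-20 token), so it is listed once.
SCAM_SITES = ["twitter-x[.]org"]
WALLETS = {
    "ETH/USDT": "0xB1706fc3671115432eC9a997F802aC79CD7f378a",
    "BTC": "1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug",
    "DOGE": "DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J",
}

# Constructed sample proxy log in the form "<timestamp> <client_ip> <url>"; not real traffic.
SAMPLE_LOG = [
    "2023-07-25T10:01:02Z 10.0.0.7 https://twitter-x.org/claim",
    "2023-07-25T10:01:09Z 10.0.0.7 https://www.twitter-x.org/claim?ref=yt",
    "2023-07-25T10:02:11Z 10.0.0.9 https://twitter.com/home",
    "2023-07-25T10:03:30Z 10.0.0.12 https://nottwitter-x.org/",
]


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions so the IOC can be compared with live data."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#\s]+)", re.I)


def host_of(url: str) -> str:
    """Extract the lower-cased hostname from a URL or a bare host string."""
    m = _HOST_RE.match(url)
    return m.group(1).lower().rstrip(".") if m else ""


def host_matches(host: str, ioc_domain: str) -> bool:
    """Match the domain itself and any subdomain. A plain substring test would also
    flag unrelated look-alikes such as nottwitter-x.org, so anchor on the label boundary."""
    ioc_domain = ioc_domain.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination host matches a published scam domain."""
    domains = [refang(d) for d in SCAM_SITES]
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the whole sweep
        ts, client, url = parts[0], parts[1], parts[2]
        host = host_of(url)
        for d in domains:
            if host_matches(host, d):
                hits.append({"time": ts, "client": client, "host": host, "ioc": d})
    return hits


def wallets_in(text: str) -> List[str]:
    """Which published wallet addresses appear in free text (chat, video description).
    Ethereum addresses are hex and case-insensitive; BTC and DOGE addresses are
    base58 and case-sensitive, so compare them exactly."""
    found = []
    for label, addr in WALLETS.items():
        if addr.startswith("0x"):
            if addr.lower() in text.lower():
                found.append(label)
        elif addr in text:
            found.append(label)
    return found


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(wallets_in("Thanks Mr.Elon, sent to 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug"))
```

Matching on the hostname rather than on the raw line avoids both missing subdomains (scam operators rotate these freely) and false positives on domains that merely contain the indicator as a substring.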

The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.


Availability Booking Calendar PHP – Stored XSS and Unrestricted File Upload


Posted by Andrey Stoykov on Jul 25

# Exploit Title: Availability Booking Calendar PHP – Multiple Issues
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com

XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>

// HTTP POST request

POST…
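The payload above works because the stored promo code is echoed into a quoted attribute: the leading double quote closes the attribute and the `>` closes the tag, after which a script element is opened. The following Python is an added example and is not code from Availability Booking Calendar PHP or from the advisory's author. It uses a stand-in renderer for the promo-code field shown three ways (echoed raw, escaped without quotes, escaped with quotes) and a small HTML-parser probe that reports whether a script element or an inline event handler made it into the output. The field markup, the render_* names and the second payload are assumptions for illustration; the application's real template is not on the page.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional

# Payload exactly as published in the advisory (straight double quote).
ADVISORY_PAYLOAD = 'TEST"><script>alert(`XSS`)</script>'
# Constructed second payload: it contains no < or >, so it survives a filter that only
# strips tags, and still executes by closing the attribute and adding an event handler.
ATTR_PAYLOAD = 'SAVE10" autofocus onfocus="alert(1)'


def render_vulnerable(promo: str) -> str:
    """Stored promo code echoed straight into an attribute: the bug class the advisory reports.
    (Hypothetical markup; the real template is not on the page.)"""
    return f'<input type="text" name="promo_code" value="{promo}">'


def render_half_fixed(promo: str) -> str:
    """Escapes & < > but leaves quotes alone, so the value can still close the attribute."""
    return f'<input type="text" name="promo_code" value="{html.escape(promo, quote=False)}">'


def render_fixed(promo: str) -> str:
    """Context-aware escaping for a quoted attribute: & < > \" and ' are all encoded."""
    return f'<input type="text" name="promo_code" value="{html.escape(promo, quote=True)}">'


class _Probe(HTMLParser):
    """Tokenises the rendered fragment the way a browser would and records
    anything an attacker could have smuggled in."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers: List[str] = []
        self.promo_value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers.append(name)
            if tag == "input" and name == "value":
                self.promo_value = value  # HTMLParser decodes entities for us


def _probe(rendered: str) -> _Probe:
    p = _Probe()
    p.feed(rendered)
    p.close()
    return p


def injected(rendered: str) -> bool:
    """True if the rendered HTML contains a script element or an inline event handler."""
    p = _probe(rendered)
    return p.script_tags > 0 or bool(p.event_handlers)


def stored_value(rendered: str) -> Optional[str]:
    """The promo code as a browser would read it back out of the value attribute."""
    return _probe(rendered).promo_value


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("half-fixed", render_half_fixed),
                          ("fixed", render_fixed)):
        for payload in (ADVISORY_PAYLOAD, ATTR_PAYLOAD):
            print(f"{label:10} injected={injected(render(payload))!s:5} {render(payload)}")
```

The half-fixed renderer is the interesting case: it defeats the advisory's `<script>` payload but not the attribute-breakout one, which is why output encoding has to match the context (quoted attribute here) rather than just strip angle brackets. With `quote=True` the stored value round-trips unchanged for the user while never escaping the attribute.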


APPLE-SA-2023-07-24-8 watchOS 9.6


Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-8 watchOS 9.6

watchOS 9.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213848.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: Apple Watch Series 4 and later
Impact: An app may be able to execute arbitrary code with kernel…


APPLE-SA-2023-07-24-7 tvOS 16.6


Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-7 tvOS 16.6

tvOS 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213846.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel…


APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9


Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9

macOS Big Sur 11.7.9 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213845.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Assets
Available for: macOS Big Sur
Impact: An app may be able to modify protected parts of the file system…


APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8


Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8

macOS Monterey 12.6.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213844.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Assets
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system…
