Authored by: Vallabh Chole and Yerko Grbic
On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as “X”. The news propelled Twitter and X into the headlines and made them the top trending topics on popular social media platforms.
Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding.
Figure 1. Twitter-X-themed YouTube Live Stream by scammer
Figure 2. Twitter X Crypto Scam
This type of scam has been active for some time and uses an innovative approach to lure victims. To make the scam more authentic, attackers target famous influencers with sponsorship emails that carry password-stealing malware as attachments. When the password-stealing malware is executed, the influencer’s session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems.
Figure 3. Malware Flow Chart
After the influencer’s account has been compromised, the scammer renames the channel, in this case to “Twitter CEO”, and starts live streaming an Elon Musk video on YouTube. They post web links to the new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions such as “Thanks Mr.Elon”. If we search for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software and game applications that are in fact malware masquerading as legitimate software or games. These videos demonstrate how to download and execute the files, which are common password-stealing malware distributed through compromised social media accounts.
Protection with McAfee+:
McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with McAfee WebAdvisor, which detects malicious websites.
Figure 4. McAfee WebAdvisor detection
Below is a detection heatmap for scam URLs targeting twitter-x and promoting crypto scams.
Figure 5. Scam URL Detection Heatmap
Figure 6. Password stealer Heatmap
Indicators of Compromise:

| Scam Site | Crypto Type | Wallet |
| --- | --- | --- |
| twitter-x[.]org | ETH | 0xB1706fc3671115432eC9a997F802aC79CD7f378a |
| twitter-x[.]org | BTC | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug |
| twitter-x[.]org | USDT | 0xB1706fc3671115432eC9a997F802aC79CD7f378a |
| twitter-x[.]org | DOGE | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J |
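As an added example that is not part of the McAfee post, the script below takes the indicators from the table above, refangs the published domain, and scans log lines for the scam domain, the wallet addresses, and the channel-name lures (“twitter-x”, “twitter fund”, “Twitter CEO”) the post describes. The proxy-log and chat lines are constructed for illustration and are not from the post.

```python
import re

# Indicators copied from the post's IoC table, kept in the defanged form published there.
SCAM_DOMAINS = {"twitter-x[.]org"}
WALLETS = {
    "0xB1706fc3671115432eC9a997F802aC79CD7f378a": "ETH/USDT",
    "1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug": "BTC",
    "DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J": "DOGE",
}
# Channel names / lure strings the post reports the scammers using (lower-cased for matching).
LURE_TERMS = ("twitter-x", "twitter fund", "twitter ceo")

# Extracts the host part of any http(s) URL found in a log line.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def refang(indicator):
    """Turn the published 'x[.]y' / hxxp form back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan_line(line):
    """Return (kind, value) pairs for every indicator found in one log or chat line."""
    hits = []
    scam_hosts = {refang(d).lower() for d in SCAM_DOMAINS}
    for host in URL_HOST_RE.findall(line):          # known scam domain in a URL
        if host.lower() in scam_hosts:
            hits.append(("scam_domain", host))
    for addr, chain in WALLETS.items():             # wallet addresses are case-sensitive
        if addr in line:
            hits.append(("wallet_" + chain, addr))
    lower = line.lower()
    for term in LURE_TERMS:                         # renamed-channel / caption lures
        if term in lower:
            hits.append(("lure_term", term))
    return hits


def scan(lines):
    """Scan many lines; returns (line_number, kind, value) triples, 1-based line numbers."""
    return [(n, kind, value) for n, line in enumerate(lines, 1) for kind, value in scan_line(line)]


# Constructed sample input (not real telemetry): two proxy lines and two live-chat lines.
SAMPLE_LINES = [
    "2023-07-24T10:01:12Z proxy user=alice GET https://twitter-x.org/giveaway status=200",
    "2023-07-24T10:02:40Z chat channel='Twitter CEO' msg='Thanks Mr.Elon 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug'",
    "2023-07-24T10:03:05Z proxy user=bob GET https://www.youtube.com/watch?v=abc status=200",
    "2023-07-24T10:04:17Z chat channel='twitter fund' msg='double your USDT 0xB1706fc3671115432eC9a997F802aC79CD7f378a'",
]

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_LINES):
        print(f"line {line_no}: {kind} -> {value}")
```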
The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.