Scammers are peddling compromised and newly created Twitter Gold accounts, resulting in scams and disinformation.
Cybersecurity researchers at CloudSEK have published a white paper titled “Gold Rush on the Dark Web: Threat Actors Target X (formally Twitter) Gold Accounts,” highlighting the rise in scam campaigns surrounding Twitter’s new tiered verification system, Gold accounts, introduced in December 2022.
As per the company, cybercriminals are actively selling compromised Twitter accounts, specifically leveraging accounts with the platform’s prestigious “Gold” verification badge. Contrary to their intended use, these badges are typically reserved for high-profile individuals and businesses.
These badges, displayed alongside the familiar blue and grey ticks, enhance visibility and provide exclusive features. The cost to obtain a gold verification badge is $1,000 per month in the U.S. Unfortunately, this exclusivity also makes these accounts lucrative and prime targets for cybercriminals.
The paper, authored by Rishika Desai, discusses the unauthorized acquisition of Twitter Gold accounts, risks like phishing and disinformation campaigns, and the need for strong cybersecurity practices.
CloudSEK researchers discovered a rise in sales of Twitter Gold accounts with verification on dark web forums and marketplaces. These ads are traced back to online shops and their marketing partners, with most detected using Google Dork.
In a particular case, a compromised Twitter Gold account had its primary domain set as abc.com. The latest post was published in 2019. Afterwards, in 2022, a new post emerged, creating a clear link to the purchase of gold from cybercriminals occurring after 2019.
The new post directed users to an alternate domain, ‘ABC.XYZ,’ established just two months ago. Investigation into the passive DNS resolution by CloudSEK suggested the account can spread disinformation, phishing websites, job scams, and crypto scams. These accounts can also be redirected to malware or embedded Trojans.
Additionally, researchers discovered accounts with a gold tick mark subscribed, posting links to malicious domains. The price distributions varied based on the type of account, with fresh homegrown accounts costing $0.30, blue tick accounts costing $35, older accounts costing $1.5, and converted accounts costing $1200-$2000. Blue and gold affiliates cost $150 and $500 per account, respectively.
Threat actors offer 15 inactive accounts per week for conversion into gold subscriptions, resulting in over 720 accounts annually, with sales ranging from USD 1200 to USD 2000 and gold badges ranging from USD 1200 to USD 2000.
Upon further digging, researchers identified that the compromise methods in this campaign include brute-forcing passwords and malware, while scam tactics include phishing links and disinformation campaigns. All purchases are made through a middleman, ensuring authenticity.
Sellers can boost followers of purchased accounts for as low as USD 135, and buyers can add multiple affiliates for free but must pay USD 50 per affiliate to indicate the sub-account is part or affiliated with the Prime Gold account.
Threat actors often replace unused accounts with their data, preventing the primary user from recovering. Researchers at CloudSEK collected six Twitter Gold-enabled accounts, with followers ranging from 2000 to over 72,000.
The first advertisement for Twitter Gold accounts was traced back to March 2023. The scam indicates that Twitter Gold services are not yet mature enough to handle such incidents, and cybercriminals can become guarantors of deals, creating a huge reseller market behind compromised accounts.
To minimize the risk of the Twitter Gold Buy scam, organizations should close dormant accounts if inactive for an extended period and train and educate employees on workplace cybersecurity practices. They must update password policies, educate them against cracked software, encourage using native password managers instead of web browsers, and install endpoint security software on employee devices to detect malicious software.