Crooks are using the July 15th cyberattack on Twitter to carry out a phishing scam designed to steal the login credentials of unsuspecting users.
Twitter has been embroiled in a string of controversies for the past year or so. Earlier this month, Indian Prime Minister Modi's personal (yet verified) Twitter account was hacked, and in July we saw 130 accounts of high-profile individuals hijacked, with the attackers siphoning large amounts of cryptocurrency from innocent users.
The attack took place after hackers gained access to Twitter's internal tools through a successful phone phishing scam against one of its employees.
Although Twitter brought the incident under control through careful action and responsible disclosure, as shown below, the attack's remnants have come back to haunt the social media giant.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
A couple of days ago, First Look Media's Security Team identified that attackers are reusing the text of Twitter's own response to the incident in phishing emails, in an attempt to compromise the recipients a second time.
A screenshot shared by researchers shows the text of the latest phishing scam against Twitter users:
As can be seen, the second paragraph of the phishing email is almost identical to the official tweet above. If a user is convinced of its legitimacy and follows the “Confirm your identity” prompt, the credentials they enter go straight to the attacker.
As for the technical details, at face value the email appears to originate from “support@auth-skjpwafxqua[.]com”. A closer look at the headers, however, reveals that no such domain exists and that the real sending address is “xvfrtsws[.]outbound-mail[.]sendgrid[.]net”.
This indicates that the third-party email service SendGrid was used instead of attacker-owned servers, which makes such an attack much easier to execute.
Not only does SendGrid's sender reputation help these emails evade spam filters, but its built-in features also let a sender “obfuscate links” and view detailed analytics on how, in this case, the phishing emails are performing.
To put this into perspective for this attack, when the user first clicks the prompt button they are sent to “https://u18115378[.]ct[.]sendgrid[.]net/ls/click?upn=[redacted]”.
That link then redirects to https://t[.]co/bwqATtdYMw?amp=1, which, as the researchers put it, was “ironically” generated with Twitter's own link shortener.
Finally, the chain lands on “https://mobile[.]mobile[.]twittersafes[.]com/login”, the phishing page shown above.
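The two signals described above, the branded From: address versus the SendGrid return path and the redirect chain ending on a Twitter lookalike, are the checks a mail-security triage would automate. The following is an added example, not code from the article or from First Look Media; the message and the hop map are constructed from the indicators quoted in the text, and the hop map stands in for what a sandbox would record.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample built from the indicators quoted in the article, kept in the
# article's defanged "[.]" form; it is not the actual phishing email.
RAW_EMAIL = """Return-Path: <bounce@xvfrtsws[.]outbound-mail[.]sendgrid[.]net>
From: Twitter Support <support@auth-skjpwafxqua[.]com>
Subject: Confirm your identity
Content-Type: text/html

<p>We detected what we believe to be a coordinated social engineering attack.</p>
<a href="https://u18115378[.]ct[.]sendgrid[.]net/ls/click?upn=REDACTED">Confirm your identity</a>
"""
# Constructed hop map reproducing the redirect chain the article describes; a real
# triage would record these hops from a sandbox rather than hard-code them.
REDIRECT_CHAIN = {
    "https://u18115378[.]ct[.]sendgrid[.]net/ls/click?upn=REDACTED": "https://t[.]co/bwqATtdYMw?amp=1",
    "https://t[.]co/bwqATtdYMw?amp=1": "https://mobile[.]mobile[.]twittersafes[.]com/login",
}
LEGIT_TWITTER = ("twitter.com", "t.co")  # brand domains treated as genuine

def refang(text):
    return text.replace("[.]", ".")  # undo defanging so the parsers work

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_lookalike(host):
    # A host that carries the brand name but is not the brand's own domain.
    legit = any(host == d or host.endswith("." + d) for d in LEGIT_TWITTER)
    return "twitter" in host and not legit

def follow(url, chain):
    """Walk a captured hop map; returns every host visited, landing host last."""
    hosts = [host_of(url)]
    while url in chain and host_of(chain[url]) not in hosts:  # stop on unknown hop or loop
        url = chain[url]
        hosts.append(host_of(url))
    return hosts

def triage(raw, chain):
    """Compare the displayed sender with the real origin and trace every link."""
    msg = email.message_from_string(refang(raw))
    chain = {refang(k): refang(v) for k, v in chain.items()}
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    bounce_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    landing = [follow(u, chain)[-1] for u in re.findall(r'href="([^"]+)"', msg.get_payload())]
    return {"from_domain": from_dom, "bounce_domain": bounce_dom,
            "sender_mismatch": from_dom != bounce_dom,  # branded From, third-party origin
            "landing_hosts": landing,
            "lookalike_landing": any(is_lookalike(h) for h in landing)}
```

Both findings together (a From: domain that differs from the Return-Path domain, and a final landing host that imitates the brand) are what should drive the verdict; a SendGrid return path on its own is common for legitimate mail.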
To conclude, this isn't really Twitter's fault, since a phishing campaign can always be run entirely outside the targeted platform. SendGrid and similar email services, however, do need to take action to prevent threat actors from abusing their platforms for such malicious purposes.
Users also need to be on the lookout for such emails. We will continue to update this story if the number of users impacted or other details become known.