Black Market for Blue Checks
On August 15, an alarming email arrived in the inbox of Diana Pearl, a New York-based news editor: someone in Moscow had logged into her verified Twitter account. The message looked familiar to Pearl because it matched Twitter's previous automated correspondence, with its minimal white background, black text and blue links.
Fearing for the security of her account, Pearl clicked the link inside the email, which promised to let her secure the account immediately, and entered her existing password on the following web page in order to update it.
Moments later, a message arrived in a Telegram group. It contained only a screenshot and a link to Pearl's Twitter profile. Three hours later, the admin wrote, "Sold out."
Pearl was the victim of a phishing attack. The email was not from Twitter but from a hacker who had copied the look of the official Twitter message. Pearl was out when the email arrived and decided she couldn't wait until she got home to read it on her computer. The urgent tone of the email also prompted her to respond without checking its details. Had she done so, she would have noticed the garbled sender address, or the fact that the link did not go to the official Twitter URL.
Pearl's account was just one sale in a large and highly lucrative black market for verified Twitter handles. In this particular Telegram group, control of a verified account usually fetches a few hundred dollars, which buyers typically hope to recoup by promoting an NFT scam. Such thefts happen regularly: if the rate of new listings on marketplaces for verified profiles is any indication, dozens of people lose their profiles every day. And despite years of evidence, platforms seem powerless to stop the ongoing trade.
When The Atlantic writer Jacob Stern's account was compromised earlier this year, it was used to trick Moonbirds NFT owners into transferring their tokens to a hacker's wallet. Within hours, the hackers sent out hundreds of tweets with phishing links announcing a new "drop," prompting buyers to hand over cryptocurrency in exchange for fake NFTs, or for nothing at all. MPR News reporter Dana Ferguson's profile was similarly rebranded in August, with everything changed except the username (changing that would have revoked the verification badge), and used to steal KillaBears NFTs. Both cases are linked to the same Telegram group where the accounts were listed for sale.
Some hackers also draw smaller NFT players into their schemes. When California-based author Marisa Wenzke was hacked, her account was used to run a promotional campaign for the group behind the NFT collection "Meta Battlebots," a genuine NFT art project with no apparent affiliated scam. When informed that it was being promoted by the hacked account, the official Meta Battlebots Twitter account replied, "No worries on that." A moment later, it blocked the reporter's account, ending the conversation.
Dipanjan Das, a security researcher at UC Santa Barbara who conducted a detailed study of NFT fraud, says that a verification badge acts as a seal of authenticity, so a scammer with a verified Twitter profile can attract far more attention and have a much greater effect. And by targeting the multi-billion-dollar NFT ecosystem, both the hackers and the buyers or scammers can recoup their costs in a few tweets, before account owners even begin the recovery process.
“In a simple NFT scam, it is very easy for scammers to make hundreds of thousands of dollars,” Haseeb Awan, founder and CEO of secure mobile service provider Afani, told The Verge. "Even if one in 10 attempts succeeds, that's a lot of money."
Previously, blue-check Twitter theft was both rare and coordinated, traded largely on exchanges and marketplaces such as Oghu.g. But with rising demand for verified accounts for NFT promotions and scams, hackers have turned to more accessible channels such as Telegram to reach a wider audience. And the way hackers break in is easier than you might think.
Most of the hackers behind the blue-check Twitter theft rely on an attack called "credential stuffing," according to conversations The Verge had with several current and former hackers who requested anonymity for fear of pushback in the security community.
In a credential stuffing attack, hackers begin with a vast leaked database of username and password combinations, which are no longer hard to come by thanks to the rise of massive breaches. Intruders feed those username-and-password pairs into Twitter's login form and list the successful hits for sale in their groups.
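The same pattern is what a defender can look for on the login side: one source address trying many different usernames in a short window, almost all of them failing. The following is an added example, not code from the article or from Twitter; it runs a simple sliding-window detector over constructed log lines and reports which accounts the stuffing source actually got into, since those are the ones to lock and re-verify before they turn up for sale. The log format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Fields: timestamp src_ip user result.
# 203.0.113.7 walks a leaked list (many usernames, mostly failing); 198.51.100.9 is
# one user mistyping her own password and must not be flagged.
SAMPLE_LOG = """\
2022-08-15T10:00:01 203.0.113.7 alice FAIL
2022-08-15T10:00:02 203.0.113.7 bob FAIL
2022-08-15T10:00:02 203.0.113.7 carol FAIL
2022-08-15T10:00:03 203.0.113.7 dave OK
2022-08-15T10:00:03 203.0.113.7 erin FAIL
2022-08-15T10:00:04 203.0.113.7 frank FAIL
2022-08-15T10:00:05 203.0.113.7 grace FAIL
2022-08-15T10:00:05 203.0.113.7 heidi FAIL
2022-08-15T10:00:06 203.0.113.7 ivan FAIL
2022-08-15T10:00:06 203.0.113.7 judy FAIL
2022-08-15T10:00:07 203.0.113.7 oscar OK
2022-08-15T10:05:00 198.51.100.9 alice FAIL
2022-08-15T10:05:40 198.51.100.9 alice OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=10, max_rate=0.5):
    """Flag source IPs that try >= min_users distinct accounts inside one sliding
    window with a success rate <= max_rate; report which accounts they got into."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # sort by timestamp so the window slides in order
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than window
                start += 1
            span = evs[start:end + 1]
            users = {user for _, _, user, _ in span}
            hits = sorted({user for _, _, user, ok in span if ok})
            if len(users) >= min_users and len(hits) / len(users) <= max_rate:
                alerts[ip] = {"distinct_users": len(users), "compromised": hits}
    return alerts
```

Calling `detect_stuffing(parse(SAMPLE_LOG))` flags only 203.0.113.7, with `dave` and `oscar` as the accounts it logged into; the single user retrying her own password is left alone.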