Fake Security Notifications Impersonates Twitter in Attempt to Steal Login Credentials
Threat actors are using fake Twitter security notifications in an attempt to steal login credentials. The attack is targeted and focused on highly valuable Twitter accounts. Links in the phishing emails contain links to steal user login credentials, says a report by cyber security researchers at Abnormal Security.
This phishing email masquerades as an automated security notification from Twitter. It instills a sense in the target making them think their account is in jeopardy. They are convinced they must act immediately (without thinking) of urgency to protect account security. The phishing email contains a credential phishing link that redirects the user twice – eventually to a fake Twitter branded web page. The email body even has a section giving advice on how to tell if a notification is authentic.
Typically threat actors try to disguise malicious emails with messaging and logos taken from the real sites they are trying to impersonate. Often it can be very difficult to tell an authentic security notification from a fake version. Links in phishing emails are usually disguised with link shorteners to hide the true destination web page from the reader. Link shorteners can also help a phishing email get past spam filters
Phishing for corporate social media account is up 60 percent in the past two months. Instagram, Facebook, and Twitter have all been used to target corporate social media accounts that are valuable to brands and businesses. One way to help detect a phishing email is to look very, very closely at the sender’s email address. It may be sent from an email that is using a domain name that is incredibly close to a real website or social media channel. Sometimes is very difficult to see minor differences in email sender names. For example, the letter “i” in Twitter was replaced with a lower-case “L. – in a domain name so the hacker could send emails using the address of “Twltter” rather than the legitimate “Twitter in a previous attack”
“This attack is highly sophisticated and unique as it targets a specific individual in this organization. This type of attack has not been seen anywhere else, and the domain of the payload link was not flagged as malicious by many search engines,” says Abnormal Security.
In this cyber attack, hackers send the recipient a phishing email warning the target that there was an unauthorized login to their Twitter account. The messaging in the email tells the recipient they must click on the link in the email to login and protect their account. Links in phishing emails, malicious web pages, and on social media con be hidden in a number of ways. Images, URLs, and text can all be used to disguise harmful links.
This phishing email s especially crafty because the link is is disguised with text and redirects the reader twice. The body of the email is audacious enough to advise the reader on how to detect a fake email. It was also targeted at a specific individual.
“By impersonating a security notification email, the attacker gains a sense of credibility to the user because, by notifying the recipient of a case of a “bad” login, the recipient believes the email to be “good”. The section of the email “How do I know an email is from Twitter?” is crafted by the attacker in an attempt to legitimize this attack to further fool the target,” says Abnormal Security
Like many malicious websites and spoof web pages, the notification emails use Twitter branding to trick the recipient into thinking the email is legitimate. Read our guide on how to spot a phishing email.