A new phishing campaign analyzed by the security provider Abnormal Security shows how the attackers are taking advantage of Twitter users to steal account credentials.
Described in a recent blog post from Abnormal Security, this attack was aimed toward a specific person who works at an organization that heavily uses Twitter. The goal was to alarm this individual with an urgent security notification in an attempt to obtain their Twitter password.
Using the Twitter brand name and logo, the initial email itself impersonated a Twitter security alert by claiming that the recipient’s account was used to log into a different device in a different location, specifically a Windows 7 computer in Canada.
The email states that if this login came from the recipient, there’s no need to take any action. But the attackers likely realized that the device or location would raise a red flag. In that event, the user was urged to click a link to confirm their account.
The link itself is obfuscated with text and leads to a couple of redirects if clicked. The first redirect goes to a site hosted on a dynamic DNS service, while the second redirect takes the user to a recently registered anonymous domain masquerading as the Twitter landing page. Both the domain and landing page contain the Twitter brand name. Of course, if the recipient takes the bait, their Twitter credentials fall into the hands of the attackers who will use them to compromise the person’s account.
This type of attack is designed to succeed on a few levels. First, the security notification tries to convince the recipient that there’s been malicious activity on their Twitter account. The attackers are gambling on a sense of fear to prompt the user into taking quick action. Second, the link is concealed with text, so the recipient is more likely to click on it without realizing that it takes them to a phony login page.
Third, the email contains a section called “How do I know an email is from Twitter?” to lend even greater legitimacy to itself. Fourth, both the email and fake landing page look like they would come from Twitter with the familiar brand name and logo. Finally, the attack is highly targeted. Abnormal Security discovered it deployed against a specific person, thereby avoiding a mass or bulk phishing campaign that might otherwise be blocked by a security gateway.