Are High-Profile X Accounts the New Hotspot for Cryptocurrency Fraud?

An active phishing campaign primarily focused on compromising high-profile X accounts like those of journalists, political figures, and even an X employee has recently come to light, spotlighting a worrying trend toward cryptocurrency fraud. Uncovered by researchers at SentinelLabs, this campaign is most prolific on the social media platform X, but its effects are felt far beyond this space. The primary objective is to exploit the extensive reach of these influential accounts, including those within technology and cryptocurrency organizations, as well as those with coveted short usernames, to push crypto scams and achieve financial gain.

Once attackers gain control of a high-profile account, they quickly lock out the legitimate owner and start posting fraudulent cryptocurrency offers or links to external phishing sites. These deceptive links often lure additional targets, promising potential rewards tied to cryptocurrency. By capitalizing on themes related to crypto theft, threat actors maximize the potential for financial gains by reaching a broader audience of secondary victims. This practice isn’t entirely new; cybercriminals used a similar tactic during the 2020 celebrity Twitter account breaches, which saw many high-profile accounts compromised to promote crypto scams.

The Mechanics of the Phishing Campaign

Targeting High-Profile Accounts

Researchers have drawn parallels between this newly discovered phishing campaign and another from the previous year that compromised accounts such as the Linus Tech Tips X account. Similar infrastructure and comparable phishing messages were noted in both campaigns, leading to speculation that the same threat actor could be behind both attacks. Despite this, the geographical origin and specific identity of the perpetrators remain elusive.

The phishing lures employed in this campaign are diverse. One of the most common methods involves sending a classic account login notice via email, which informs the recipient that someone has accessed their account from a new device. The email contains a link that purports to secure the account, but it actually leads to a phishing site designed to harvest X credentials. Another popular tactic involves emails with a copyright violation theme, redirecting users to phishing pages requesting their X credentials. In recent cases, phishing pages have even abused Google’s “AMP Cache” domain to appear legitimate to email filters, complicating efforts to detect and counter these attacks.

Infrastructure and Techniques

The campaign’s supporting infrastructure showcases the threat actor’s adaptability and clear financial motivation. Recent activities have utilized domains such as securelogins-x[.]com for sending emails and x-recoverysupport[.]com for hosting phishing pages, indicating a degree of informality in their infrastructure management. Some activities were linked to an IP address associated with a Belize-based VPS service called Dataclub, and several domains were registered through the Turkish hosting provider Turkticaret. Nevertheless, these pieces of evidence do not conclusively establish that the attackers are based in Turkey.
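The lures above hide a lookalike host either in plain sight or behind a Google AMP Cache wrapper. The following is an added example (not from the article or from SentinelLabs) showing how a mail filter can unwrap AMP Cache URLs before judging the destination host; the sample email lines are constructed, the two defanged domains are the ones named above, and the allowlist of legitimate X hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Assumption: the only hosts a genuine X account alert should link to.
LEGIT_HOSTS = {"x.com", "twitter.com"}
AMP_CDN_SUFFIX = ".cdn.ampproject.org"
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+")

def refang(url: str) -> str:
    """Turn a defanged indicator like hxxps://a[.]b back into a parsable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def unwrap_amp(url: str) -> str:
    """Return the origin URL behind a Google AMP Cache wrapper.
    Handles https://www.google.com/amp/s/<host>/<path> and
    https://<host-dashed>.cdn.ampproject.org/c/s/<host>/<path>;
    any other URL is returned unchanged."""
    p = urlparse(url)
    host, path = (p.hostname or "").lower(), p.path
    if host in ("www.google.com", "google.com") and path.startswith("/amp/"):
        inner = path[len("/amp/"):]
    elif host.endswith(AMP_CDN_SUFFIX) and path.startswith("/c/"):
        inner = path[len("/c/"):]
    else:
        return url
    secure = inner.startswith("s/")          # "s/" marks an https origin
    inner = inner[2:] if secure else inner
    return ("https://" if secure else "http://") + inner

def classify(url: str) -> str:
    """'legit', 'lookalike' (X/Twitter brand word in a foreign host) or 'unknown'."""
    host = (urlparse(unwrap_amp(refang(url))).hostname or "").lower()
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return "legit"
    if re.search(r"(^|[.-])x([.-]|$)|twitter", host):
        return "lookalike"
    return "unknown"

def scan_email(body: str) -> list:
    """Every URL in the message body paired with its verdict."""
    return [(u, classify(u)) for u in URL_RE.findall(body)]

# Constructed sample of a "new login" notice with three links.
SAMPLE = """Someone signed in from a new device.
Secure your account: hxxps://securelogins-x[.]com/login
Review activity: https://www.google.com/amp/s/x-recoverysupport.com/verify
Help center: https://x.com/settings"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE):
        print(f"{verdict:9} {url}")
```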

High-profile X accounts present attractive targets due to their substantial reach, effectively amplifying fraudulent activities, particularly cryptocurrency scams. Notable incidents include the security firm Mandiant temporarily losing control of its X account to operators deploying cryptocurrency drainer malware. The lucrative aspect of cryptocurrency provides numerous opportunities for profit and fraud, with recent events blurring the lines between legitimate projects and scams, further complicating the task of distinguishing between genuine and fraudulent activities.

Protecting High-Profile Accounts

Best Practices for Account Security

To mitigate the risks posed by such phishing campaigns, users are advised to follow robust security practices. Good password hygiene is paramount; this includes using strong, unique passwords for each account. Enabling two-factor authentication (2FA) provides an additional layer of security. It is crucial to avoid sharing passwords or other credentials with third-party services. Users should remain cautious of messages containing links to account alerts or security notices, always verifying URLs before clicking. Initiating password resets should be done directly through the official website or app rather than through unsolicited links to maintain security.
