A number of high-profile, verified Twitter accounts, including those of retail giant Target and The Body Shop, were hacked in what appears to be a coordinated campaign to promote yet another iteration of the now-ubiquitous crypto giveaway scam. Social media users flagged a series of tweets from verified Twitter handles endorsing the bitcoin giveaway, as the cybercriminals behind the long-running scam launched their latest effort to take advantage of less savvy Twitter users.
Target acknowledged the scam after regaining control of its account and deleting the unauthorized tweets.
Early this morning, our Twitter account was inappropriately accessed. The access lasted for approx. half an hour & one fake tweet was posted during that time about a bitcoin scam. We have regained control of the account, are in close contact with Twitter & are investigating now.
— Target⁷ (@Target) November 13, 2018
A New Twist on an Old Scam
Screenshots taken before the tweets were taken down show that a promoted tweet from the official Target account announced a giveaway of 5,000 BTC to the account’s followers.
Like many similar scam messages posted in the past, it was written in poor English with a distinct lack of adverbs and pronouns, indicating that the hackers are not native English speakers. The key difference in this iteration of the scam is that a substantial number of verified Twitter handles were enlisted to reply to the tweet, lending it a measure of legitimacy by association.
To this end, more than five verified, high-profile accounts, including those belonging to the Toledo Rockets, The Body Shop, Universal Music Czech Republic, the Agriculture and Horticulture Development Board (AHDB), and even UNHCR Serbia, were compromised and could be seen posting replies to the scam tweet in the customary faux-enthusiastic manner employed by the ubiquitous Twitter scam botnet.
— Real Clear Paki (@RealClearPaki) November 13, 2018
It remains unclear how the hackers were able to compromise so many verified accounts at once; prior examples of such hacks have only succeeded in taking over one or two at a time. Previous attempts at hijacking high-profile Twitter accounts have mostly revolved around cloning the accounts rather than directly attacking and taking them over.
Amidst the confusion generated by the tweet and the verified accounts responding to it, hackers also compromised the Cap Gemini Australia Twitter account, replacing the global consulting firm’s name with “Elon Musk” and posting a similar message advertising a purported crypto giveaway from the Tesla founder.
Using a crude mix of semi-factual information (Musk is indeed stepping aside, but as chairman of Tesla, not “Director”) and the psychological weight of a prominent name next to Twitter’s verification tick, the cybercriminals aim to isolate the most gullible marks, those most likely to fall for a scam that looks transparently obvious to more savvy users. This strategy has previously been described as a tactic used by email scammers to thin out the field: removing false-positive targets and isolating those least likely to carry out basic due diligence.