A little over 18,000 Twitter users looking for a way to get their accounts verified have been duped by a single fake account promising to provide the service into visiting a phishing page.
How many of them actually went through the steps required is unknown, but according to Malwarebytes' Chris Boyd, this wasn't the only account of this kind to be suspended recently, and there are sure to be others popping up.
The account in question successfully impersonated Twitter's official "Verified Account" account. The phishers used the same name and icon but, of course, couldn't get the blue badge with a check mark next to the username. Users who fell for the scheme were first asked to fill out a form with their username, email address, number of followers, the reason why they want their accounts to be verified and, finally, the password for the account. Next they were asked to pay the "verification fee", and in order to do that, they had to share their payment card number, expiration date, CVV code, name, full address, phone number, and an email account to receive the confirmation.
"There’s no way to know how many people completed all of the steps, but there’s potential here for the scammers to have made off with quite the haul of stolen accounts and pilfered payment credentials," says the security expert. "Note that the so-called payment page doesn’t have a secured connection either, so if a third party happened to be snooping traffic and you were on an insecure connection there’d now be two people running around with your information instead of just one," says Boyd.
This attempt just goes to show that there is no limit to phishers' creativity: they will always find an angle that allows them to dupe inexperienced users. In this particular case, it is no secret that Twitter does not accept applications for verification and that, if an account is eligible, Twitter reaches out to the user itself; less tech-savvy users, however, often believe that there is a way around the rules and functionalities set up by online services and social networks. Evidence of this can be found in the repeated Facebook scam and phishing attempts offering users a way to see who checks their profile or to change the colour of their account page.