A little over 18,000 Twitter users looking for a way to get their accounts verified have been duped by a single fake account promising to provide the service into visiting a phishing page.
How many of them actually went through the steps required is unknown, but according to Malwarebytes' Chris Boyd, this wasn't the only account of this kind to be suspended recently, and there are sure to be others popping up.
The account in question successfully impersonated Twitter's official "Verified Account" account. The phishers used the same name and icon but, of course, couldn't get the blue badge with a check mark next to the username. Users who fell for the scheme were first asked to fill out a form with their username, email address, number of followers, the reason why they want their accounts to be verified and, finally, the password for the account. Next they were asked to pay the "verification fee", and in order to do that, they had to share their payment card number, expiration date, CVV code, name, full address, phone number, and an email account to receive the confirmation.
"There’s no way to know how many people completed all of the steps, but there’s potential here for the scammers to have made off with quite the haul of stolen accounts and pilfered payment credentials," says security expert. "Note that the so-called payment page doesn’t have a secured connection either, so if a third party happened to be snooping traffic and you were on an insecure connection there’d now be two people running around with your information instead of just one," says Boyd.
This attempt just goes to show that there is no limit to phishers' creativity - they will always find an angle that will allow them to dupe inexperienced users. In this particular case, the fact that Twitter does not accept applications for verification and that if an account is eligible, they reach out to the user themselves is not a secret, but less tech-savvy users often believe that there is a way around rules and functionalities set up by online services and social networks. Evidence of this can be found in the repeated Facebook scam and phishing attempts offering users a way to see who checks their profile or to change the colour of their account page.
You may create 3 PIN codes in secure messenger SafeUM. The first PIN provides full access to the application and all its features. The second PIN hides secret conversations and confidential data. The third PIN deactivates the account without any possible recovery. This feature is designed for emergency situations and allows you to make sure that no third parties get access to your personal information. How can users ignore such protections? They may not specify the second and third PIN codes.
Passwords...
The Internet is full of such examples. Of course, there are some options that can’t be ignored by careless users:
- it is impossible to make unencrypted audio and video calls in SafeUM;
- hackers won’t get SafeUM users’ encryption keys: the keys are stored on the device only. Our Front-end servers have no hard drives. All information is stored in the servers RAM;
- you will get a notice if someone tries to access your account.
SafeUM team wants to protect your data.
