Cybercrooks have increased the number of new or stolen Gold checkmarked accounts from the X/Twitter platform offered for sale; they are a valuable way for threat actors to push links to malware on the social media site through what users will see as a post from a trusted source.
There has been a surge of dark web posts selling accounts with X/Twitter Gold verification., say researchers at Singapore-based CloudSEK. A “strikingly similar series of advertisements” was also seen in channels on the Telegram messaging site, the report adds.
X/Twitter offers users the ability to buy Gold, Blue and Grey tickmarks for a monthly fee, to enhance the credibility of their brands. Grey checkmarks have been set aside for NGOs and government bodies.
Some of the Gold accounts being sold on the dark web are new, allowing a threat actor buying one to change its name to one similar to a brand and impersonate the company or individual. Others once were controlled by individuals or companies but have been taken over by brute-force login attacks.
Prices range from an average of 30 cents for a new account to $2,000 for an aged account converted into Gold (all prices in U.S. currency). Prices go up depending on the number of followers of an existing and stolen account.
The sale on the dark web of Gold accounts has been going on since last March. CloudSEK says the number of shops and service providers today offering them “is humongous.” Most can be detected by running simple Google Dork queries.
The researchers worry that with the increase in availability on the dark web of Gold accounts, a huge wave of phishing or disinformation attacks will soon follow.
Usually buyers have access to an account for 30 days, which is the standard duration of X/Twitter Gold subscriptions.
The damage a stolen or fabricated Gold account can do is tremendous. The report gives as an example the September 2023 takeover of an account of the co-founder of the Ethereum digital currency. The hacker exploited his large following by posting a deceptive message
offering free non-fungible tokens (NFTs) to unsuspecting users. The malicious link embedded in the tweet directed users to a fake website that could drain cryptocurrency from their wallets. Despite being active for about 20 minutes, the hackers managed to siphon off US$691,000 in digital assets before removing the fraudulent post.
The most common targets are X/Twitter accounts of organizations, created before 2022, that have not been used in a while or have been abandoned. Hackers will try to brute force the account, and, if successful, change the recovery email and contact details so the original owner can’t regain control. Then the account is converted to Gold depending on the ask by buyers.
Another tactic of hackers is to gather Twitter-based logins from information stealer malware. These logins are then validated using configs and brute force methods that will provide a positive response for working accounts. Then, on hacker advertising forums and websites, threat actors announce the account for sale, convert it into Twitter Gold, and sell it for as low as US$800.
Organizations can avoid their X/Twitter accounts from being abused by ensuring dormant accounts are closed if they have been inactive for an extended period, the report says. To ensure login credentials aren’t stolen, organizations have to enforce best password protection practices. Monitoring the organization’s feed for signs of X/Twitter hacking, including fake profiles, unauthorized product listings, misleading advertisements, and malicious content is also vital.
