Life

There’s A Twitter Verification Phishing Scam Going Around — And It’s SUPER Hard To Spot

Jan. 9, 2018

If you happened to see a Promoted Tweet on your Twitter timeline over the weekend purporting to help you get verified on the social media platform, I really, really hope you didn’t click the link included in it — because it was actually a Twitter verification scam. The links included in those Promoted Tweets took users to phishing websites, encouraging them to give up valuable information ranging from passwords to credit card numbers and billing information. The good news is that the danger is over for now; the bad news, however, is that this likely isn’t the last time we’ll see a scam like this making the rounds. (When reached for comment, a spokesperson for Twitter told Bustle that the company doesn’t comment on individual accounts for privacy and security reasons; however, the company is aware that groups exist who aim to misrepresent the verification process and are actively working to curb the issue.)

The scam took the form of Promoted Tweets coming from at least two different accounts, which BuzzFeed reports as having run on Jan. 5 and Jan. 7. The tweets promised to verify Twitter users who visited a variety of websites with similar URLS, including verifiedreview.today and verifiedreview.online. If people went to those sites, they’d be presented with fields asking for their Twitter passwords, phone numbers, credit card information, and billing address —all of which should have set off alarm bells for savvy Twitter users.

I spotted one of the scam tweets on my timeline over the weekend and immediately thought, “Yep, that’s a scam”; I honestly didn’t realize it was so widespread, though, so I didn’t bother to take a screenshot of it. (Hindsight really is 20/20.) Luckily, though, other folks did, including tech writer Mike Wehner. Here’s what one of the scam tweets — which came from an account that dressed itself up to look like an official account run by Twitter itself — looked like, along with a few screenshots of the phishing website it tried to trick people into using:

And here’s what a second scam tweet — this time geared towards appearing like it came from an actual person — looked like:

The blue check mark that indicates a Twitter account has been verified “lets people know that an account of public interest is authentic,” according to Twitter’s help center — that is, it exists primarily to prevent general confusion and outright impersonation. You might find that little blue check on a wide variety of accounts, including those maintained by businesses or by key figures in the entertainment industry, in fashion, in politics, in media, or in sports. (Full disclosure: I’m verified. I honestly don’t know how or why it happened, but it did at one point a few years ago, and, well… here we are.)

But although its function is meant to be practical, Twitter verification has also become something of a status symbol — and adding to the mystique is the fact that no one really knows exactly why some accounts get verified and others don’t. Sure, you can apply for verification — but accounts that apply are often rejected, even when it seems like they should be verified, and many accounts that probably never should have been verified in the first place have ended up with that coveted blue check next to their usernames.

As such, it’s easy to see how this particular scam could takeoff: It preys on the desire for that status symbol. But — repeat after me — any site that solicits your password, credit card number, or other sensitive info for something like Twitter verification is inherently suspicious. When in doubt, confirm it with the company itself by communicating with them through their official channels — and, honestly, you should probably just expect to be in doubt about anything of this nature as your default setting. Especially since we’ve seen this kind of scam several times before.

Phishing is a very clear violation of the Twitter Rules; Twitter’s help page on the Rules list malware and phishing as activities for which accounts might be “temporarily locked or subject to permanent suspension,” expressly saying, “You may not publish or link to malicious content intended to damage or disrupt another person’s browser or computer or to compromise a person’s privacy.” As such, it’s surprising that both of the Twitter accounts that featured the scam tweets have been shut down. Going to the main page of @SuggestedTweet5 — the one that tried to pass itself off as “official” — now brings you to an “Account suspended” page now, while @TweetsNews80 — the one posing as a person — seems to have been deleted.

Screenshot/Twitter

The phishing sites themselves to which the scam tweets linked have also been taken offline. I actually found that the first line of defense for that site was my browser; when I went to verifiedreview.today, verified review.online,and various other iterations of the URL this morning to confirm their offline status, Chrome helpfully displayed the following page instead:

Screenshot/Chrome

Clicking on “More Details” brings up some additional textreading, “Google Safe Browsing recently detected phishing on verifiedreview.today. Phishing sites pretend to be other websites to trick you.”It then gives you the option to report a detection problem, or—“if you understand the risks to your security” — to visit the site in question. Clicking through to view the site now just brings you to your basic “This site can’t be reached” page.

However, the thing that many Twitter users who spotted the scam have found to be the most troubling is the fact that the scam was executed through Promoted Tweets — one of the forms of paid advertising Twitter offers. Described by Twitter as “ordinary Tweets purchased by advertisers who want to reach a wider group of users or to spark engagement from their existing followers,” Promoted Tweets are always labelled as such in users’ timelines; beyond that,though, they “act just like regular Tweets and can be retweeted, replied to, liked, and more.”

A “Promoted” label appears to give a tweet a certain air of legitimacy to the casual user; however, that’s not actually the case. A tweet being Promoted doesn’t mean it’s any more legitimate than any other tweet — it just means that someone, somewhere paid to have it pushed to more people. It’s an option anyone can exercise; indeed, turning regular tweets into Promoted Tweets just takes a few clicks, so it’s not hard to see how a scammer could easily take advantage of the process.

The issue, some users say, is that scam tweets like the two that just made the rounds seem to have gotten through that process without being flagged. And, yeah, that's a problem. And it's one that people have exploited before, and will continue to exploit until we finally solve it.

If anything, though, we — and our social media platforms — canat least learn from the experience whenever these kinds of scams pop up: Users can learn not to click on anything hand over information to anyone without thoroughly vetting it first, and platforms can design filters or put other systems into place to prevent the scams from seeing the light of day in the first place.

In the meantime, though, here’s your reminder that verification is ultimately like winning Whose Line Is It, Anyway?: Everything is made up and the points don’t matter. Whether you’re verified or not doesn’t determine your — or anyone else’s — worth. And that’s fine.