Crypto scammers abuse X 'feature' to impersonate high-profile accounts

Trending 2 months ago

Cryptocurrency falling

Cryptocurrency scammers are abusing a morganatic X "feature" to beforehand scams, clone giveaways, and fraudulent Telegram channels utilized to bargain your crypto and NFTs.

On X, formerly Twitter, a post's URL consists of nan relationship sanction of nan personification who tweeted it and a position ID, arsenic shown below.[account_name]/status/[status_id]

The website uses nan position ID to find what station should beryllium loaded from nan site's database, not bothering to cheque if nan relationship sanction is valid.

This allows you to return an URL for a Tweet and modify nan relationship sanction to immoderate you want, moreover high-profile accounts. When visiting nan URL, nan website simply redirects you to nan correct URL associated pinch nan ID.

For example, looks for illustration a morganatic station from our @bleepincomputer X account. However, clicking connected it takes you to a station from Elon Musk, arsenic nan ID is associated pinch 1 of his tweets.

BleepingComputer antecedently reported connected this characteristic successful 2019, erstwhile information interrogator Davy Wybiral expressed concerns that the feature could beryllium utilized for phishing. However, astatine that time, it was not abused successful phishing attacks.

Crypto scams abusing "feature"

Security researcher MalwareHunterTeam has told BleepingComputer that scammers person begun using this redirect mechanism for nan past 2 weeks if not longer, to create URLs that look for illustration they beryllium to legitimate, well-known organizations.

All of nan impersonated organizations seen by BleepingComputer are crypto-related accounts, specified arsenic Binance (11 cardinal followers), nan Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million).

Example X redirect crypto scamsExample X redirect crypto scams
Source: BleepingComputer

While nan supra look for illustration tweets from Binance, Ethereum, and zkSync, they alternatively redirected to an unrelated X user's tweets promoting crypto scams. BleepingComputer observed tweets promoting clone crypto giveaways, websites that utilize wallet drainers, and Discord channels promoting pump-and-dumps.

The clone zkSync tweet led to a page impersonating nan institution and promoting a website that nan X organization says is simply a crypto drainer, meaning that erstwhile you link your wallet, it automatically steals each crypto assets and NFTs.

Crypto scam connected XCrypto scam connected X
Source: BleepingComputer

Almost each accounts seen by BleepingComputer abusing this characteristic to beforehand crypto scam posts usage an relationship sanction successful nan format of name+5 digits, specified arsenic @amanda_car16095. 

It is imaginable to select retired immoderate of these tweets by enabling nan Quality Filter under Settings > Notifications > Filters. However, you tally nan consequence of tweets you wish to spot being filtered incorrectly.

X Quality FilterX Quality Filter
Source: BleepingComputer

Most users should instantly beryllium capable to spot a scam tweet by seeing that nan relationship is different than what was successful nan URL. However, some, for illustration nan zkSync URL, whitethorn beryllium missed arsenic nan scammer created an relationship pinch nan institution successful their personification name.

Furthermore, opening these links connected mobile tin beryllium a spot much confusing, arsenic nan app does not show an reside bar, and you simply spot nan post. For many, it could beryllium perceived that a institution for illustration Binance promoted it, making it look much legitimate.

As this redirect is simply a modular characteristic of Twitter, we will apt not spot it changed to make it much secure. That intends if you click connected an X link, you should return a speedy look astatine your reside barroom (if available) to guarantee you are visiting that person's tweet and person not been redirected.