A new social media phishing scam has been uncovered in which hackers pose as customer support accounts on Twitter in an effort to lure victims to phishing sites. The scammers use a social engineering tactic of surreptitiously inserting themselves into a conversation users are having with a legitimate customer support account on Twitter, eventually stealing their login credentials and account details.
According to Malwarebytes, the hackers behind the scam are "going after" NatWest bank logins. "This was a particularly clever scamming technique back in 2014, and it remains as slick as ever in 2016," said Christopher Boyd, malware intelligence analyst at Malwarebytes.
How are victims lured in by the scam?
The scammers create an "imitation account of a real support channel" on Twitter and then engage with potential victims by sneaking into conversations between legitimate business accounts and their clients. "Smart scammers would replicate avatars, Twitter handles, and any other key identifiers as much as possible. If they want to go one step further, they'll see when a support account stops Tweeting (perhaps they're all in bed / off duty) and send their spam during those hours," adds Boyd.
The hackers then offer help to the unsuspecting Twitter users and redirect them to a phishing site. In one particular instance, when a user tweeted a request to the official NatWest account, the scammers posing as NatWest support jumped right in to take over the conversation. They prompted the user to click through to a phishing site ("natwestonline-resolutioncenter(dot)16mb(dot)com"), which, according to Bitly stats, had already racked up 18 clicks. The malicious site asks users to enter their login details in an effort to steal their credentials.
How to stay safe?
Users are advised to always proceed with caution when engaging in conversations on social media. Boyd notes that customer support accounts of legitimate businesses on Twitter generally carry a blue verified tick, which indicates that the account is run by the business itself and can be trusted. It is also wise to check how many followers the support account has, as legitimate accounts generally have quite a few followers, unlike scam accounts.
"Is the support account trying to send you to a website? Is your query, which doesn't really require a website visit, being immediately directed to somewhere you have to login? Is the website asking you to login sitting on a free webhost / not an HTTPS site? If so, you should probably steer clear. Pay close attention to any and all replies – 10 seconds spent ensuring the Twitter URL of the account messaging you matches the account you initially spoke to is infinitely preferable to losing your bank login to a scammer," Boyd added.
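Boyd's checks above (does the replying handle match the account you wrote to, is the link on a free webhost, is it HTTPS, does it merely borrow the bank's name in a subdomain) can be turned into a simple screening routine. The following is an added example written for this article, not code from Malwarebytes or the author; the handles, the reply text, the list of free webhosts and the official domain set are constructed assumptions, with only the 16mb.com phishing host taken from the report.

```python
import re
from urllib.parse import urlparse

# Free webhosts to flag. 16mb.com appears in the phishing URL from the report;
# the other entries are assumptions added for illustration.
FREE_HOSTS = {"16mb.com", "000webhostapp.com", "weebly.com", "wordpress.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalize_handle(handle):
    """Compare handles case-insensitively and without the leading '@'."""
    return handle.lstrip("@").lower()


def registrable_domain(host):
    """Rough 'last two labels' approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_reply(original_handle, reply_handle, reply_text, brand_keywords, official_domains):
    """Return a list of warnings for a support reply, one per heuristic that fires.

    brand_keywords: lowercase brand strings to look for inside link hostnames.
    official_domains: registrable domains the brand actually owns (assumed input).
    """
    warnings = []
    orig, rep = normalize_handle(original_handle), normalize_handle(reply_handle)
    if orig != rep:
        warnings.append(f"handle mismatch: @{rep} replied, but you wrote to @{orig}")
    for url in URL_RE.findall(reply_text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        base = registrable_domain(host)
        if parsed.scheme.lower() != "https":
            warnings.append(f"non-HTTPS link: {url}")
        if base in FREE_HOSTS:
            warnings.append(f"link on free webhost {base}: {url}")
        # Brand name appears in the hostname, yet the registrable domain is not the brand's own.
        if any(k in host for k in brand_keywords) and base not in official_domains:
            warnings.append(f"brand name used on a domain the brand does not own: {host}")
    return warnings


# Constructed sample reply: a lookalike handle pushing the report's phishing host.
SAMPLE_ORIGINAL = "@bank_support"
SAMPLE_REPLIER = "@bank_supp0rt"
SAMPLE_TEXT = "Sorry about that! Resolve it here: http://natwestonline-resolutioncenter.16mb.com/login"
```

Running `check_reply(SAMPLE_ORIGINAL, SAMPLE_REPLIER, SAMPLE_TEXT, {"natwest"}, {"natwest.com"})` on the constructed sample fires all four heuristics; a reply from the same handle with no link produces an empty list.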