By Cam Sivesind
Tue | Nov 1, 2022 | 10:12 AM PDT

Halloween may have just passed, but things are getting spooky for Twitter users who are being scammed by cybercriminals taking advantage of Elon Musk's purchase of the social media behemoth.

With all of the changes—namely, increasing the cost of the Twitter Blue subscription service from $4.99 to $20 per month—hackers are taking advantage of the verification process being revamped under the new Musk-led version of the company.

Phishing emails are being sent to verified Twitter Blue users telling them they don't have to pay for that "blue check mark" if they simply state they are a well-known person. The goal? Getting users to turn over their Twitter credentials.

Signs that the campaign is a phishing scam:

  • Poor grammar and writing that no business would publish (a hallmark of phishing scams)
  • Email comes from a Gmail address (Twittercontactcenter@gmail), not an official Twitter domain
  • Once the "provide information" button is clicked, users are taken to a Google Docs page. A link in that document goes to a Google site, where the page has an embedded form area (on another site) for people to submit their Twitter account username, password, and (yes) phone number.
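The sender and link signs above can be turned into a simple mail-triage check. The following is an added example, not code from the article: it parses a constructed message modeled on the campaign (a display name claiming Twitter, a gmail.com sender, a Google Docs link) and reports which indicators fire. The allowlist of official domains and the list of hosted-document hosts are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"twitter.com"}                          # assumed allowlist
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # assumed
HOSTED_FORM_HOSTS = {"docs.google.com", "sites.google.com"}  # hosts named in the article
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message; the document id is a placeholder, not a real link.
SAMPLE_PHISH = """From: Twitter Contact Center <Twittercontactcenter@gmail.com>
To: user@example.com
Subject: Keep your blue check mark for free
Content-Type: text/plain

You dont need to pay for verification if you are well known person.
Provide information here: https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit
"""

def sender_parts(from_header):
    """Return (display name, domain) from a From: header, both lowercased."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain

def flag_message(raw_message):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, domain = sender_parts(msg.get("From"))
    findings = []
    # Sign 2: the brand appears in the display name but the domain is not official.
    if "twitter" in name and domain not in OFFICIAL_DOMAINS:
        findings.append("brand_in_display_name_but_unofficial_domain")
    if domain in FREE_MAIL_DOMAINS:
        findings.append("free_mail_sender")
    # Sign 3: the call-to-action link lands on a hosted document rather than twitter.com.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in HOSTED_FORM_HOSTS:
            findings.append("link_to_hosted_document:" + host)
    return findings

if __name__ == "__main__":
    print(flag_message(SAMPLE_PHISH))
```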

Google has since taken down the site. Accounts that do not use multi-factor authentication (MFA) are most affected.

Clearly, scammers are taking advantage of Twitter users who are looking to avoid having to pay the increased monthly cost of keeping that blue check mark and verified badges (premium features).

"I've been getting spearphished by credential theft spam posing as a verified user change since last Friday," said Casey Ellis, Founder and CTO at Bugcrowd. "Attackers capitalize on high profile, chaotic events and changes to drive pretext for lures like this. This campaign is a reminder that it doesn't need to be a hurricane, a pandemic, or other kind of calamity to trigger this kind of attacker behavior."

Some users blame the lack of transparency and clear direction on future verification processes from Twitter since it went private under Musk's ownership.

"Every internet disruption always results in cybercriminals looking for ways to take advantage, and the Twitter blue tick is the perfect storm," said Joseph Carson, Chief Security Scientist at Delinea.