Phishing Domain Poses as Twitter Verification Site
When we first saw a little blue circular cloud shape with a check next to Ashton Kutcher’s and Oprah Winfrey’s names years ago, I reckon the first thoughts that came into the minds of Twitter users were “What is that? How can I get that?”
Today, the verification badge is a well-known mark, signifying that an influential brand or persona online is indeed what or who it claims to be. This feature, however, is not for the general public.
Twitter’s Verified badge mainly caters to known online personas, company identities, and entertainment personalities because their accounts have so often been imitated in the past. We’ve seen users do it for giggles, to make a point, gain instant followers, or simply to squat on a name.
We found a fake Twitter website that promises to authenticate the identity of a user, celebrity or not, so they too can own a badge. Here’s what it looks like:
It’s important to note that all image and text links lead to legitimate pages hosted on Twitter’s domain. Using this tactic would likely make any user believe that they’re on a legitimate page.
Once the user name and password fields are filled in, the page sends a POST request to a PHP script on the scammer’s server, where the submitted credentials are collected. While this happens on the back-end, the front-end redirects the user to Twitter’s FAQ page about verified accounts, so nothing looks amiss.
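The tell in this page is the mismatch the post describes: every visible link points at Twitter’s own domain, but the credential form posts somewhere else. The following script is an added example (not code from the original post) showing how an analyst could check a captured page for that pattern. It uses only the Python standard library; the HTML samples, the page URL `twitter-verification.example`, and the script name `verify.php` are constructed for the demonstration and are not taken from the real phishing site.

```python
"""Flag pages whose links point at a trusted brand while a password form posts elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormLinkCollector(HTMLParser):
    """Collect hostnames of <a href> links and the action/password-field status of each <form>."""

    def __init__(self):
        super().__init__()
        self.link_hosts = set()
        self.forms = []          # one dict per form: {"action": str, "has_password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname   # None for relative links
            if host:
                self.link_hosts.add(host)
        elif tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def belongs_to(host, brand_domain):
    """True if host is the brand domain itself or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)


def assess(html, page_url, brand_domain="twitter.com"):
    """Return a summary of brand-looking links and any password form posting off-brand."""
    parser = FormLinkCollector()
    parser.feed(html)
    brand_links = sorted(h for h in parser.link_hosts if belongs_to(h, brand_domain))
    suspicious = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action resolves against the page itself, i.e. the scammer's host.
        action_url = urljoin(page_url, form["action"] or page_url)
        action_host = urlparse(action_url).hostname or ""
        if not belongs_to(action_host, brand_domain):
            suspicious.append({"action_url": action_url, "action_host": action_host})
    return {
        "page_host": urlparse(page_url).hostname,
        "brand_links": brand_links,
        "suspicious_forms": suspicious,
        # Verdict: brand links present to build trust, yet credentials leave for another host.
        "phishing_indicator": bool(brand_links) and bool(suspicious),
    }


# Constructed sample resembling the page described above: all links go to Twitter,
# but the login form posts to a local PHP script on the impostor host.
PHISH_HTML = """<html><body>
<a href="https://twitter.com/">Home</a>
<a href="https://help.twitter.com/">Help</a>
<form method="POST" action="verify.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Get verified">
</form></body></html>"""
PHISH_URL = "http://twitter-verification.example/index.html"

# Constructed benign counterpart: the form posts back to the brand's own domain.
LEGIT_HTML = """<html><body>
<a href="https://twitter.com/">Home</a>
<form method="POST" action="https://twitter.com/sessions">
  <input type="text" name="session[username]">
  <input type="password" name="session[password]">
</form></body></html>"""
LEGIT_URL = "https://twitter.com/login"


if __name__ == "__main__":
    for label, html, url in (("phish", PHISH_HTML, PHISH_URL), ("legit", LEGIT_HTML, LEGIT_URL)):
        print(label, assess(html, url))
```

The check is deliberately narrow: it does not try to decide whether a page is malicious on its own, only to surface the specific inconsistency this post describes, which is cheap to compute over a crawl or a mail-gateway sandbox and easy for a human to confirm.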
The lack of a Verified badge does not stop scammers from successfully fooling users, as evidenced by the fake FIFA accounts we’ve seen since May. Scammers have simply gotten creative, and will likely continue to be.
As such, it is beneficial for social network users—those using Twitter, in particular—to continue to learn new spam and phishing tactics as they evolve over time.