A widespread scam pretending to be from Elon Musk and utilizing a stream of hacked Twitter accounts and fake giveaway sites has earned scammers over 28 bitcoins or approximately $180,000 in a single day.
This scam is being pulled off by attackers hacking into verified Twitter accounts and then changing the profile name to “Elon Musk”. They then tweet out that he, being Elon, is creating the biggest crypto-giveaway of 10,000 bitcoins. Even worse, these posts are being promoted through Twitter advertising in order to give them wider visibility and to add legitimacy.
Commenting on how Twitter’s verification system facilitated the scam is Paul Bischoff, Privacy Advocate with Comparitech.
Paul Bischoff, Privacy Advocate at Comparitech:
“The nature of this scam brings to light some seemingly obvious issues with Twitter’s verified account system. The thieves hacked verified accounts and switched the name to Elon Musk to get attention and credibility. If the purpose of the blue checkmark is to assure a person’s handle matches their real identity, then why is it possible to change a verified account’s display name? Changing the name should immediately invalidate the verified status.
Second, these accounts used Promoted Tweets, ads from which Twitter earns a commission. The implication is that Twitter takes money from people who defraud users of its own network.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.