Cybercriminals are already utilising Twitter’s ongoing verification confusion by sending phishing emails that are intended to steal passwords from unwitting users. A report claims that the phishing email campaign aims to deceive Twitter users into entering their username and password on a website belonging to the attacker that is set up to look like a Twitter assistance form. The email contains links to a Google Doc and a Google Site, which let users host web material. The email is sent from a Gmail account. The number of layers of obfuscation that will likely arise from this will make it more challenging for Google’s automated scanning algorithms to detect abuse. The page does, however, include a frame from another website embedded in it that is housed on the Russian web host Beget and asks for the user’s Twitter handle, password, and phone number. This is sufficient to compromise accounts that do not use stronger two-factor authentication.
Twitter’s verification chaos has now become a cybersecurity issue
