The new year came in with a new phishing scam that targets Twitter users through Twitter ads claiming to offer verified account status. In reality, the link takes victims to a phishing site that asks them to fill in personal details, including their Twitter username and password, as well as credit card details. The other fields can be left blank, but the form cannot be submitted without the credit card information.
The phishing site looks credible enough, mimicking Twitter’s branding, color schemes and logo. It may attract users who don’t have the resources to meet Twitter’s requirements for verifying accounts of public interest.
What made it suspicious was that the link takes users to the domain twitterhelp[.]info, which was registered only in December and resolves to an IP address previously used for phishing.
This scheme is not very technically sophisticated, but it was effective because it combined phishing methods with social engineering to make a profit. It can work on other social media just as well. Whether it fails depends mainly on the discernment of the user, so raising user awareness and using ad-blocking software will help.
There isn’t much big brands can do to avoid misuse of their branding and domains. As a precaution, companies can use trademark monitoring services to make sure they’ll know if someone else is using their trademarked domains.
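An added example (not code from the original post) that turns the three signals described above, a brand name in a non-official domain, a recent registration and an IP address with phishing history, into a triage check for domains seen in ad links or brand-monitoring feeds. The allowlist, age threshold, registration dates and IP addresses are constructed assumptions; only twitterhelp[.]info comes from the post.

```python
from datetime import date
from ipaddress import ip_address

BRAND = "twitter"
OFFICIAL = {"twitter.com", "t.co"}   # assumed allowlist of brand-owned domains
MAX_AGE_DAYS = 90                    # assumed cut-off for "recently registered"
# Constructed sample of IPs with phishing history (documentation address range).
KNOWN_PHISHING_IPS = {ip_address("203.0.113.45")}

def refang(domain):
    """Turn a defanged indicator (example[.]com) back into a plain hostname."""
    return domain.replace("[.]", ".").strip("/ ").lower()

def registrable(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def triage(domain, registered, resolved_ip, today):
    """Return the reasons a domain looks like brand abuse (empty list if none)."""
    host = refang(domain)
    if registrable(host) in OFFICIAL:
        return []                    # brand-owned domain or one of its subdomains
    reasons = []
    if BRAND in host:
        reasons.append("brand name in non-official domain")
    if (today - registered).days <= MAX_AGE_DAYS:
        reasons.append("recently registered")
    if ip_address(resolved_ip) in KNOWN_PHISHING_IPS:
        reasons.append("IP previously used for phishing")
    return reasons

def verdict(reasons):
    """Two or more signals: block; a single signal: send to an analyst."""
    return "block" if len(reasons) >= 2 else "review" if reasons else "ok"

# Constructed observations: (domain, registration date, resolved IP).
TODAY = date(2017, 1, 5)
SAMPLES = [
    ("twitterhelp[.]info", date(2016, 12, 15), "203.0.113.45"),
    ("help.twitter.com", date(2000, 1, 21), "198.51.100.7"),
    # Brand used as a subdomain label of an unrelated registrable domain.
    ("twitter.com.login.example", date(2012, 3, 1), "198.51.100.9"),
    ("birdwatching-club.example", date(2010, 5, 1), "198.51.100.10"),
]

if __name__ == "__main__":
    for dom, reg, ip in SAMPLES:
        found = triage(dom, reg, ip, TODAY)
        print(f"{dom:28} {verdict(found):7} {found}")
```

Comparing the registrable domain against the allowlist, rather than searching the hostname for `twitter.com`, is what keeps the third sample from passing as official.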
This post is about phishing scams. To learn more, go to <Over 400,000 Phishing Websites Detected Each Month in 2016>.
To find out what trademark monitoring is, go to <What you Need to know about Protecting your Brand Online>.