Just yesterday, Twitter accounts owned by IT consultancy Capgemini, the Consulate General of India in Germany, California state senator Ben Allen, and Israeli politician Rachel Azaria, were exploited by scammers who used them to promote bogus cryptocurrency giveaways.
The scam works by offering users who transfer a small amount of Bitcoin (say, 0.1 Bitcoin) a large amount in return (say, 10 Bitcoin). If that offer sounds too good to be true, well… it is.
We’ve seen a spate of verified Twitter accounts meddled with by scammers in recent weeks, and there’s no sign that Twitter is getting any better at stopping it.
The latest high profile account to come under attack? US retail giant Target (which is, of course, no stranger to being hacked).
Since this article was first published, Target has been in touch with the following statement:
“Early this morning, Target’s Twitter account was inappropriately accessed. The access lasted for approximately half an hour and one fake tweet was posted during that time about a bitcoin scam. We’re in close contact with Twitter, have deleted the tweet and have locked the account while we investigate further.”
Quite why Twitter is allowing promoted ads to be created that are obviously scammy is a mystery to me. Are they really not able to put measures in place to prevent the scammers from posting their fraudulent tweets? Or do they think it’s a low priority?
I’d love to know how this is possible, but in the meantime I would urge all Twitter users to ensure that they have enabled two-factor authentication via a third-party application, and revoke access rights for any un-needed third-party apps.
Talking of which, isn’t it about time Twitter made 2FA mandatory (known as “Login verification” on Twitter) on verified accounts?
I think if Twitter wants to better protected its verified users, it should make Login Verification compulsory. And if a user turns off Login Verification, they should also lose their verified “tick”.
For further discussion of the earlier attacks, and other stories from the world of security and online privacy, be sure to check out the “Smashing Security” podcast: