There’s a “gold rush” on the dark web as threat actors target verified accounts on X, formerly Twitter, for large-scale attacks, cybersecurity experts at CloudSEK warn.
A “surge” of posts selling accounts with X gold verification has been observed on dark web forums and marketplaces, as well as Telegram channels, the experts said in a new report.
Verified organizations on X can purchase a gold checkmark, part of the platform’s verification system. This also includes blue badges for premium subscribers and gray ones for NGOs and government agencies.
According to CloudSEK, accounts on sale are acquired using various methods, including manual creation, brute-forcing the existing accounts, and using malware to harvest credentials.
“A hacked or compromised Twitter account can be exploited to mass spread phishing campaigns. This, in turn, damages the reputation and brand of the company whose account was compromised,” the firm said.
According to the researchers, cybercriminals prioritize corporate and influencer profiles with high followings, favoring dormant accounts that can be upgraded to a 30-day gold subscription.
The price of the accounts on sale ranges from $35 for an inactive account, which can be converted into a gold subscription, to up to $2,000 for a gold account of a certain brand and follower count.
“Such advertisements also allow multiple opportunities for cybercriminals to become a guarantor of the deals since large amounts are involved. Additionally, such accounts are resellable, enabling a whole reseller market behind compromised accounts,” CloudSEK said.
Twitter’s gold subscription tier was announced in December 2022, and the first threat actor posts looking to buy verified gold accounts were traced to March 2023.
In September that same year, an X account of Ethereum co-founder Vitalik Buterin was hacked and used for a phishing scam that robbed victims of $690,000 worth of crypto in just 20 minutes.
According to CloudSEK, organizations can take several steps that can prevent them from falling victim to similar takeovers.
One is to ensure their dormant accounts are closed for good after being inactive for an extended period of time. Another measure is brand monitoring, which could help detect and respond to incidents such as fake profiles and malicious content more quickly.
Proper employee training when it comes to the best cybersecurity practices could protect credentials from information stealer malware. “Password policies should be updated, such as replenishing the account passwords regularly. Employees should be educated against the use of cracked software and its dangers,” CloudSEK said.
Cybersecurity experts also encouraged using native password managers rather than saving passwords in web browsers, as well as installing endpoint security software on employee devices to detect the presence of malicious software.