1-Click Phishing Campaign Targets High-Profile X Accounts
In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims.
February 3, 2025
An active, one-click phishing campaign is targeting the X accounts of high-profile individuals — including journalists, political figures, and even an X employee — to hijack and exploit them to commit cryptocurrency fraud.
Researchers at SentinelLabs uncovered the campaign, which appears to be most prominent on X but is not limited to a single social media platform, they revealed in a recent blog post. The attackers' ultimate goal is to use the potential reach of the high-impact accounts — which also include technology and cryptocurrency organizations as well as owners of accounts with valuable, short usernames — to target people with crypto scams for financial gain, the researchers said.
"Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme," SentinelLabs threat researchers Tom Hegel, Jim Walter, and Alex Delamotte wrote in the post.
Ultimately, this compromise of high-profile accounts — a tactic used before by cybercriminals, most notably in targeting celebrity Twitter accounts in 2020 — enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains, the researchers noted.
Indeed, the campaign is also similar to one uncovered last year that compromised the Linus Tech Tips X account along with other high-profile users. The researchers discovered related infrastructure and similar phishing messages used in both campaigns, evidence that suggests the same threat actor is behind both, they said. However, at this time it's not known from which region of the world the actor hails, or who might be behind the campaign.
Classic Fake Crypto Lures & Adaptable Infrastructure
SentinelLabs observed a variety of phishing lures being used in the campaign, including a "classic account login notice" that targets people with an email informing them that someone logged into their account from a new device. The email includes a link suggesting they "take steps to protect" their account which actually leads to a site that phishes X credentials, according to the post.
Other email-based lures use copyright-violation themes to get users to click through to a phishing page that asks them to enter their X credentials. In recent cases, the phishing page to which victims were redirected abused Google's "AMP Cache" domain cdn.ampproject[.]org to evade common email detections, according to SentinelLabs.
Infrastructure used in the campaign suggests that the actor behind it is "highly adaptable, continuously exploring new techniques while maintaining a clear financial motive," the researchers wrote.
Recent activity used the domain securelogins-x[.]com to deliver emails and x-recoverysupport[.]com to host phishing pages. As "any of these domains can be considered email delivery or phishing-page hosting," the activity indicates "a level of informality and flexibility of infrastructure use," the researchers observed.
Attackers also hosted a flurry of recent activity on an IP associated with a Belize-based VPS service called Dataclub. The domains associated with the campaign have been predominantly registered through Turkish hosting provider Turkticaret, but this alone is not enough to confirm that the attackers are from Turkey, the researchers added.
Protect Your Corporate Social Accounts
High-profile X accounts are often targets for threat actors because controlling such an account lets the attacker reach a wider audience with fraudulent activity. Often this activity involves crypto scams aimed at financial fraud, such as a case last year in which security firm Mandiant temporarily lost control of its X account to cryptocurrency drainer malware operators.
"The cryptocurrency landscape offers financially-motivated threat actors multiple opportunities for profit and fraud," the researchers noted in the post. "While marketing for coins and tokens has long been irreverent and meme-driven, recent developments have further blurred the line between legitimate projects and scams."
To protect an X account, the researchers recommended the obvious: users should maintain good password hygiene by using a unique password, enabling two-factor authentication (2FA), and avoiding credential sharing with third-party services.
People also should be especially wary of messages containing links to account alerts or security notices, and always verify URLs before clicking on them. If their accounts do need a password reset for security purposes, these should be initiated only directly through the official website or app rather than relying on unsolicited links, the researchers advised.
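The URL verification the researchers recommend can be automated for a security team triaging reported emails. The following is an added example, not code from SentinelLabs or from the article; it assumes an allowlist of official X hosts and the common AMP Cache path form `/c/s/<origin-host>/<path>`, and it unwraps any AMP-cache-wrapped link and flags destinations that are not the official site, including brand look-alike hosts such as the ones named above.

```python
"""Classify links from a suspected X login-alert email: unwrap Google AMP Cache
wrapping and flag destinations that are not the official X host."""
import re
from urllib.parse import urlparse

OFFICIAL_X_HOSTS = {"x.com", "twitter.com"}  # assumed allowlist for this example
AMP_CACHE_HOST = "cdn.ampproject.org"
# AMP Cache path form assumed here: /c/s/<origin-host>/<path> ("s/" = https origin)
AMP_PATH_RE = re.compile(r"^/[cvir]/(s/)?([^/]+)(/.*)?$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BRAND_RE = re.compile(r"(^|[-.])x([-.]|$)|twitter")  # "x" as a label or label part


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); enough for the .com samples below."""
    return ".".join(host.lower().split(".")[-2:])


def unwrap_amp(url: str) -> str:
    """Return the origin URL hidden behind an AMP Cache URL, else url unchanged."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != AMP_CACHE_HOST and not host.endswith("." + AMP_CACHE_HOST):
        return url
    m = AMP_PATH_RE.match(p.path)
    if not m:
        return url
    scheme = "https" if m.group(1) else "http"
    return f"{scheme}://{m.group(2)}{m.group(3) or '/'}"


def classify_link(url: str) -> dict:
    """Verdict for one link: official host, or suspicious with the reasons why."""
    final = unwrap_amp(url)
    host = urlparse(final).hostname or ""
    reasons = []
    if final != url:
        reasons.append("amp-cache-wrapped")
    if registrable(host) not in OFFICIAL_X_HOSTS:
        reasons.append("not-official-host")
        if BRAND_RE.search(registrable(host)):
            reasons.append("brand-lookalike")
    return {"url": url, "destination": final, "suspicious": bool(reasons), "reasons": reasons}


def classify_email(body: str) -> list:
    """Extract every http(s) link in an email body and classify it."""
    return [classify_link(u) for u in URL_RE.findall(body)]


# Constructed sample lure (not from the article) using the domains the article names
SAMPLE_EMAIL = """New login to your X account from a new device.
Take steps to protect your account: https://cdn.ampproject.org/c/s/x-recoverysupport.com/reset
Or manage settings at https://x.com/settings/account"""

if __name__ == "__main__":
    for verdict in classify_email(SAMPLE_EMAIL):
        print(verdict)
```

The naive registrable-domain check is deliberately simple; a production version would use a public-suffix list and the organisation's own allowlist.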