On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as “X”. The news put Twitter and X in the headlines and made them top trending topics on popular social media platforms.
Scammers pounced on this opportunity and started renaming hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with the new X branding.
Figure 1. Twitter-X-themed YouTube Live Stream by scammer
Figure 2. Twitter X Crypto Scam
This type of scam has been active for some time and uses an innovative approach to lure victims. To make the scam look more authentic, attackers target famous influencers with sponsorship emails that carry password-stealing malware as attachments. When the password stealer is executed, the influencer’s session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems.
Figure 3. Malware Flow Chart
After the influencer’s account has been compromised, the scammers rename the channel, in this case to “Twitter CEO”, and start live streaming an Elon Musk video on YouTube. They post links to new scam sites in the chat, and they target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions such as “Thanks Mr.Elon”. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos promoting software or game applications that are in fact malware masquerading as legitimate software or games. These videos demonstrate how to download and execute the files, which are common password-stealing malware distributed through compromised social media accounts.
Protection with McAfee+:
McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with WebAdvisor protection that detects malicious websites.
Figure 4. McAfee WebAdvisor detection
Below is a detection heatmap for scam URLs targeting twitter-x and promoting crypto scams.
Figure 5. Scam URL Detection Heatmap
Figure 6. Password stealer Heatmap
Indicators of Compromise:
Scam Site | Crypto Type | Wallet
twitter-x[.]org | ETH | 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org | BTC | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org | USDT | 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org | DOGE | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J
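As an added example (not McAfee's code and not part of the original post), the sketch below loads the indicator table above and checks chat messages or captions against it. The function names and the sample message are constructed for illustration. Hostname matching covers defanged links and subdomains, and wallet matching is case-insensitive for hex addresses but case-sensitive for Base58 addresses.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the indicator table above (defanged, pipe-separated).
IOC_TABLE = """\
twitter-x[.]org | ETH | 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org | BTC | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org | USDT | 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org | DOGE | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J
"""

def load_iocs(table):
    """Parse the rows into (domains, hex_wallets, base58_wallets)."""
    domains, hex_wallets, b58_wallets = set(), set(), set()
    for row in table.strip().splitlines():
        site, _coin, wallet = (cell.strip() for cell in row.split("|"))
        domains.add(site.replace("[.]", ".").lower())
        if wallet.lower().startswith("0x"):
            hex_wallets.add(wallet.lower())  # hex form: letter case is only a checksum
        else:
            b58_wallets.add(wallet)          # Base58 form: letter case is significant
    return domains, hex_wallets, b58_wallets

DOMAINS, HEX_WALLETS, B58_WALLETS = load_iocs(IOC_TABLE)

def host_of(token):
    """Hostname of a URL or bare-domain token, refanged and lower-cased."""
    token = token.replace("[.]", ".").replace("hxxp", "http")
    try:
        host = urlsplit(token if "://" in token else "//" + token).hostname
    except ValueError:  # e.g. unbalanced brackets in ordinary chat text
        return ""
    return (host or "").lower().rstrip(".")

def match_message(text):
    """Return sorted (kind, indicator) hits for one chat message or caption."""
    hits = set()
    for raw in re.findall(r"[^\s<>\"']+", text):
        token = raw.strip(".,;:!?()")
        host = host_of(token)
        hits.update(("domain", d) for d in DOMAINS
                    if host == d or host.endswith("." + d))
        if token.lower() in HEX_WALLETS:
            hits.add(("wallet", token.lower()))
        elif token in B58_WALLETS:
            hits.add(("wallet", token))
    return sorted(hits)

if __name__ == "__main__":  # constructed chat line, not taken from the page
    print(match_message("Claim now: hxxps://event.twitter-x[.]org/x"))
```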
source: McAfee Labs