


Senior Staff Writer

Scammers Phishing for financial credentials on Twitter

Apr 06, 2017 | 4 mins
Cybercrime, Data and Information Security, Phishing

Recent targets include large financial firms in the UK


Scammers are using Twitter as a vehicle to target people looking for customer support or asking general questions. They interject themselves into legitimate discussions, offering friendly chatter and a link that directs the target to a Phishing page designed to harvest credentials.

On Twitter, someone – or perhaps a group of people – is following support accounts for large financial institutions and watching their interactions with customers. Depending on the question asked, the scammers will respond to the customer (usually after the official account has) and direct them to take ‘additional’ measures.

Social Engineering is a powerful tool, and given the right construct it can be hard to detect or defend against. The recent Phishing attempts were brought to Salted Hash’s attention after they were mentioned by Sam Stepanyan on Twitter. It didn’t take long to find active examples.

For example: One customer who reported login problems with their rewards account to NatWest, a large commercial and retail bank in the U.K., was assisted by the official support account. This initial contact was followed two hours later by the scammers who directed the customer to a website and asked them to “verify your identity in order to reset your password.”

Similar incidents have happened to customers of Nationwide Building Society, another large British bank.

On April 3, a Nationwide customer asked about a special cash back promotion, and after receiving information from support representatives directly, the scammers messaged the same customer and requested they follow a link to validate their account “and check your balance for cashback.”

The scammers sign their messages with names, mimicking the real support accounts and adding an additional layer of legitimacy. In a flood of conversations on Twitter they might appear to be the real thing at a glance, and the target is already expecting a response.

The biggest red flag is the use of obvious unaffiliated domains on free hosting services like and However, at times Salted Hash has observed these Phishing accounts using the URL shortening service as a mask.

Over the last week, Salted Hash has followed five accounts running Phishing scams. After reporting them, three were disabled almost immediately. The other two are still active, but it’s expected Twitter will make short work of them. (Update: Twitter suspended the remaining two accounts shortly after they were reported.)

The accounts are actively maintained by the scammers. The moment this reporter alerted the banks to the active Phishing accounts, the scammers blocked me on Twitter – as if such actions would prevent me from monitoring and reporting them.

The problem is, while Twitter reacts to reports quickly, they can only do so much. The moment one account is suspended, another takes its place.

For their part, NatWest and Nationwide have reached out to those customers targeted by the scammers and issued warnings. Yet, like Twitter, there is only so much the banks can do, and only so many hours in a day.

Scams like this have been around for some time. Last October, similar tactics were used against Barclays. The scammers then were using the same type of Phishing page – a generic landing page designed to capture credentials, which was hosted on a free account.

Attacks like these are the risk that’s attached to conducting support on social media. The best defense is awareness, and knowing who you’re interacting with.

For banks like Nationwide and NatWest, their support channels are all verified accounts, and they’ll only discuss the basics online, often via direct message. If you have to obtain support via social media, you should only work with those verified accounts.

Anyone asking for sensitive information via public channels (even verified accounts) should be treated as suspect, especially if they’re directing you to follow links on free hosting services (like the ones shown in the images attached to this story).

If you do accidentally click a link, ensure that the URL is the one you’re supposed to be on, and that it’s using SSL. If you’ve logged in via a fake website, contact your bank and change your password.
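The URL check described above, together with the red flags mentioned earlier (free hosting, URL shorteners), can be applied mechanically to links that appear in replies to a support account. The following Python code is an added example, not part of the original article; every domain in it (bank.example, freehost.example, short.example) is a constructed placeholder.

```python
from urllib.parse import urlsplit

# All names below are constructed placeholders, not real services.
OFFICIAL_DOMAINS = {"bank.example"}      # domains the bank actually operates
FREE_HOSTING = {"freehost.example"}      # free hosting suffixes seen in lures
SHORTENERS = {"short.example"}           # URL shorteners that hide the target


def _matches(host, domains):
    """True if host is a listed domain or a subdomain of one (label boundary)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_link(url):
    """Return the red flags for a link sent in a support reply (empty = none found)."""
    flags = []
    parts = urlsplit(url.strip())
    # .hostname drops userinfo and port and lowercases; strip a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:
        # "https://bank.example@other.host/" really goes to other.host
        flags.append("userinfo-in-url")
    if _matches(host, SHORTENERS):
        flags.append("shortener-hides-destination")
    if _matches(host, FREE_HOSTING):
        flags.append("free-hosting")
    if not _matches(host, OFFICIAL_DOMAINS):
        flags.append("not-official-domain")
    return flags


# Constructed sample links in the style of the replies described in the article.
SAMPLES = [
    "https://www.bank.example/login",
    "http://www.bank.example/login",
    "https://bank-example-verify.freehost.example/reset",
    "https://bank.example.freehost.example/cashback",
    "https://bank.example@freehost.example/verify",
    "https://short.example/aB3xY",
    "https://notbank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or "no red flags")
```

An empty result only means none of these specific checks fired; HTTPS on its own says nothing about who operates the site.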

If the matter is urgent or involves sensitive details, it’s best to keep it off social media entirely and contact the bank via phone, or go to a local branch.

It’s also worth noting that while the scammers are targeting banks and their customers in these recent scams, they can easily switch to telecommunications (Verizon, T-Mobile, AT&T, etc.) or any other company where customer accounts are valuable.

You don’t have to avoid social media as a means for support, but you should use caution and remain aware of the risks.