It’s probably a good idea to block t.co domains for a little while

The social media world is going through a shake-up right now. Just in case anyone wasn’t tracking, the world’s richest man, Elon Musk, just bought Twitter for around $44B. It’s been a little more than a week since the dust settled, and Twitter is undergoing significant changes. Perhaps the most critical change that should concern security professionals is the change to Twitter Blue; more specifically, how Twitter Blue now offers a “verification” checkmark.

For a small fee of $8 a month, Twitter Blue now offers anyone a “verification” checkmark. I’m putting verification in quotes here because it’s unclear, at least to me, if the blue checkmark is still meant to be a verification badge or simply a flair to signify that you pay for Twitter Blue. Before Musk acquired the platform, the blue checkmark was separate from the Twitter Blue subscription service and used to authenticate that users were who they said they were. I could be confident that the person on Twitter named Bill Gates with the blue checkmark was, in fact, Bill Gates. Yes, Twitter had some incidents where people could get verified as someone they weren’t, but those were relatively few in the grand scheme. However, anyone can now “verify” their account for $8 a month, which is a security issue.

Whether we should or not, human nature is to place more inherent trust in people we’ve “verified.” I trust my friends’ opinions more than I trust Wikipedia because I know them, whereas Wikipedia is a void of mostly unknown collaborators. Unfortunately, for many people, that verification mark works the same way. I don’t know John Hammond, but I trust his opinion on malware-related subjects. I’ve seen his videos, and I find his thought process sound and technical acumen up-to-snuff, so when I see a tweet from him on a cybersecurity topic, I generally consider it valid. Millions of people share this same thought pattern, maybe not about John Hammond, but generally about topics that interest them.

Because anyone can “verify” their Twitter name at any time, and display names can be changed at any time, it becomes hard to tell who the real person actually is. This week alone, I’ve been confused at least three times about whether Elon Musk actually said something, as people are protesting the buyout by changing their name to Elon Musk and “verifying” their account. And this will only get worse as malicious cyber actors leverage this new access to the inherent trust in the blue checkmark for their phishing campaigns.

You might be asking yourself, why would an adversary pay for Twitter Blue to phish users? I think the better question is, why wouldn’t they? $8 a month is cheap to a malicious cyber actor compared with the trust value they gain. How many users in your environment will click on any link they see when their favorite Twitter celebrity posts it? How many people will look at the Twitter handle (not the display name) to verify that the handle is correct for the actual person? This new “verification” system is already causing massive confusion. I predict we’ll see a substantial increase in Twitter-based phishing attacks (T1566.003) from “verified” accounts in the coming days to weeks.

Twitter shortens all links posted on its site to “t.co/” to help with the character limit. This shortened link also hides the real destination from the end user; however, as defenders, we can use this short link to cut down on phishing attempts through Twitter: blocking “t.co” with a DNS sinkhole technique (M1021) prevents any click-outs from Twitter.
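As an added example (not code from the original post), the snippet below shows the two things that matter when you sinkhole t.co: matching the zone on whole DNS labels, so `www.t.co` is caught but `at.co` and `t.co.example.net` are not, and rendering the block as resolver configuration. The config emitters use unbound’s `local-zone ... always_nxdomain` and dnsmasq’s `address=/domain/` directives; the resolver log format and the sample queries are constructed for the example.

```python
"""Label-aware DNS sinkhole matching for a short blocklist such as t.co.

Added example, not code from the original post. The blocklist, the sample
resolver log lines and the log format are constructed for illustration.
"""

# Zones to sinkhole. Constructed list; t.co is the zone the post discusses.
SINKHOLE_DOMAINS = ("t.co",)

# Constructed resolver log lines in a made-up "key=value" format.
SAMPLE_LOG = [
    "2022-11-09T12:00:01Z client=10.0.0.5 q=t.co type=A",
    "2022-11-09T12:00:02Z client=10.0.0.7 q=twitter.com type=A",
    "2022-11-09T12:00:03Z client=10.0.0.9 q=www.T.CO. type=AAAA",
    "2022-11-09T12:00:04Z client=10.0.0.9 q=at.co type=A",
    "2022-11-09T12:00:05Z client=10.0.0.3 q=t.co.example.net type=A",
]


def _labels(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return [label for label in name.rstrip(".").lower().split(".") if label]


def is_sinkholed(qname, blocked=SINKHOLE_DOMAINS):
    """True when qname is a blocked zone or lies under one.

    Comparison is on whole labels, so 't.co' matches 't.co' and 'www.t.co'
    but not 'at.co', 'xt.co' or 't.co.example.net'. A naive string
    endswith() check would get the first two of those wrong.
    """
    q = _labels(qname)
    for zone in blocked:
        z = _labels(zone)
        if len(q) >= len(z) and q[-len(z):] == z:
            return True
    return False


def unbound_config(blocked=SINKHOLE_DOMAINS):
    """Render unbound local-zone stanzas.

    'always_nxdomain' answers NXDOMAIN for the zone and every name below it.
    """
    lines = ["server:"]
    for zone in blocked:
        lines.append(f'    local-zone: "{zone}." always_nxdomain')
    return "\n".join(lines) + "\n"


def dnsmasq_config(blocked=SINKHOLE_DOMAINS):
    """Render dnsmasq address lines.

    'address=/zone/' with no IP makes dnsmasq return NXDOMAIN for the zone
    and all of its subdomains.
    """
    return "".join(f"address=/{zone}/\n" for zone in blocked)


def sinkholed_queries(log_lines, blocked=SINKHOLE_DOMAINS):
    """Return the queried names in the log that the sinkhole would answer.

    Once the block is in place, these entries are also a cheap detection
    signal: they show which clients tried to follow a t.co link.
    """
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith("q="):
                qname = token[2:]
                if is_sinkholed(qname, blocked):
                    hits.append(qname)
    return hits


if __name__ == "__main__":
    print(unbound_config(), end="")
    print(dnsmasq_config(), end="")
    print("sinkholed:", sinkholed_queries(SAMPLE_LOG))
```

Drop the unbound stanza into a file under `/etc/unbound/unbound.conf.d/` (or the dnsmasq line into `/etc/dnsmasq.d/`) and reload the resolver; the matcher is the same logic those directives apply, so you can use it to pre-check a larger blocklist against exported query logs before enforcing it.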

While we wait for the dust to settle with this social media shake-up and for people’s opinions to change about how much trust they place in the blue checkmark, we can preemptively stop the phishing attacks, which are very likely coming if they haven’t started already.
