Dec 8, 2021
0 0

Twitter bots pose as support staff to steal your cryptocurrency

Written by

Grafana fixes zero-day vulnerability after exploits spread over Twitter
Google disrupts massive Glupteba botnet, sues Russian operators
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
New Cerber ransomware targets Confluence and GitLab servers
Moobot botnet spreading via Hikvision camera vulnerability
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Grafana fixes zero-day vulnerability after exploits spread over Twitter
AWS outage impacts Ring, Netflix, and Amazon deliveries
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Scammers monitor every tweet containing requests for support on MetaMask, TrustWallet, and other popular crypto wallets, and respond to them with scam links in just seconds.
To conduct these targeted phishing attacks, scammers abuse Twitter APIs that allow them to monitor all public tweets for specific keywords or phrases.
If those phrases are present, these same programs will direct Twitter bots under the scammer’s control to automatically reply to the tweets as fake support agents with links to scams that steal cryptocurrency wallets.
These attacks are nothing new, and we reported on them in May. However, these attacks have expanded to other cryptocurrencies, and the scams continue to run rampant.
Therefore, we felt it was vital for our readers to revisit this attack and illustrate how it works, so you do not accidentally become a victim.
In tests conducted by BleepingComputer, tweets containing the words ‘support,’ ‘help,’ or ‘assistance’ along with the keywords like ‘MetaMask,’ ‘Phantom,’ ‘Yoroi,’ and ‘Trust Wallet’ will result in almost instantaneous replies from Twitter bots with fake support forms or accounts.
Other keywords have mixed results, such as wallets’ names and the word ‘stolen.’
Our first test of these cryptocurrency scam bots was to pack a tweet with numerous keywords and see what would happen.
I need trust wallet metamask phantom yoroi support! I lost all my crypto and password recovery phrase.

Come on all you bots!
We then conducted further tests to try and narrow down what keywords would trigger the bot’s replies.
Within seconds of posting our tests, we received replies from numerous scam accounts pretending to be MetaMask and TrustWallet support accounts, “previous victims,” or helpful users.
Fake MetaMask support account
Fake Phantom support account
Trustwallet scammer
Yoroi scammer
All of the scammer’s replies share a common purpose – to steal the recovery phrases for a victim’s wallet, which the attackers can then use to import the wallet onto their own devices.
To steal the recovery phrases (aka seed phrases), the threat actors set up support forms on Google Docs and other cloud platforms.
These forms impersonate a basic support form, asking the user for their email address, the problem they are having, and their wallet’s recovery phrase, as shown by the fake MetaMask support form below.
When prompting for the recovery phrase, they include silly language about it being processed by their “encrypted cloud bot,” likely to try and convince the user to post the sensitive information.
Once the recovery phrase is sent to the attackers, it’s game over and they now have full access to the cryptocurrency within your wallet and can transfer it to other wallets under their control.
Before you say that no one falls for these scams, sadly, that is untrue, and Twitter users have had their wallets, cryptocurrency, and NFTs, stolen.
@merchant_token I wasn’t able to change my withdrawal address from Binance to metamask, so I contacted and have been fooled by a fake metamask support @MetaMasko who stole my tokens from my Metamask Wallet.
Thank you Kenzie. I was getting what I thought was customer support for funds that were missing since last week. The fake customer support shared a link , and through that they extracted my Metamask. I’ve been all day trying to at least recover art that wasn’t sold.
Twitter told BleepingComputer that using Twitter APIs to spam is against the rules and that they are actively working on new methods to prevent these attacks.
“It’s against our rules to use scam tactics on Twitter to obtain money or private financial information, including through automated activity. Our Developer Policy also strictly prohibits the use of the Twitter API and developer products to spam people,” explained a Twitter spokesperson.
“When we identify apps or accounts that violate these policies, we take appropriate enforcement action. We’re constantly adapting to bad actors’ evolving methods and we’ll continue to move quickly to address cryptocurrency scams on the platform as they evolve. “
As a general rule, you should never share your wallet’s recovery phrase with anyone. The recovery phrase is only for you, and no legitimate support person from MetaMask, TrustWallet, or elsewhere will ever ask for it.
It is also important to remember not to share your screen with an untrusted user who then requests that you display your recovery phrase. At that point, they can simply take a screenshot and write it down manually.
Ultimately, these attacks will continue unless Twitter figures out a way to prevent these bots from running rampant, restrict the use of specific keywords, or put more stringent controls on who can join their developer platform.
Update 12/7/21: Added statement from Twitter.
Crypto investors lose $500,000 to Google Ads pushing fake wallets
Alleged Twitter hacker charged with theft of $784K in crypto via SIM swaps
QNAP warns users of bitcoin miner targeting their NAS devices
As Twitter removes blue badges for many, phishing targets verified accounts
The Week in Ransomware – December 3rd 2021 – Seizing Bitcoin
Everything related to Bitcoin is a scam including Bitcoin itself

Why does anyone think any other crypto coins would be different

Combine a pyramid scheme / a money laundering scheme + a pack of lies and all you get is another crypto scheme to defraud you of “real” money
Not a member yet? Register Now
Hundreds of SPAR stores shut down, switch to cash after cyberattack
Russian hacking group uses new stealthy Ceeloader malware
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


Article Categories:
Cybersecurity News

Comments are closed.