Phishing Attack Hijacks X Accounts to Promote Scams

A new phishing campaign is targeting high-profile X (formerly Twitter) accounts.

SentinelLABS found that attackers aim to hijack accounts of U.S. political figures, journalists, X employees, and cryptocurrency groups.

Hackers then use these accounts to promote crypto scams for financial gain.

Victims are lured with phishing messages styled as suspicious-login alerts or copyright-violation notices. The links in those messages lead to credential-harvesting pages that imitate X's login and account-recovery flows.

To get the links past URL filters, the attackers route them through Google's AMP Cache: the URL the victim sees starts with a Google-owned host (google.com/amp/... or a cdn.ampproject.org subdomain), and only after that hop does the browser land on the attacker's fake page. Any check that only looks at the first hostname in the link will see Google rather than the phishing domain.

Once an account is compromised, the owner is locked out, and the account is used to spread scams.
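As an added example (not code from the SentinelLABS report or from FirstHackersNews), the following script shows the check a mail gateway or SOC analyst would want here: it unwraps the two documented AMP Cache URL shapes (google.com/amp/s/<host>/<path> and <publisher>.cdn.ampproject.org/c/s/<host>/<path>) to recover the real destination, then compares that destination against the domains in this article's IOC list and against a simple "brand token" heuristic for X lookalikes. The IOC_DOMAINS set is copied from the Indicators of Compromise section; LEGIT_X_DOMAINS, the sample message and the domain x-accountverify.com are constructed for the demo and are not from the report.

```python
"""Unwrap Google AMP Cache links and flag X-impersonating destinations.

Added example for this article; it is not code from the SentinelLABS report
or from FirstHackersNews. Assumes the two documented AMP Cache URL shapes:
  https://www.google.com/amp/s/<host>/<path>
  https://<publisher>.cdn.ampproject.org/c/s/<host>/<path>
(an "s/" segment means the origin is https). IOC_DOMAINS is copied from this
article's Indicators of Compromise section; everything else is constructed.
"""
import re
from urllib.parse import unquote, urlparse

# Domains from the article's IOC list (phishing/landing domains).
IOC_DOMAINS = {
    "buy-tanai.com", "dataoptimix.com", "gamecodestudios.com", "infringe-x.com",
    "protection-x.com", "rewards-dawn.com", "securelogins-x.xyz",
    "shortwayscooter.com", "violationappeal-x.com", "violationcenter-x.com",
    "x-accountcenter.com", "x-changealerts.com", "x-logincheck.com",
    "x-loginhelp.com", "x-passwordrecovery.com", "x-recoveraccount.com",
    "x-suspiciouslogin.com",
}

# Assumption: treat these as the platform's own registrable domains.
LEGIT_X_DOMAINS = {"x.com", "twitter.com", "t.co"}

AMP_SUBDOMAIN_PATH = re.compile(r"^/[cir]/")   # /c/ content, /i/ image, /r/ resource
BRAND_TOKEN = re.compile(r"(^|-)x(-|$)")       # "x-loginhelp", "securelogins-x", ...
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_amp(url: str) -> str:
    """Return the origin URL hidden behind an AMP Cache URL, or url unchanged."""
    p = urlparse(url)
    host = p.netloc.lower()
    if host in ("google.com", "www.google.com") and p.path.startswith("/amp/"):
        rest = p.path[len("/amp/"):]
    elif host.endswith(".cdn.ampproject.org") and AMP_SUBDOMAIN_PATH.match(p.path):
        rest = p.path[3:]
    else:
        return url
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    origin_host, _, origin_path = unquote(rest).partition("/")
    if not origin_host:
        return url
    rebuilt = f"{scheme}://{origin_host}/{origin_path}"
    return rebuilt + ("?" + p.query if p.query else "")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list offline)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> dict:
    """Unwrap the link and decide whether its destination impersonates X."""
    final = unwrap_amp(url)
    host = urlparse(final).netloc.lower().split(":")[0]
    reg = registrable_domain(host)
    if reg in LEGIT_X_DOMAINS:
        verdict = "legit"
    elif reg in IOC_DOMAINS:
        verdict = "ioc"
    elif BRAND_TOKEN.search(reg.split(".")[0]):
        verdict = "lookalike"   # brand token "x" glued on with hyphens, not in the IOC list
    else:
        verdict = "unknown"
    return {"url": url, "final_url": final, "amp_wrapped": final != url, "verdict": verdict}


def scan_message(text: str) -> list:
    """Classify every http(s) link found in a message body."""
    return [classify(u) for u in URL_RE.findall(text)]


# Constructed sample: a fake copyright-violation notice. The domain
# x-accountverify.com is invented for the demo and is not in the report.
SAMPLE_MESSAGE = """Copyright violation notice: your account will be suspended in 24 hours.
Appeal here: https://www.google.com/amp/s/violationappeal-x.com/appeal?id=123
Review recent logins: https://x-com.cdn.ampproject.org/c/s/x-accountverify.com/check
Official help: https://help.x.com/en"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(f"{hit['verdict']:<10} amp={hit['amp_wrapped']!s:<5} {hit['url']} -> {hit['final_url']}")
```

Running the script on the constructed message reports the first link as a known IOC (violationappeal-x.com) hidden behind google.com, the second as an X lookalike hidden behind an ampproject.org host, and the help.x.com link as legitimate. In production the two-label registrable_domain helper should be replaced with a public-suffix-list lookup, and the IOC set fed from a threat-intel source rather than hard-coded.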

Infrastructure Shows Flexibility

The campaign’s infrastructure is highly adaptable.

Phishing domains like “securelogins-x[.]com” and “x-recoverysupport[.]com” host fake login pages, while related domains handle email delivery.

Much of the activity traces back to a Belize-based VPS provider, with domain registrations linked to a Turkish hosting service.

Some phishing sites are managed with FASTPANEL, a legitimate server control panel that criminals favor because it makes standing up and replacing sites quick and cheap.

Domains like “buy-tanai[.]com” act as placeholders, ready for quick updates to match new attacks.

The campaign extends beyond X accounts, employing similar tactics on platforms like Telegram. Recent breaches, such as those involving the Tor Project’s official X account and DAWN’s social media, have been used to lure victims into phishing traps targeting cryptocurrency enthusiasts.

Historical analysis connects these incidents to past attacks, including the 2024 compromise of Linus Tech Tips’ X account.

The attackers’ financial motives are evident in their promotion of fraudulent cryptocurrency projects, with domains like “buy-tanai[.]com” linked to pump-and-dump schemes involving tokens like TANA AI.

These scams rely on cryptocurrency volatility to turn a hijacked account's reach into quick profit at investors' expense. To stay safe, users should enable 2FA, use a unique password for X, and avoid acting on unsolicited links. Check the real destination of any link before entering credentials, and reset passwords only through the platform's own site or app rather than through a link in a message.

Organizations should detect these lures at the mail and web gateway, in particular by resolving redirector and cache URLs to their final destination before filtering, and by watching for lookalike domains that combine the brand name with words such as "login", "violation" or "recovery". The SentinelLABS report highlights how cybercriminals are adapting their tactics to exploit social media for financial gain; as these lures grow more convincing, vigilance is key to protecting digital identities and assets.

Indicators of Compromise

Domains
buy-tanai[.]com
dataoptimix[.]com
gamecodestudios[.]com
infringe-x[.]com
protection-x[.]com
rewards-dawn[.]com
securelogins-x[.]xyz
shortwayscooter[.]com
violationappeal-x[.]com
violationcenter-x[.]com
x-accountcenter[.]com
x-changealerts[.]com
x-logincheck[.]com
x-loginhelp[.]com
x-passwordrecovery[.]com
x-recoveraccount[.]com
x-suspiciouslogin[.]com

SHA-1
e2221e5c58a1a976e59fe1062c6db36d4951b81e – PHP file containing URL associated with X credential phishing activity

About the Author:

FirstHackersNews- Identifies Security
