1-Click Phishing Campaign Targets High-Profile X Accounts

A recent surge in phishing attacks has targeted high-profile individuals, including journalists, political figures, and even an employee of X. According to SentinelLabs, the attackers behind this campaign use the compromised accounts to promote cryptocurrency fraud schemes.

The phishing campaign, disclosed by researchers at SentinelLabs in a recent blog post, has primarily targeted X accounts but is not limited to a single social media platform. The ultimate goal of the attackers is to leverage the reach of these influential accounts to lure individuals into cryptocurrency scams for financial gain.

Once an account is compromised, the legitimate owner is locked out, and the attackers begin posting fraudulent cryptocurrency opportunities or links to external sites designed to deceive more victims. This tactic, known as account takeover, has been used by cybercriminals in the past to maximize their financial gains by reaching a broader audience of potential secondary victims.

This type of attack is not new and bears similarities to a previous campaign that targeted the Linus Tech Tips X account and other high-profile users. The researchers at SentinelLabs discovered similar infrastructure and phishing messages used in both campaigns, suggesting that the same threat actor may be behind both attacks. However, the geographic origin of the attacker remains unknown at this time.

The phishing lures used in this campaign range from classic account login notices to email-based themes like copyright violations. Victims are directed to phishing pages that resemble legitimate login screens where they are prompted to enter their X credentials. Some of the phishing pages were hosted on Google’s AMP Cache domain to evade detection by email security filters.
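The AMP Cache hosting described above works because a filter that inspects only the link's host sees a Google-owned domain. The sketch below is an added example, not code from SentinelLabs or the original article: it unwraps AMP Cache and Google AMP viewer links and checks where they really lead. The `OFFICIAL_HOSTS` list, the function names and the `.example` sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts accepted as genuine X sign-in destinations.
OFFICIAL_HOSTS = ("x.com", "twitter.com")
AMP_CACHE = "cdn.ampproject.org"


def unwrap_amp(url):
    """Return the origin URL behind an AMP Cache or Google AMP viewer link.

    Any other URL is returned unchanged.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    if host == AMP_CACHE or host.endswith("." + AMP_CACHE):
        if not segs or segs[0] not in ("c", "v"):  # document / viewer paths
            return url
    elif host in ("google.com", "www.google.com"):
        if not segs or segs[0] != "amp":
            return url
    else:
        return url
    segs = segs[1:]
    scheme = "http"
    if segs and segs[0] == "s":  # "s" marks an https origin
        scheme, segs = "https", segs[1:]
    if not segs:
        return url
    return scheme + "://" + "/".join(segs)


def final_host(url, max_depth=5):
    """Peel nested AMP wrappers and return the host the link really reaches."""
    for _ in range(max_depth):
        inner = unwrap_amp(url)
        if inner == url:
            break
        url = inner
    return (urlsplit(url).hostname or "").lower()


def is_official_x_link(url):
    """True only if the unwrapped destination is an official host or subdomain."""
    host = final_host(url)
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


if __name__ == "__main__":
    # Constructed sample link using a reserved .example name, not a real indicator.
    print(final_host("https://cdn.ampproject.org/c/s/x-login.example/reset"))
```

A mail gateway or triage script can apply the same unwrapping before its reputation or allowlist lookup, so the verdict is based on the destination rather than on the AMP wrapper.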

The infrastructure used by the attackers indicates a high level of adaptability and sophistication. Domains like securelogins-x.com and x-recoverysupport.com were used for email delivery and hosting phishing pages, respectively. The attackers also leveraged an IP associated with a Belize-based VPS service and registered domains through a Turkish hosting provider, demonstrating a flexible approach to infrastructure use.

Protecting corporate social media accounts from these types of attacks is crucial. Controlling high-profile X accounts provides threat actors with a platform to reach a wider audience with fraudulent schemes, such as cryptocurrency scams. Implementing strong password hygiene, enabling two-factor authentication, and avoiding credential sharing are essential steps to safeguarding accounts from compromise.

As the cryptocurrency landscape continues to attract financially motivated threat actors, individuals must remain vigilant against phishing attempts and always verify the legitimacy of URLs before clicking on them. Password resets should only be initiated through official channels rather than following unsolicited links to mitigate the risk of falling victim to these types of attacks. By staying informed and practicing good security habits, users can help protect themselves and their accounts from malicious actors seeking to exploit them for financial gain.
