Cybercriminals are already taking advantage of Twitter’s ongoing verification chaos by sending phishing emails designed to steal unwitting users’ passwords.
According to TechCrunch, the phishing email campaign attempts to trick Twitter users into entering their username and password on an attacker-controlled website disguised as a Twitter help form. The email is sent from a Gmail account and includes a link to a Google Doc and another to a Google Site, a Google service that lets users host web content. Chaining these services likely adds several layers of obfuscation, making it more difficult for Google's automated scanning tools to detect the abuse. The final page contains an embedded frame from another site, hosted on the Russian web host Beget, that requests the user's Twitter handle, password, and phone number, which is enough to compromise accounts that do not use stronger two-factor authentication.
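The pattern described above (a lure page on a trusted host that embeds a credential form from a different origin) is something an analyst can check for mechanically when triaging a reported page. The following is an added example written for this article, not code from TechCrunch or from the campaign; the hostnames, page markup and the `.invalid` domain are constructed samples for illustration, and the caller is assumed to have already fetched each frame's HTML into `frame_contents`.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: HTML of a lure page hosted on a Google Site, as an analyst
# might have fetched it for triage (hypothetical markup, not the real page).
LURE_PAGE_URL = "https://sites.google.com/view/example-help-form"
LURE_PAGE_HTML = """
<html><body>
<h1>Help Center</h1>
<iframe src="https://phish-example.invalid/form.html" width="600" height="400"></iframe>
<iframe src="/view/example-help-form/embed"></iframe>
</body></html>
"""

# Constructed sample: the document loaded inside the cross-origin frame.
FRAME_HTML = """
<form method="post" action="/submit">
<input type="text" name="handle">
<input type="password" name="password">
<input type="tel" name="phone">
</form>
"""


class FrameCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


class CredentialFieldCollector(HTMLParser):
    """Collects <input> fields that look like password or phone-number prompts."""

    def __init__(self):
        super().__init__()
        self.sensitive_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        itype = (a.get("type") or "text").lower()
        name = (a.get("name") or "").lower()
        if itype in ("password", "tel") or any(k in name for k in ("pass", "phone", "tel")):
            self.sensitive_fields.append(name or itype)


def cross_origin_frames(page_url, html):
    """Return iframe srcs whose host differs from the page's own host.
    Relative srcs have no host and are treated as same-origin."""
    page_host = urlparse(page_url).hostname
    parser = FrameCollector()
    parser.feed(html)
    return [s for s in parser.frame_srcs if urlparse(s).hostname not in (None, page_host)]


def sensitive_inputs(html):
    collector = CredentialFieldCollector()
    collector.feed(html)
    return collector.sensitive_fields


def triage(page_url, page_html, frame_contents):
    """frame_contents maps each frame src to its fetched HTML (supplied by the caller).
    Flags any cross-origin frame that asks for a password or phone number."""
    findings = []
    for src in cross_origin_frames(page_url, page_html):
        fields = sensitive_inputs(frame_contents.get(src, ""))
        findings.append({
            "frame": src,
            "host": urlparse(src).hostname,
            "sensitive_fields": fields,
            "credential_harvest": bool(fields),
        })
    return findings


if __name__ == "__main__":
    frames = {"https://phish-example.invalid/form.html": FRAME_HTML}
    for finding in triage(LURE_PAGE_URL, LURE_PAGE_HTML, frames):
        print(finding)
```

The check deliberately ignores same-origin frames, since a legitimate site embedding its own content is normal; the signal worth escalating is a third-party frame that collects a password or phone number from inside a page whose address bar shows a trusted domain.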