Cryptocurrency scammers are abusing a legitimate Twitter feature to promote scams, fake giveaways, and fraudulent Telegram channels used to steal cryptocurrency and NFTs.
On X, formerly known as Twitter, the URL of a post contains the account name and the status ID of the tweet, as shown below.
https://twitter.com/[account_name]/status/[status_id]
The site uses the status ID to determine which record to load from its database, without checking that the account name in the URL is correct.
This allows anyone to take a tweet's URL and change the account name to anything they want, even the name of a high-profile account. When the URL is visited, the site redirects to the correct URL associated with that status ID.
For example, https://twitter.com/BleepinComputer/status/1736650221243826564 looks like a legitimate link to one of our tweets from the @BleepinComputer account.
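To make that mismatch mechanical, here is an added example (not code from the article or from X) of the check a URL filter or proxy could apply: it parses the account name and status ID out of the clicked link and out of the URL X finally serves after the redirect, and flags links whose displayed account differs from the real author. The host list, the path pattern and the "throwaway account" heuristic are my assumptions; the sample URLs are constructed from the handles and ID quoted in the article.

```python
import re
from urllib.parse import urlparse

# Hosts treated as X/Twitter (assumption of this example).
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com", "x.com", "www.x.com"}

# The account segment is deliberately unrestricted ([^/]+): X ignores it, so a
# crafted link may carry any text there, not just a valid handle.
_TWEET_PATH = re.compile(r"^/([^/]+)/status/(\d+)")


def parse_tweet_url(url):
    """Return (account_name_lowercased, status_id) for a tweet URL, else None."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.netloc.lower() not in TWITTER_HOSTS:
        return None
    m = _TWEET_PATH.match(p.path)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def classify_redirect(clicked_url, final_url):
    """Compare the account shown in the clicked link with the account X served.

    final_url is the URL after X's redirect, obtained by the caller (for example
    from a proxy log's request/response pair); no network access happens here.
    Returns 'not_tweet', 'match', 'account_mismatch' or 'status_mismatch'.
    """
    clicked = parse_tweet_url(clicked_url)
    final = parse_tweet_url(final_url)
    if clicked is None or final is None:
        return "not_tweet"
    if clicked[1] != final[1]:
        return "status_mismatch"  # redirect landed on a different tweet entirely
    return "match" if clicked[0] == final[0] else "account_mismatch"


def looks_like_throwaway(account_name):
    """Heuristic (assumption): handles ending in five or more digits, like the
    @amanda_car16095 example, are typical of mass-created scam accounts."""
    return re.search(r"\d{5,}$", account_name) is not None


if __name__ == "__main__":
    # Constructed pairing: a link dressed up as Binance that X resolves to a scam account.
    clicked = "https://twitter.com/Binance/status/1736650221243826564"
    served = "https://twitter.com/amanda_car16095/status/1736650221243826564"
    print(classify_redirect(clicked, served), looks_like_throwaway("amanda_car16095"))
```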
BleepingComputer reported on this behaviour in 2019, when security researcher Dave Viviral raised concern that it could be used for phishing. At the time, however, phishing attacks were nothing out of the ordinary.
Security researcher MalwareHunterTeam told BleepingComputer that scammers began using this redirect method at least two weeks ago to create URLs that appear to belong to legitimate, well-known organizations.
All of the impersonated organizations that BleepingComputer found were cryptocurrency-related accounts, such as Binance (11 million followers), Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million).
While the tweet URLs appear to belong to Binance, Ethereum, and zkSync, X redirects them to tweets promoting cryptocurrency scams. BleepingComputer has seen tweets promoting fake cryptocurrency giveaways, wallet-draining websites, and Discord channels promoting pump-and-dump schemes.
The fake zkSync tweet leads to a page impersonating the company, and X community members report that connecting a wallet to it automatically steals all of the wallet's crypto assets and NFTs.
Almost every account that BleepingComputer has found abusing this feature uses an account name with five or more extra characters appended, such as @amanda_car16095, to promote crypto scam posts.
Some of these tweets can be filtered out by turning on the quality filter under Settings > Notifications > Filters. However, this risks incorrectly filtering tweets you do want to see.
Most users will be able to spot a fraudulent tweet immediately if the account shown differs from the one in the URL. However, some, such as the zkSync URL, may be missed because the scammer created an account with the company's name in its username.
Also, opening these links on a mobile phone can be confusing, since the app doesn't display an address bar and you only see the tweet. To many, it may look as though a company such as Binance posted it, lending the scam legitimacy.
Since this redirect is a standard Twitter feature, it is unlikely to be changed to make it more secure.