Twitter phishing campaign is targeting Blue subscribers amidst X rebranding


Twitter’s erratic changes since Musk’s acquisition, including the recent rebranding to X, have caused widespread confusion among users. Taking advantage of this havoc, threat actors have launched a new phishing campaign, targeting unsuspecting Twitter Blue subscribers in an attempt to gain unauthorized access.

First discovered by the Twitter Blue user @fluffypony, the phishing emails appear deceptively authentic, seemingly originating from a reputable source labelled ‘[email protected]’. Although the emails look legitimate, the threat actors are sending them through the mailing list platform Sendinblue, now known as Brevo. To make matters worse, the emails successfully pass SPF authentication checks, further enhancing their perceived trustworthiness.
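An SPF pass on its own says little here: SPF is evaluated against the envelope sender (Return-Path / `smtp.mailfrom`) domain, which for mail relayed through a bulk-mailing platform belongs to the platform, not to the brand shown in the visible From header. The following added example (not code from the article or from any of the companies named) parses a constructed message's Authentication-Results header and flags an SPF pass whose envelope domain is not aligned with the From domain, which is the check DMARC performs; all domains and addresses in it are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real captured email): the visible From claims the
# brand's domain, but the message was relayed via a bulk mailer, so the
# receiver's SPF check was run against the mailer's envelope-sender domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce-123@mail.example-bulkmailer.test>
Authentication-Results: mx.example-recipient.test;
 spf=pass smtp.mailfrom=mail.example-bulkmailer.test;
 dkim=pass header.d=example-bulkmailer.test
From: "Twitter" <no-reply@example-brand.test>
To: subscriber@example-recipient.test
Subject: Your Twitter Blue subscription is expiring

Migrate to X now.
"""

def header_from_domain(msg):
    """Domain of the RFC 5322 From address, i.e. what the reader sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def spf_result(msg):
    """Return (spf_result, envelope_domain) from Authentication-Results."""
    ar = " ".join(msg.get_all("Authentication-Results", []))
    res = re.search(r"\bspf=(\w+)", ar)
    dom = re.search(r"smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", ar)
    return (res.group(1).lower() if res else "none",
            dom.group(1).lower() if dom else "")

def spf_aligned(msg):
    """True only if SPF passed AND the envelope domain equals, or is a
    subdomain of, the From domain (DMARC 'relaxed' alignment)."""
    result, mailfrom = spf_result(msg)
    visible = header_from_domain(msg)
    if result != "pass" or not mailfrom or not visible:
        return False
    return mailfrom == visible or mailfrom.endswith("." + visible)

def assess(raw):
    """Summarise the SPF evidence for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    result, mailfrom = spf_result(msg)
    return {"spf": result, "envelope_domain": mailfrom,
            "from_domain": header_from_domain(msg),
            "aligned": spf_aligned(msg)}

if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))  # spf=pass but aligned=False
```

A mail gateway or triage script that treats only an aligned SPF (or DKIM) pass as evidence of sender identity will not be reassured by a relayed message like this one.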

What do the emails contain?

Taking advantage of the rebranding, the emails claim that the recipient’s existing Twitter Blue subscription is about to expire, urging them to migrate to the new platform, X. To achieve this migration, users are prompted to click on a link that directs them to what appears to be a legitimate API authorization page. Unfortunately, unsuspecting users who authorize this new X app unknowingly grant access to their entire Twitter accounts, including the ability to view, update, and delete followers, manipulate profile and account settings, post and delete Tweets, and engage with other Tweets.

How to regain access?

If you have unknowingly fallen victim to this phishing scam or a similar one, you can get your account back by revoking access to Twitter’s API. To do this, head over to Settings > Security and Account access > Apps and Sessions > Connected Apps, and revoke permissions for any suspicious or unrecognized apps. Afterwards, change your Twitter password immediately and enable 2-step authentication, preferably using non-SMS methods like One-Time Passwords (OTP).

However, this incident once again raises concerns about Twitter’s practices, which have repeatedly caused widespread confusion among users. Additionally, users should remain vigilant and exercise caution when dealing with any emails advising them to take immediate action.


