Security
Headlines
HeadlinesLatestCVEs

Headline

Twitter Scammers Stole $1,000 From My Friend—So I Hunted Them Down

After scammers duped a friend with a hacked Twitter account and a “deal” on a MacBook, I enlisted the help of a fellow threat researcher to trace the criminals’ offline identities.

Wired
#web#mac#apple#git#intel#auth

Embarrassed, angry, victimized. That’s just a few of the words my friend uses to describe his recent run-in with a cybercriminal that used a hacked Twitter account to scam people out of hundreds of dollars. Twitter, meanwhile, ignored his pleas for help. That’s when I got involved.

After Tim Utzig lost $1,000 to a fraudster who tricked him using a hacked Twitter account, I asked an expert in social engineering and hunting scammers to help. Ultimately, we tracked down the suspected culprits and identified a network of apparent scammers and money mules expertly swindling people out of their savings. This scamming saga shows how fraudsters use social media, build a network of people to operate different payment accounts, and apply effective techniques to bilk their victims.

It also shows the additional challenges that blind users like Utzig face on the internet and how they are at higher risk of exploitation by indiscriminate online criminals.

Inaccessible and Unacceptable

On May 23, Utzig realized he’d been scammed. He was gearing up for a journalism master’s program at the City University of London and happened to be in the market for a new laptop. By coincidence, someone using the Twitter account of longtime Baltimore sports reporter Roch Kubatko tweeted that they had a new Apple laptop for sale. Utzig trusted Kubatko, whom he’d previously met, and the tweet seemed innocent—and arrived at the perfect moment. So Utzig responded to the tweet with a DM.

Utzig uses a screen reader to navigate the internet and social media apps, including Twitter. A sighted person may have observed oddities in the initial tweet and profile, but the screen reader did nothing to alert Utzig about a key fact: Kubatko’s Twitter account had been hacked, and the person he was talking to wasn’t Kubatko.

“I feel like people with disabilities as a whole are more susceptible to online fraud—screen readers are just one of the methods used by a population who are visually impaired or blind to assist in using technology,” Utzig says. “You’re going to miss certain visual cues that might signify fraud, such as someone changing their profile picture to something different, and the screen reader won’t pick up on it.”

Screen readers also often don’t vocalize misspellings, inaudible grammatical errors, or typography such as fully capitalized words that a sighted person may see as suspicious. And the alternative text on image descriptions, which are manually applied by the individual sharing the content, is the only way a screen reader can describe an image.

Then there’s Twitter itself. Check marks are now effectively useless, especially if you’re blind. Since Twitter changed its verification system under Elon Musk’s ownership, the blue tick that used to be a reliable sign of identity can now be obtained by pretty much anyone. A screen reader will call the Twitter Blue check mark “verified” as before, but the blind user can no longer rely on it as much as they once did.

Recent moves by Twitter concern accessibility advocates. Last year, Twitter laid off its accessibility team, which was responsible for ensuring the platform was usable for people with disabilities, and restrictions on Twitter’s API broke some tools and resources used by blind people. These changes prompted the National Federation of the Blind to move away from Twitter and create a Mastodon server, which the group says is more friendly and accessible for blind users.

“You have people with disabilities scammed, and yet you laid off your whole accessibility team,” Utzig says. “It takes a team to maintain a safe and accessible platform for people with disabilities to use it.”

Then, to top it all off, Twitter is now rebranding as X, with the goal of creating an “everything app” that will apparently also process payments and serve as a “bank.” This, despite the fact that just two months before the X rebranding, the very same platform was being used to swindle people out of their hard-earned cash.

A $1,000 Loss

Courtesy of “Steve”

After a short conversation with not-Kubatko, the person controlling the account asked him for his phone number to send a payment request via Apple Pay. When Utzig followed up after making a payment, he realized the phone number had blocked his number.

Utzig quickly realized he had just paid $1,000 to a criminal. He then reported the account to Twitter. The company did not respond to his requests for help, and the account remained active for days after it was reported as hacked.

Utzig turned to the media for help and reached out to a local reporter. When a local Maryland news station contacted Twitter for comment, the company responded with the poop emoji, the response that press requests have been receiving since March 2023. Utzig says that response made the situation feel so much worse—not only had he lost a lot of money, but the platform he used and loved didn’t care at all about the serious personal and financial impact on its users who were victims of crime.

In the eight months since Musk bought Twitter in October 2022, the platform has increasingly been home to fraudulent accounts. Users across the site have reported a massive uptick in spammers and scammers tweeting, replying to users, and messaging them directly. There have also been multiple reported instances of hacked, high-profile accounts distributing fraudulent content.

Utzig says his DMs are filled with sketchy accounts either sending spam directly or trying to engage in conversation. The social engineering expert I contacted, who asked to use a pseudonym because they carried out this investigation outside their normal work duties, operates several Twitter accounts both for research and personal use. He—let’s call him Steve—says that in the past few months, the number of malicious accounts he observes on the platform has skyrocketed, especially accounts likely associated with pig butchering. This social engineering threat, which is used to drain people’s bank accounts through bogus investment advice, typically originates on social networks and messaging apps and was recently identified by the US Federal Bureau of Investigation as the most costly online threat, with users reporting billions of dollars in losses in 2022.

Social media fraud is part of an ecosystem of online crime that relies on social engineering and trust between users. There are many different kinds of fraud originating on social media, including pig butchering and other financial or cryptocurrency scams, romance scams, and consumer fraud like the kind Utzig experienced.

The attack that hit Kubatko appears similar to a series of related hacks that took over accounts of high-profile Twitter users, and which has been ongoing since at least January of this year. The scammers all used similar language and photos about offering laptops for sale. It is not clear whether the hacked accounts and related scams are all operated by the same people. A search of the language used in the tweet suggests the scammers are still active on the platform. Kubatko, who did not respond to WIRED’s request for comment, eventually got his Twitter account back and apologized to Utzig when he learned of the financial loss.

Different scams require different levels of sophistication; for example, hacking Twitter accounts of high-profile users, many of whom may use multi-factor authentication, is typically more difficult than using said accounts to scam users. It is possible the individuals who swindled Utzig are not the ones who initially hacked Kubatko’s account, but they may have purchased access from the original hacker to use as their scamming platform.

Trap and Trace

Steve was enraged that Utzig had been swindled, and offered to help. But all we had was a phone number. So he contacted the number and told the person on the other end that he was interested in buying laptops. Immediately, he received a text from a different number: “Are you looking for laptops?”

Throughout the conversation, Steve said he was willing to pay via Bitcoin, Cash App, or Zelle. Bitcoin wallet information is useful because all transactions are stored on the blockchain, and you can use it to “follow the money” and identify how much money accounts have made. It’s also possible to cross-reference blockchain accounts with other data sets such as open-source reporting or private threat data to identify related fraudulent activity. Cash App and PayPal are also useful data points because users must provide a lot of personal information including phone numbers, email addresses, usernames, and possibly bank accounts. And Zelle is tied to a bank account, making the information very useful to fraud investigators.

Typically, Steve is able to get at least one of these accounts from the threat actors he interacts with—in this case, we got three.

By claiming he didn’t have enough money in one of his accounts, and that another was not working, Steve got the scammers to send him links to multiple payment accounts. The accounts all had different usernames, suggesting they belonged to different people. In fact, Steve was able to link the usernames and phone numbers from the payment apps to three different people and their suspected real names. He found LinkedIn profiles; Twitter, Facebook, TikTok, Snap, and Instagram accounts; Poshmark accounts; dating profiles; a Soundcloud; and personal websites. By pivoting on this data and information provided on their various social and public profiles, Steve was then able to link the individuals to physical addresses in the eastern US.

Steve also sent the scammers Grabify links to see whether we could collect more data on the users. Grabify is used to identify technical characteristics belonging to a user, such as IP addresses, location data, and “user agents” that indicate what type of device they’re clicking from. In this case, one recipient clicked, and we could see they were using an iPhone on the AT&T network and were apparently located in Ohio, providing a possible estimate of where the user was when they clicked the link.

Based on the conversations with the people associated with the various phone numbers and payment accounts, Steve identified at least four individuals involved in this scam ring.

At least one person—Utzig’s original scammer—is the suspected organizer of the fraud, with at least one person who appears to work directly with him, according to Steve’s findings. After Steve received a message from the new, unknown number, he asked the original scammer who this person was. That phone number claimed it was a “business partner.” It had initially been possible there was one person using two different phone numbers involved in the scam. But based on subsequent investigations and conversations with both, Steve identified two likely separate individuals belonging to those numbers.

The “business partner” sent Steve a Cash App screenshot asking for payment that contained a username, which Steve found associated with multiple social media accounts that included photos. One appeared to have a real name attached.

When Steve said he didn’t have enough money in his Cash account, the business partner sent a link to a PayPal account, which used the apparent first and last name of a different real person. The real name and username were linked to multiple social media accounts that all used photos of what appeared to be the same person. Finally, Steve told the business partner his PayPal was not working, and received a name and phone number allegedly belonging to someone’s Zelle account. The business partner claimed this was an “assistant.” By using the details provided, Steve identified yet another individual and their apparent real name who appeared to reside in the same area as our scammers.

It is unclear whether the individuals belonging to the Zelle and PayPal accounts knew about the laptop scam or whether they were just “money mules.” These are accounts that receive money from victims and then funnel it to other accounts belonging to the original scammers. Sometimes money mules are unaware they are moving stolen money and may be unwitting participants in the fraud. Indeed, sometimes money mules are recruited by scammers under the guise of legitimate employment.

Our investigation resulted in us identifying three payment accounts that were at least associated with the laptop scam, dozens of social media profiles potentially belonging to people involved, and three phone numbers with two different area codes belonging to the same state. While this data could end up being useful to a law enforcement fraud investigation, Steve’s open source intelligence gathering serves as a stark reminder of how easily our digital footprints can be traced back to our real-life existence.

A Drop in the Bucket

Local police and the FBI all encourage users to report when they have been victims of online fraud, but victims rarely get the support they need. Utzig filed a police report with the Washington, DC, Metropolitan Police Department, and we reported it to the FBI via the bureau’s Internet Crime Complaint Center. He also contacted his bank and Apple. Unfortunately, using payment apps is the same as sending someone cash. At this point, there is really nothing more Utzig can do—and it’s likely his complaint will just become a drop in a sea of hundreds of thousands of internet crimes reported each year, many of which don’t get any follow-up.

We provided the police with details of our own investigation and reported high-confidence malicious payment accounts to the payment platforms to remove them for fraud. As private citizens, we’ve done all we can, but we hope our investigations can help prevent further exploitation by these threat actors.

While fraud takes place on pretty much every social media platform, Twitter appears to be hosting more hostile accounts now than it had been prior to the sale last year. And not just from scammers. The company fired much of its Trust and Safety staff in December 2022, and in June, Twitter’s recently appointed head of Trust and Safety exited the company. Without the personnel operating the technical guardrails to prevent widespread harassment, exploitation, and cybercrime, such tactics will likely be allowed to proliferate, making the platform less safe. All this as Musk wants Twitter (sorry, I’m not calling it X) to effectively become a financial institution, which requires more user trust than it has ever enjoyed.

Users should be aware of the hallmarks of fraudulent behavior on social media, like receiving messages from strangers, receiving offers to purchase goods and services, and being asked to switch platforms in the middle of a conversation. However, in Utzig’s case, the social platforms themselves could learn a thing or two. Without improvements in screen reading technology and accessibility in general, platforms are enabling exploitation of their more vulnerable users.

Working with my friend to help him report this crime also reminded me that security practitioners often forget there are real human beings on the receiving end of cybercrime, and the emotional and mental toll of being a victim can be huge.

“Billions of dollars in losses” sounds bad. Your friend losing a lot of their savings and feeling violated and betrayed by platforms and people he trusted feels a lot worse.

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist