Elon Musk’s tweets piss me off for two reasons.
When he’s not accusing actual heroes of sex crimes or trolling the federal government, it’s what comes after that drives me batshit. The top reply to most of his tweets is some asshat impersonating him to try to trick his followers into falling for a bitcoin scam.
These “get rich quick” scams are fairly simple. A hacker hijacks a verified Twitter account using stolen or leaked passwords. Then, the hacker swaps the account’s name, bio and photo — almost always to mirror Elon Musk — and drops a reply with “here’s where to send your bitcoin,” or something similar.
The end result appears as though Musk is responding to his own tweet, and nudging hapless bitcoin owners to drop their coins into the scammer’s coffers.
One of the latest “victims” was @FarahMenswear. The clothing retailer — with some 15,500 followers — was hacked this morning to promote a “bitcoin giveaway.” In the short time since the scam began, the bitcoin address already had more than 100 transactions and over 5.84 bitcoins — that’s $37,000 in just a few hours’ work. Many Twitter users said that the scammers “promoted” the tweet — amplifying the scam to reach many more people.
On one hand, this scam is so depressingly easy to pull off that even I could’ve done it. On the other, it’s depressing because that’s half a year’s wages for the average reporter.
Still, that $37,000 is a drop in the ocean to some of the other successful scam artists out there. One scammer last week, this time using @PantheonBooks, made $180,000 in a single day by tricking people into turning over their bitcoin and promising great returns.
Why is the scam so easy?
Granted, it’s clever. But it’s a widespread problem that can be largely attributed to Twitter’s nonchalant, “laissez-faire” approach to account security.
The common thread in all of these cryptocurrency scams is account hijacking. Often, hackers use credential stuffing — replaying passwords stolen in breaches of other sites and services — to break into Twitter accounts. In nearly all successful cases, the hacked Twitter accounts aren’t protected with two-factor authentication. Brand accounts shared by several social media staff almost never use two-factor, because it’s hard to share the second-factor codes among multiple people.
A Twitter spokesperson said it has improved how it handles cryptocurrency scams and has seen a significant reduction in the number of users who see scammy tweets. The company also said that scammers are constantly changing their methods, and Twitter is trying to stay one step ahead. In many cases, these scams are nuked from the site before they’re even reported.
And, Twitter said it regularly reminds account owners to switch on stronger security settings, like two-factor authentication.
Well, enough’s enough, Twitter. You can lead a horse to water but you can’t make it drink. So maybe it’s about time you bring the water a little closer.
Until something better comes along, Twitter should make two-factor authentication mandatory for verified accounts, especially high-profile accounts — like politicians. It’s no more of an inconvenience than switching on two-factor for your email inbox or other social networking account. The settings are already there — Twitter even rolled out the more secure app-based authentication a year ago to give users the option of switching from the less-secure text message system.
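Two of the points above can be made concrete: the credential-stuffing pattern that gets these accounts hijacked (one source cycling through many different usernames with a leaked password list) is visible in ordinary login logs, and a mandatory-2FA rule for verified accounts is a one-line policy check. The following is an added illustration written for this article, not Twitter’s code; the log format, the handles, the IP addresses and the threshold are all constructed for the example.

```python
"""Spot credential-stuffing login bursts and list verified accounts that would
fail a mandatory two-factor rule. Added example with constructed data; the log
format, handles, IPs and thresholds are assumptions, not Twitter's real systems."""
import re
from collections import defaultdict

# Constructed sample login log: timestamp, source IP, account handle, outcome.
# One source tries many different handles in seconds and lands one hit;
# a second source is just one user retrying their own password.
SAMPLE_LOG = """\
2018-11-05T09:00:01Z 203.0.113.7 @alice FAIL
2018-11-05T09:00:02Z 203.0.113.7 @bob FAIL
2018-11-05T09:00:02Z 203.0.113.7 @carol FAIL
2018-11-05T09:00:03Z 203.0.113.7 @dave FAIL
2018-11-05T09:00:04Z 203.0.113.7 @brandstore OK
2018-11-05T09:00:05Z 203.0.113.7 @erin FAIL
2018-11-05T09:01:10Z 198.51.100.20 @alice FAIL
2018-11-05T09:01:15Z 198.51.100.20 @alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (@\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn the constructed log text into a list of login events; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, account, outcome = m.groups()
            events.append({"ts": ts, "ip": ip, "account": account, "ok": outcome == "OK"})
    return events


def detect_credential_stuffing(events, min_accounts=5):
    """Return per-IP stats for sources that attempted at least min_accounts distinct
    handles. A single source spraying many usernames is the signature of replaying a
    leaked credential list; any OK outcome from such a source is a likely takeover."""
    per_ip = defaultdict(lambda: {"accounts": set(), "failures": 0, "compromised": []})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["accounts"].add(e["account"])
        if e["ok"]:
            stats["compromised"].append(e["account"])
        else:
            stats["failures"] += 1
    return {
        ip: {"accounts": len(s["accounts"]), "failures": s["failures"],
             "compromised": s["compromised"]}
        for ip, s in per_ip.items() if len(s["accounts"]) >= min_accounts
    }


# Constructed account records: handle, verified badge, 2FA method (None when off).
ACCOUNTS = [
    {"handle": "@brandstore", "verified": True, "two_factor": None},
    {"handle": "@publisher", "verified": True, "two_factor": "sms"},
    {"handle": "@alice", "verified": False, "two_factor": None},
    {"handle": "@newsdesk", "verified": True, "two_factor": "app"},
]


def two_factor_policy_gaps(accounts, require_app=False):
    """Verified accounts that would fail a mandatory-2FA rule. With require_app=True,
    SMS-only accounts are also flagged as falling short of app-based codes."""
    gaps = []
    for a in accounts:
        if not a["verified"]:
            continue
        method = a["two_factor"]
        if method is None or (require_app and method == "sms"):
            gaps.append(a["handle"])
    return gaps


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['accounts']} handles tried, {stats['failures']} failures, "
              f"successful logins: {stats['compromised']}")
    print("verified accounts without 2FA:", two_factor_policy_gaps(ACCOUNTS))
    print("verified accounts without app-based 2FA:",
          two_factor_policy_gaps(ACCOUNTS, require_app=True))
```

The detector keys on distinct handles per source rather than on raw failure counts, which is what separates a stuffing run from a legitimate user fat-fingering their own password; the successful login from a flagged source is the account worth locking and reviewing first. The policy check is deliberately split into “no 2FA at all” and “SMS only,” since the article notes that app-based codes are the stronger option Twitter already offers.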
If the only other option is to stop Elon Musk from tweeting…