SlickRockWeb 🇺🇲🇺🇦 Profile picture
CEO of SlickRockWeb, SEO guy & part time citizen journalist. A numbers cruncher, problem solver, and now @DFRLab trained Digital Sherlock #infoSec #infoOps

Nov 1, 2022, 11 tweets

BREAKING: There are at least 2 separate hacking campaigns going on & focusing in on the #Twitter blue checkmark verification process. One appears to be #phishing based and another far more nefarious .. and possibly a state actor using Twitter DMs. More shortly. Be alert #infosec

All political candidates running & in office are typically Twitter verified (blue checkmark). Most major journalists are as well. This is a HUGE target 4 a #cyberattack by a nation state actor. This campaign which is still under the radar is very worrisome

Liz @lizthegrey has done great work on this. It's not clear how widespread this is but it has some very concerning network indicators. And it's significantly more sophisticated than the phishing email that is going around. #infosec #phishing #cybersecurity #malware #Election2022

We are now 8 days away from a MAJOR midterm election in the US with huge geopolitical implications. A number of Twitter verified accnts already admit they fell 4 one of these campaigns recently. This second found by @lizthegrey appears like a Twitter notification #infosec #OSINT

Here is where it gets really concerning @lizthegrey identified the chain and it includes the IP 45.8.144[.]163 from Stark Industries ... many of you will recognize them from past campaigns. Using the fantastic @PassiveTotal #OSINT tool you can peel back the onion back to Russia

There are numerous domains (fake regs) involved that appear to be cycling through to new ones ... once one is caught. Best as we can tell none of the @/CaseNumber[0-9]{5} accounts on Twitter have been suspended. startappealoctober[.]com
newappealstart[.]com
submitnewappeal[.]com

Again using the fantastic @PassiveTotal from @RiskIQ one can pivot off of the IP address & find the full list of newly registered (all fake registrations) domains created in the past week ..all likely to be pivoted to once a prior domain is discovered and blocked. #OSINT #infosec

Right after the 2020 election (in the heat of the #BigLie) the malign EOP campaign put out a hit list on people like CISA @C_C_Krebs. It has very similar network indicators to what we are seeing with this. Be alert & someone way smarter needs to look into this #infosec #osint

Thank you @twitter for taking quick action and taking these accounts down ... @CaseNumber01347 @CaseNumber01300 @CaseNumber01629 @CaseNumber01438 @CaseNumber01382 @CaseNumber01366 etc...

It was a mistake to lead this thread with the sophomoric Gmail #phishing campaign ... because apparently no one reads past the 1st tweet. Anyway I had a chance to speak to someone who fell victim to the 2nd more sophisticated campaign in my thread. Here is what they described.

The FBI identified Iranian hackers as the ones behind the EOP (Enemies of the People) op shortly after the Nov 2020 elections. Like we say in this thread there are A LOT of similarities in this current Twitter verification scheme (the non-gmail one) #infosec #osint thedailybeast.com/iran-behind-en…
