Cyber Security News

New Phishing Attack Hijacks High-Profile X Accounts to Promote Scam Sites

A new wave of phishing attacks has been identified, targeting high-profile accounts on the social media platform X (formerly Twitter).

This campaign, analyzed by SentinelLABS, aims to hijack accounts belonging to prominent individuals and organizations, including U.S. political figures, international journalists, employees of X, and cryptocurrency entities.

The compromised accounts are then exploited to promote fraudulent cryptocurrency schemes, amplifying the attackers’ reach and financial gains.

The campaign employs a variety of phishing techniques to deceive users into revealing their credentials.

Common lures include fake account login notifications and copyright violation alerts.

X fake copyright infringement page

These messages often contain malicious links redirecting victims to phishing websites designed to harvest login information.

Notably, attackers have routed some links through Google's AMP Cache (cdn.ampproject.org): the visible link points at a trusted Google domain, which then serves the attacker's page, so email security filters that judge only the link's host let the message through.

Once an account is compromised, the legitimate owner is locked out, and the account is used to post scam content or links targeting additional victims.
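The AMP Cache trick described above is easy to miss if a mail filter only looks at the host in the visible link. The following Python is an added example (it is not code from the article or from SentinelLABS) that unwraps AMP Cache links to their real destination, refangs the indicators quoted in this article, and flags X-branded lookalike domains. The sample email text, the allowed-domain set, the phishing keyword list and the `.example` test domain are constructed assumptions for the example; the AMP path layout (`/c/s/<origin-host>/<path>`) is Google's documented cache URL format.

```python
"""Unwrap Google AMP Cache links and flag X/Twitter lookalike destinations.

Added example for this article, not SentinelLABS or Cyber Security News code.
The email body, LEGIT_X_DOMAINS and PHISH_WORDS are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: domains a mail filter would treat as legitimate X properties.
LEGIT_X_DOMAINS = {"x.com", "twitter.com", "t.co"}

# Defanged indicators quoted in the article; refang() restores the dots.
DEFANGED_IOCS = ["securelogins-x[.]com", "x-recoverysupport[.]com", "buy-tanai[.]com"]

# Assumption: words that, next to an "x"/"twitter" token, mark a credential lure.
PHISH_WORDS = ("login", "secure", "recover", "support", "verify", "copyright", "appeal", "account")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# AMP Cache path: /<c|i|r|v>/[s/]<origin-host>/<path>; the "s/" marks an https origin.
AMP_PATH_RE = re.compile(r"^/(?:c|i|r|v)/(s/)?([^/]+)(/.*)?$")


def refang(ioc):
    """Turn a defanged indicator such as 'evil[.]com' back into a real domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def unwrap_amp(url):
    """Return the origin URL behind an AMP Cache link, or the URL unchanged."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "cdn.ampproject.org" and not host.endswith(".cdn.ampproject.org"):
        return url
    m = AMP_PATH_RE.match(p.path)
    if not m:
        return url
    scheme = "https" if m.group(1) else "http"
    query = "?" + p.query if p.query else ""
    return "%s://%s%s%s" % (scheme, m.group(2), m.group(3) or "/", query)


def registrable(host):
    """Crude eTLD+1 (assumption: two-label public suffixes such as co.uk are
    not handled; use a public-suffix library in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_x_lookalike(reg):
    """True when the domain carries an 'x'/'twitter' token plus a lure word,
    e.g. securelogins-x.com or x-recoverysupport.com."""
    label = reg.split(".")[0]
    tokens = set(re.split(r"[-_]", label))
    brand = bool(tokens & {"x", "twitter"}) or "twitter" in label
    return brand and any(w in label for w in PHISH_WORDS)


def classify(url):
    """Return (final_url, verdict); verdict is legit, known-ioc, x-lookalike or unknown."""
    final = unwrap_amp(url)
    reg = registrable(urlparse(final).hostname or "")
    if reg in LEGIT_X_DOMAINS:
        return final, "legit"
    if reg in IOC_DOMAINS:
        return final, "known-ioc"
    if is_x_lookalike(reg):
        return final, "x-lookalike"
    return final, "unknown"


def scan_email(body):
    """Classify every http(s) link in an email body; trailing punctuation is dropped."""
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")
        final, verdict = classify(url)
        results.append((url, final, verdict))
    return results


# Constructed sample lure modelled on the copyright-notice theme in the article.
SAMPLE_EMAIL = """Your X account has received a copyright infringement notice.
Review the claim within 24 hours: https://cdn.ampproject.org/c/s/x-recoverysupport.com/copyright/appeal?id=123.
Manage notifications: https://x.com/settings/notifications
"""

if __name__ == "__main__":
    for url, final, verdict in scan_email(SAMPLE_EMAIL):
        print(verdict, url, "->", final)
```

In a real pipeline the `registrable()` helper should use the public suffix list, and `unknown` verdicts on freshly registered domains are worth a second look given how quickly the campaign rotates infrastructure.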

Infrastructure and Techniques Reveal Adaptability

The infrastructure supporting this campaign demonstrates significant flexibility and adaptability.

Domains such as “securelogins-x[.]com” and “x-recoverysupport[.]com” have been identified as hosting phishing pages, while email delivery is facilitated through related domains.

Much of the activity traces back to an IP address associated with a Belize-based VPS service provider, with domain registrations linked to a Turkish hosting provider.

These findings indicate a loosely organized yet effective operational model.

Interestingly, some phishing sites run on FASTPANEL, a legitimate web hosting control panel used to manage sites on a server.

FASTPANEL is not malicious in itself, but the speed with which it lets an operator stand up sites on a fresh VPS makes it attractive to criminals who need to deploy phishing pages quickly.

Domains like “buy-tanai[.]com” serve as placeholders for future attacks, with content that can be quickly updated to align with ongoing schemes.

Historical Connections

The campaign’s scope extends beyond X accounts, with similar tactics observed on other platforms like Telegram.

Recent incidents include the compromise of the Tor Project’s official X account and DAWN’s social media presence.

These breaches were used to lure victims into phishing traps targeting cryptocurrency enthusiasts.

Additionally, historical analysis reveals connections to past attacks on high-profile accounts, such as the 2024 compromise of Linus Tech Tips’ X account.

The attackers’ financial motives are evident in their promotion of fraudulent cryptocurrency projects.

For instance, domains like “buy-tanai[.]com” have been linked to pump-and-dump schemes involving tokens like TANA AI.

FASTPANEL landing page on buy-tanai[.]com

These scams exploit the volatile nature of cryptocurrency markets to generate quick profits at the expense of unsuspecting investors.

To protect against such threats, users are advised to adopt strong security practices, including enabling two-factor authentication (2FA), preferably with a hardware security key, since one-time codes typed into a phishing page can be relayed to the real login, using unique passwords, and avoiding interactions with unsolicited links.

Verifying URLs before clicking and initiating password resets directly through official platforms can further reduce risks.

Organizations that operate high-profile accounts should also use email filtering that inspects the final destination of a link rather than only its visible host, so wrappers such as the AMP Cache cannot disguise a phishing page.

According to the SentinelLABS Report, this campaign underscores the evolving tactics of cybercriminals in leveraging social media platforms for financial exploitation.

As attackers continue to refine their methods, vigilance remains critical in safeguarding digital identities and assets from compromise.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
