Who is behind the latest Elon Musk scam? (April 30, 2020)
On April 30, you may have come across “Elon Musk’s” (?) tweets talking about a crypto party. This is not the first time cybercriminals have used Elon Musk’s name in such scams, but this one is quite interesting in that it involves compromising a verified (blue tick) Twitter account, replies to President Trump’s tweets, an impersonated Medium page, and BTC/ETH transfers. I researched who might be behind this short-lived scam and how much money the cybercriminals stole.
Elon Musk replied to comments on Trump’s Twitter posts, really?
I was on Twitter on April 30 looking for world leaders’ tweets on Covid-19. There, I noticed that Elon Musk was replying to people who comment on President Trump’s posts. Considering Musk’s supportive posts on re-opening the economy, I thought he might be replying to people who oppose Trump’s view on the subject. But something was obviously odd about these replies: they all carried the same screenshot. Below are some examples of such replies.
Careful eyes can easily see that this account does not really belong to Elon Musk. The account name (calebgrimm) in particular gives it away. However, the combination of the profile picture and the verified badge is quite convincing. Considering that the number of likes and RTs it got was quite high (more than 800 in less than an hour), many people thought it really was Elon Musk. It was not only the profile picture and the verified badge that convinced people; it was also the image attached to the posts.
The advantage of using an image in a Twitter scam
There are a couple of advantages to using an image like this in a Twitter scam. Some create an illusion, and some bypass Twitter’s controls against scams.
First of all, putting an image of a tweet inside a tweet looks like a quote-retweet. Second, you can manipulate the image and make it look like a genuine tweet. In this one, check out the account name (elonmusk), which is Musk’s real Twitter handle. You can put in as many likes and RTs as you want. There is no date on the image either (only the time). All of these are deliberate choices by the cybercriminals.
Last but not least, putting the phishing URL inside the image bypasses Twitter’s link controls. The phishing site is www[.]spacex[.]sh. If this URL had been inside the tweet as a clickable link, Twitter could have flagged it as suspicious (thanks to crowdsourced reports). That is not possible for links embedded in images.
Here, the cybercriminals expect people to type the URL into their browser and visit the phishing site. At first glance the URL looks legitimate: it contains SpaceX, a company founded by Elon Musk, followed by the TLD .sh. This country-code TLD is not well known; it belongs to Saint Helena, Ascension and Tristan da Cunha (a British Overseas Territory). I will provide more information about this phishing site in a moment, but first, let’s take a look at whose Twitter account this is.
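A defender who collects such URLs (from user reports, tweet text, or text read out of images) needs a cheap first-pass check for exactly this pattern: a protected brand name sitting on an apex domain that the brand does not own. The following Python is an added example, not code from the original post; the brand allowlist and the tiny public-suffix table are constructed for the example (a real deployment would use the full Public Suffix List), and the hostnames it is run against are the defanged one from the post plus made-up controls.

```python
from urllib.parse import urlsplit

# Brands worth protecting and the apex domains that legitimately carry them.
# Constructed allowlist for this example; a real deployment maintains its own.
BRAND_ALLOWLIST = {
    "spacex": {"spacex.com"},
    "medium": {"medium.com"},
}

# Tiny stand-in for the Public Suffix List; only what this example needs.
PUBLIC_SUFFIXES = {"com", "net", "org", "sh", "co.uk"}


def refang(text):
    """Turn a defanged indicator such as www[.]spacex[.]sh back into a hostname."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Return the apex (public suffix plus one label), e.g. www.spacex.sh -> spacex.sh.

    Returns None when the host ends in no known suffix or is the suffix itself.
    """
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def check_brand_abuse(indicator):
    """Flag hostnames that carry a protected brand name outside that brand's real apex."""
    url = refang(indicator.strip())
    if "://" not in url:
        url = "http://" + url          # bare hostnames as typed by a user
    host = urlsplit(url).hostname or ""
    apex = registrable_domain(host)
    if apex is None:
        return {"host": host, "apex": None, "brand": None, "verdict": "unparseable"}
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in host and apex not in allowed:
            return {"host": host, "apex": apex, "brand": brand, "verdict": "suspicious"}
    return {"host": host, "apex": apex, "brand": None, "verdict": "ok"}


if __name__ == "__main__":
    # Constructed inputs: the defanged phishing host from the post plus benign controls.
    for ind in ["www[.]spacex[.]sh", "https://www.spacex.com/",
                "hxxps://medium[.]com/@someone", "spacex-giveaway.co.uk"]:
        print(check_brand_abuse(ind))
```

The check is deliberately simple: substring matching on the hostname will over-trigger on unrelated words, so a "suspicious" verdict is a triage signal for an analyst, not a block decision on its own.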
Whose Twitter account is this?
When I clicked on the Twitter account sending the scam posts, I saw that it belongs to Caleb Grimm, a musician from Nashville. He is basically another victim of this scam. The attackers targeted Grimm because he has a verified account. They compromised his account and changed the profile picture and display name to impersonate Musk. Grimm may have clicked a link he shouldn’t have in an e-mail (or a DM), or he may have used a third-party app that requested permission to use his Twitter account. Whatever the reason, cybercriminals often target verified Twitter accounts.
Grimm was able to reclaim his account within a day, but that was enough time for the criminals to lure people into their trap. Perhaps because of Grimm’s quick action, the scam lasted only a short time: it started and ended on the same day.
Layers of a phishing attack
When I visited the URL given in the image, I realized that it was a multi-layered scam and the Twitter part was just the first layer. The URL directs you to a website impersonating a Medium page (like the one you are currently reading).
Second layer: Medium page
You can see how beautifully this page is designed. Even so, a couple of things hint that it is not an actual Medium page. Some of the buttons are not clickable:
- The clap button on the left — but, hey, the clap button on this article is certainly clickable, so please hit that button if you enjoy reading this :D.
- The Elon Musk name — I don’t think Musk has an official Medium account.
- The Follow button
But the rest is clickable and directs you to the official, legitimate pages. For instance, the Sign-in button takes you to Medium’s real sign-in page.
Here, the scammers want you to click the links at the bottom of the page, after a short, convincing introduction. The claim is free BTC and ETH. Who doesn’t want that, right? But there is no “free lunch” in this world.
Before we dive into those links, take a look at the URL in the address bar. You can see the padlock icon. The padlock only means that the connection is encrypted and the site presents a valid certificate; it says nothing about who runs the site. Getting an SSL certificate has become easier over time, not just for the public but also for the hackers. That’s why we have started to see more and more phishing sites with a padlock icon.
Third layer: cryptocoin giveaway pages
When I clicked the first link on the page, it directed me to a webpage with a payment address. Wait a second! If this is a giveaway, why do I have to pay something? The attackers put a convincing sentence up there saying that they need to verify your BTC address. So, you have to pay 0.05 BTC to receive 5 BTC, or 0.1 BTC to receive 10 BTC. That makes sense to the victims of these attacks, considering that some e-commerce sites verify your bank account in a similar way.
The Ethereum giveaway page was the same except for the verification amounts. Scammers ask for 1 ETH to receive 100 ETH. If you send 2 ETH, the reward(!) doubles.
If you check the URL of these pages, you can easily notice that we are still on the same domain (spacex[.]sh). The padlock icon is still smiling at us, giving a false sense of security.
The progress bar at the bottom shows how many BTC/ETH are left in this crypto party. The page’s source code shows that the numbers on the bar are actually static and never change. The bar serves a psychological purpose: to hurry victims into acting before they notice it is a scam. Before I show the results that hint at the actors behind this scheme, let me talk about how much money the attackers got from this short-lived scam.
Tracking BTC and ETH addresses
The owners of BTC and ETH addresses are not publicly visible, which is why cryptocurrency is so popular among cybercriminals. However, the transactions themselves are public, so it is possible to see the balance of a BTC/ETH address over a period of time using certain OSINT sites.
For BTC, I checked the balance of the given BTC address. Here you can see that the number of transactions is five and the date of the first transaction is April 30, 2020, the date of the tweets. The page shows the total BTC received as 0.2 BTC and the number of outgoing transactions as one. The current balance is zero, which means the hackers emptied the address on May 3, 2020 (the date of the last transaction). On May 3, 0.2 BTC was worth $1,781. It would not be reasonable to think that the attackers used only one BTC address; there may be other BTC addresses used at different times for different scams.
The attackers seem to have been luckier with ETH. When I checked the balance of the ETH address, I could see that the attackers had been using this address for some time. It was emptied on May 4. The total amount before then was worth $4,396.
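The figures above (transaction count, first and last transaction dates, total received, outgoing count, current balance, dollar value) are what a block explorer summarises for an address. The following Python is an added example, not code from the original post, that computes the same summary from a transaction list so an analyst can track a watched address offline or across explorers. The ledger rows are constructed to mirror the post’s BTC numbers and are not real chain data; the exchange rate passed in is likewise a constructed value chosen so that 0.2 BTC prices at $1,781.

```python
from datetime import date
from decimal import Decimal

# Constructed ledger for one watched BTC address. Made-up rows that mirror the
# post's figures (five transactions, 0.2 BTC received, one outgoing spend).
SAMPLE_BTC_TXS = [
    {"date": "2020-04-30", "direction": "in",  "amount": "0.05"},
    {"date": "2020-04-30", "direction": "in",  "amount": "0.05"},
    {"date": "2020-05-01", "direction": "in",  "amount": "0.05"},
    {"date": "2020-05-02", "direction": "in",  "amount": "0.05"},
    {"date": "2020-05-03", "direction": "out", "amount": "0.20"},
]


def summarize_address(txs, usd_per_coin=None):
    """Summarize an address's history the way a block-explorer page does.

    txs: list of {"date": "YYYY-MM-DD", "direction": "in"|"out", "amount": "<str>"}.
    usd_per_coin: optional rate (str or Decimal) used to price the total received.
    Decimal is used throughout so that 0.05 + 0.05 + ... sums exactly.
    """
    received = Decimal("0")
    sent = Decimal("0")
    all_dates, out_dates = [], []
    for tx in txs:
        amount = Decimal(tx["amount"])
        when = date.fromisoformat(tx["date"])
        if tx["direction"] == "in":
            received += amount
        elif tx["direction"] == "out":
            sent += amount
            out_dates.append(when)
        else:
            raise ValueError(f"unknown direction {tx['direction']!r}")
        all_dates.append(when)

    balance = received - sent
    summary = {
        "tx_count": len(txs),
        "first_tx": min(all_dates) if all_dates else None,
        "last_tx": max(all_dates) if all_dates else None,
        "received": received,
        "sent": sent,
        "outgoing_count": len(out_dates),
        "balance": balance,
        # Swept to zero after at least one spend: what the post calls "emptied".
        "emptied": bool(out_dates) and balance == 0,
        "emptied_on": max(out_dates) if out_dates and balance == 0 else None,
    }
    if usd_per_coin is not None:
        summary["received_usd"] = received * Decimal(usd_per_coin)
    return summary


if __name__ == "__main__":
    # Constructed rate: the value that makes 0.2 BTC worth $1,781, as in the post.
    for key, value in summarize_address(SAMPLE_BTC_TXS, usd_per_coin="8905").items():
        print(f"{key:>15}: {value}")
```

The same function serves an ETH address by feeding it that address’s rows; the only difference is the rate passed in. Keeping amounts as strings until they become Decimal avoids the binary-float rounding that would otherwise turn four deposits of 0.05 into something slightly different from 0.2.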
Whois can hint at who is behind the scam
I wrote a very detailed article about what can be learned from a phishing domain. The very first step in this type of research is to check the whois records. Sometimes these records are hidden or provide little information; sometimes they directly tell you who registered the domain. I was lucky in the whois search as well.
Whois records show that the phishing domain was created on April 30, 2020 (the date of the scam). They provide a name for the registrant and also an address (city and country). I wouldn’t explicitly say that this person is behind the scam or that this is a scam executed by Russian hackers. The information in whois records does not always reflect the truth, but it always gives hints.
The IP address used for the phishing domain is behind Cloudflare and is shared, i.e., multiple sites use the same IP address. According to SecurityTrails, more than 1,300 websites are currently hosted on this IP address.
Even though the phishing domain spacex[.]sh returns HTTP status 404 (Not Found) today, it could still be used later for a similar scam.
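The two whois signals the post relies on, a creation date that coincides with the scam and a registrant name and location, are easy to extract and score automatically once the record is in hand (from the `whois` command-line tool or a registrar’s RDAP endpoint). The Python below is an added example, not code from the original post; the whois text it parses is constructed with placeholder values and is not the real record for spacex[.]sh, and the 30-day age threshold is an assumed triage setting. It also handles the case the post mentions where the registrant field is hidden.

```python
from datetime import date, datetime

# Constructed whois output. Every value is a placeholder; this is not the real
# record for spacex[.]sh and the registrant details are invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PHISH.SH
Registry Domain ID: PLACEHOLDER-ID
Registrar: Example Registrar Ltd
Creation Date: 2020-04-30T11:02:45Z
Registry Expiry Date: 2021-04-30T11:02:45Z
Registrant Name: Placeholder Registrant
Registrant City: Placeholder City
Registrant Country: XX
Name Server: ns1.example-dns.invalid
Name Server: ns2.example-dns.invalid
"""


def parse_whois(text):
    """Parse 'Key: value' whois lines into a dict; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep or not key.strip():
            continue
        key, value = key.strip().lower(), value.strip()
        if key in record:
            prev = record[key]
            record[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            record[key] = value
    return record


def creation_date(record):
    """Creation Date comes in a few shapes; accept ISO 8601 with or without time."""
    raw = record.get("creation date", "")
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def assess_domain(whois_text, observed_on, max_age_days=30):
    """Score a domain seen in a lure against its whois record (assumed threshold)."""
    rec = parse_whois(whois_text)
    created = creation_date(rec)
    age = (observed_on - created).days if created else None
    reasons = []
    if age is not None and age <= max_age_days:
        reasons.append(f"domain registered {age} day(s) before the sighting")
    registrant = rec.get("registrant name", "")
    hidden = any(w in registrant.lower() for w in ("redacted", "privacy", "withheld"))
    if not registrant or hidden:
        reasons.append("registrant identity hidden")
    return {
        "domain": rec.get("domain name", "").lower(),
        "created": created,
        "age_days": age,
        "registrant": registrant,
        "location": (rec.get("registrant city"), rec.get("registrant country")),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The sighting date is the day of the tweets described in the post.
    print(assess_domain(SAMPLE_WHOIS, observed_on=date(2020, 4, 30)))
```

A zero-day-old domain is a strong signal on its own; the registrant fields are recorded as leads, not conclusions, for exactly the reason the post gives: nothing forces a registrant to enter truthful details.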
Conclusion
This is not the first time attackers have hijacked verified accounts to run an Elon Musk scam. However, we can see that attackers are improving their ability to manipulate people with cascaded, more sophisticated attacks. The scam described in this article is a good example of scammers’ methodology. In this one, they hijacked a verified account, lured people to a phishing domain with an image in a tweet, impersonated a Medium page on a phishing domain with a certificate (https — padlock icon), and asked for a small amount of cryptocurrency for “verification”.
_________________
Thanks for reading. If you enjoyed this article, feel free to hit that clap button 👏 (more than once if you like) to help others find it.