An Open Letter To Twitter: You’re Part Of The Problem
A promoted tweet from a verified account lured Twitter users to their doom by advertising a Coinbase Ethereum giveaway scam.
Update: The Twitter handle @AICPA is now back under the control of its original owner, the American Institute of CPAs. The following statement regarding the breach of security was made by @AICPA:
Initial Coverage:
Crypto scams are impossible to ignore. They seem to be lurking around every corner in the ecosystem. Whether phishing attempts take the form of SMS messages, fake websites, or account-impersonating doppelgängers, chances are good someone has tried to fool you.
Twitter is one of the worst cases for scammers. Regardless of attempts to purge bots, or engage in greater policing, the prevalence of scams on the social media platform has reached epidemic proportions. As a prime example of this problem, today I saw a promoted tweet from a supposedly “Verified” account touting a fake Ethereum giveaway scam from someone attempting to impersonate Coinbase CEO Brian Armstrong.
Let’s consider this for a moment. To get a tweet promoted, the individual behind the scam would have had to pay and send it to Twitter for approval. This means that someone decided to impersonate Coinbase CEO Brian Armstrong, and it wasn’t immediately caught by whoever is in charge of vetting the source of promoted tweets. That’s a big strike.
What’s more, the tweet in question contains a link to a site that’s a phishing scam (h[xx]p://cryptobtc[dot]club), and no one decided to go ahead and check it? It may be because the account trying to scam people is “Verified”, but history has taught us that “Verified” by Twitter doesn’t necessarily mean anything. To anyone familiar with scams on Twitter, which I suppose ought to include people in charge of checking out promoted tweets, this cryptocurrency scam is a familiar sight:
The silver lining here is that by tracking the payment channels used to promote the tweet, it may be possible to figure out the identity of this scammer. At the very least those payment channels can be denied for any further purchases from Twitter.
It appears that, over the course of generating my report on this scam, the tweet in question has been taken down. I do not know whether this is from Twitter noticing the problem, or because the scammer is trying to avoid having their account audited. Another thing that remains unclear is how many people were exposed to the promoted tweet. For now, no one appears to have fallen for the trap and sent any BTC to the address that was featured on the scam site, but that address may be rotating with others as we have seen in the past.
These types of incidents are what help to stoke the fires on stories of billionaire entrepreneur Elon Musk turning to Dogecoin creator Jackson Palmer to help with the Twitter scams. Musk is certainly no stranger to being impersonated, to the point where one of his first publicly published acknowledgments of ETH was made in reference to scammers.
Now, whether or not you’re aware of it, MetaCert has been hard at work behind the scenes to prevent scammers from getting ahead of the game.
Cryptonite is just one of the tools that we’ve already built to fight against scams in the ecosystem. You can download Cryptonite right now for free. Cryptonite blocks phishing sites, and tells you immediately whether or not the Twitter account you’re looking at is trustworthy by displaying a green shield next to the handle of an account verified by the MetaCert Protocol. With this free tool, at a glance you can tell right away when there’s a scammer impersonating someone you follow.
We at MetaCert know that Cryptonite is a great first step, but it’s not enough, so we’ve also built a tool, now coming out of stealth and heading into the Alpha phase of testing, that actively monitors and blocks accounts attempting to impersonate you. When the person trying to impersonate you is blocked, that means they can’t reply to your tweets with their fake promotions, and by automating this process we think it will go a long way towards dampening the potency of Twitter scams.
One of the things that makes us passionate about what we do at MetaCert is the fact that we shelter individuals from risky links, malicious cryptocurrency addresses, and phishing scams. Chances are we’ve protected you already, because today our products keep over 1,000,000 users safe from malicious resources. This is something we’re proud of, that no other company can claim.
If you want to learn more about how MetaCert is protecting you, get involved and join our Telegram community, read up about our blockchain-based solution to the classification of web resources in our white paper and technical paper, and don’t forget to follow us @MetaCert on Twitter.
MetaCert Protocol is the best in the world at one thing — URL Classification.
MetaCert Protocol is decentralizing cybersecurity for the Internet, by defining ownership and URL classification information about domain names, applications, bots, crypto wallet addresses, social media accounts and APIs. The Protocol’s registry can be used by ISPs, routers, Wi-Fi hotspots, crypto wallets and exchanges, mobile devices, browsers and apps, to help address cyber threats such as phishing, malware, brand protection, child safety and news credibility. Think of MetaCert Protocol as the modern version of the outdated browser padlock and whois database combined.