
Twitter Bots Impersonate Support Staff To Steal Your Cryptocurrency

By Julie J. Helfer

Dec 7, 2021

Scammers monitor every public tweet that asks for help with MetaMask, TrustWallet, and other popular crypto wallets, and reply to it with fraudulent links within seconds.

To carry out these targeted phishing attacks, scammers abuse Twitter APIs that allow them to monitor all public tweets for specific keywords or phrases.

When a matching tweet appears, the same programs direct Twitter bot accounts under the scammer's control to reply automatically, posing as support agents and linking to phishing forms that harvest the wallet's recovery phrase.

These attacks are not new and we reported them in May. However, these attacks have spread to other cryptocurrencies and scams continue to run rampant.

Therefore, we felt it was worth revisiting this attack and illustrating how it works, so that you don't accidentally become a victim.

The Anatomy of the Twitter Crypto Scam

In tests conducted by BleepingComputer, tweets containing the words “support”, “help” or “assistance” together with a wallet name such as “MetaMask”, “Phantom”, “Yoroi” or “Trust Wallet” drew almost instantaneous replies from Twitter bots linking to fake support forms or fake support accounts.

Other combinations, such as a wallet name plus the word “stolen”, produced mixed results.

Our first test of these scam cryptocurrency bots was to pack a tweet with lots of keywords and see what would happen.

We then performed further tests to narrow down which keywords triggered responses from the bots.

Within seconds of posting our tests, we received responses from numerous fraudulent accounts claiming to be MetaMask and TrustWallet support accounts, “former victims” or helpful users.

All of the scammer’s responses share a common goal: to steal recovery phrases from a victim’s wallet, which attackers can then use to import the wallet to their own devices.
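The trigger pattern described above (a tweet naming a wallet plus a support keyword, followed within seconds by a reply from a look-alike "support" account that pushes the victim to an off-platform form asking for the recovery phrase) can be turned around and used as a detection heuristic. The following Python script is an added example, not BleepingComputer's code and not anything Twitter ships; the allow-list of official handles, the form hosts beyond Google Forms, and every tweet record are constructed assumptions for illustration.

```python
"""Heuristic scorer for Twitter support-scam bot replies.

Added example, not from the original article. Scores replies to a wallet
support request against the pattern the article describes. All tweet
records, handles and URLs below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Trigger vocabulary from the article's tests (wallet list is not exhaustive).
WALLET_KEYWORDS = ("metamask", "trust wallet", "trustwallet", "phantom", "yoroi")
SUPPORT_KEYWORDS = ("support", "help", "assistance")
# Wording that solicits the recovery phrase itself.
SEED_KEYWORDS = ("recovery phrase", "seed phrase", "secret phrase", "12 words", "24 words")
# Off-platform form hosts. Google Forms is the one the article names; the
# short link domain is an assumed additional host a defender might watch.
FORM_HOST_RE = re.compile(r"https?://(?:docs\.google\.com/forms|forms\.gle)/", re.I)
# Assumed allow-list of official handles; a real deployment would verify
# these against each project's own website rather than trust this literal.
OFFICIAL_HANDLES = {"metamask", "metamasksupport", "trustwallet", "phantom", "yoroiwallet"}
# Replies landing this quickly after the request are characteristic of bots.
FAST_REPLY = timedelta(seconds=30)


@dataclass(frozen=True)
class Tweet:
    handle: str
    display_name: str
    text: str
    created_at: datetime
    in_reply_to: Optional[str] = None  # handle of the tweet being replied to


def _contains_any(text: str, keywords) -> bool:
    t = text.lower()
    return any(k in t for k in keywords)


def is_support_request(tweet: Tweet) -> bool:
    """True when a tweet matches the keyword pattern the scam bots watch for."""
    return _contains_any(tweet.text, WALLET_KEYWORDS) and _contains_any(tweet.text, SUPPORT_KEYWORDS)


def impersonates_support(tweet: Tweet) -> bool:
    """Handle or display name claims to be wallet support, but is not an official handle."""
    ident = f"{tweet.handle} {tweet.display_name}".lower()
    claims_support = _contains_any(ident, WALLET_KEYWORDS) or "support" in ident
    return claims_support and tweet.handle.lower() not in OFFICIAL_HANDLES


def score_reply(request: Tweet, reply: Tweet) -> Tuple[int, List[str]]:
    """Score one reply; each matched indicator adds one point and one reason."""
    reasons = []
    if reply.created_at - request.created_at <= FAST_REPLY:
        reasons.append("replied within seconds")
    if impersonates_support(reply):
        reasons.append("poses as wallet support from an unofficial handle")
    if FORM_HOST_RE.search(reply.text):
        reasons.append("links to an off-platform form")
    if _contains_any(reply.text, SEED_KEYWORDS):
        reasons.append("mentions the recovery phrase")
    return len(reasons), reasons


def flag_scam_replies(request: Tweet, replies: List[Tweet], threshold: int = 2):
    """Return [(reply, reasons)] for replies to `request` scoring >= threshold, highest first."""
    scored = [(r, score_reply(request, r)) for r in replies if r.in_reply_to == request.handle]
    flagged = [(r, reasons) for r, (score, reasons) in scored if score >= threshold]
    flagged.sort(key=lambda item: len(item[1]), reverse=True)
    return flagged


# Constructed sample data: one support request and three replies to it.
T0 = datetime(2021, 12, 7, 15, 0, 0)
REQUEST = Tweet("cryptonoob", "Jane", "My MetaMask wallet won't load, need support please!", T0)
REPLIES = [
    Tweet("metamask_helpdesk22", "MetaMask Support",
          "Hi! Sorry to hear that. Fill out our support form and our bot will fix it: "
          "https://docs.google.com/forms/d/e/EXAMPLE/viewform",
          T0 + timedelta(seconds=4), "cryptonoob"),
    Tweet("lost_it_all_2021", "former victim",
          "Same happened to me, this team recovered mine, just send your recovery phrase here: "
          "https://forms.gle/EXAMPLE",
          T0 + timedelta(seconds=9), "cryptonoob"),
    Tweet("alice_dev", "Alice",
          "Try clearing the extension cache and restarting the browser. Never give anyone your seed phrase.",
          T0 + timedelta(minutes=12), "cryptonoob"),
]

if __name__ == "__main__":
    for reply, reasons in flag_scam_replies(REQUEST, REPLIES):
        print(f"@{reply.handle}: {', '.join(reasons)}")
```

The third reply mentions "seed phrase" only to warn against sharing it, so it scores a single point and is not flagged; the two bot-style replies each hit three indicators. In practice the keyword match on the request is the same one the scammers use, which is exactly why a defender monitoring the same stream can catch the replies as they land.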

To steal recovery phrases (aka seed phrases), threat actors set up support forms on Google Docs and other cloud platforms.

These forms masquerade as a basic support form, asking the user for their email address, the problem they are having, and the recovery phrase for their wallet, as seen in the fake MetaMask support form below.

Fake MetaMask support form
Source: BleepingComputer

Where it asks for the recovery phrase, the form includes nonsense about the phrase being processed by an “encrypted cloud bot”, wording meant to reassure the user into submitting the sensitive information.

Prompt the victim to enter their recovery phrase

Once the recovery phrase reaches the attackers, it's game over: they have full access to the cryptocurrency in your wallet and can transfer it to wallets under their control.

Before anyone says that no one falls for these scams: unfortunately, people do, and Twitter users have had their wallets, cryptocurrency, and NFTs stolen.

Twitter told BleepingComputer that using Twitter APIs to send spam is against the rules and that they are actively working on new methods to prevent such attacks.

“It is against our rules to use scam tactics on Twitter to obtain money or private financial information, including through automated activities. Our Developer Policy also strictly prohibits the use of the Twitter API and developer products to spam people,” a Twitter spokesperson explained.

“When we identify apps or accounts that violate these policies, we take appropriate enforcement action. We are constantly adapting to the evolving methods of malicious actors and will continue to act quickly to combat cryptocurrency scams on the platform as they evolve.”

Never share recovery phrases!

As a general rule, you should never share your wallet recovery phrase with anyone. The recovery phrase is for you alone, and no legitimate support person from MetaMask, TrustWallet, or anywhere else will ever ask for it.

It’s also important not to share your screen with an untrusted party who then asks you to display your recovery phrase; at that point they can simply take a screenshot or copy it down by hand.

Ultimately, these attacks will continue unless Twitter finds a way to stop these bots from running rampant, restricts automated monitoring of specific keywords, or implements tighter controls on who can join its developer platform.

Update 12/7/21: Added a statement from Twitter.