Gold Check X Account Takeover

Scams coming from verified accounts on various platforms are not a new thing under the sun. But it’s another level when, on X, instead of compromising a blue-checkmarked individual’s account, attackers or scammers compromise a gold-checkmarked account belonging to a high-profile business or organization. Imagine being contacted by such an account, which is exactly what happened recently to another X user.

I am unsure what the original account was, but compromising a gold-check account and renaming it to “X Helps” is something I feel a lot of people will fall for.

The message to @DonutOperator contains a phishing link to hxxp://journey-x-annoying[.]com/case. Let’s start the analysis and see if we can take this down.

Analysis

VirusTotal gives a 6/94 community score: https://www.virustotal.com/gui/domain/journey-x-annoying.com

The WHOIS lookup in the VT Details tab shows that the domain was created and registered yesterday, on 19 January, via Tucows Domain Registration.

URLScan shows the URL leads to a so-called X “Copyright Infrigement” alert:

But as with 90% of all phishing attempts, the tell is in the details. Most scammers and hackers are foreign and can never get English grammar or spelling right. You’d think they’d be smart enough to just use an online spell checker, or even an AI-generated paragraph. They also rely on the urgency tactic to rush a naive user into submitting a form right away:

Copyright infringement [is] detected in your account. If you think [the] copyright infringement is incorrect(?), you should provide feedback on the form. If you can’t give feedback, [y]our account will be permanently deleted from our servers within 24 hours!

URLScan shows no malicious redirects. VirusTotal shows that the site is served by 104.21.52.83 and 172.67.197.67, both of which are Cloudflare servers.

I threw the URL into the Any.run sandbox app and found that clicking the Next button on the initial splash page doesn’t pull down any malicious code, just an X login page: https://app.any.run/tasks/e8fc7414-1e99-4b19-8887-3fac567cb356

Lastly, I did run dirbuster from a Kali instance to find additional web server directories hiding on that domain — but I found nothing. Every request resulted in a 404 HTTP status code. Granted, the domain hasn’t been alive for long and may still be used for additional staging or malware hosting in the future.
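The tells walked through above (a domain registered the day before, the misspelled “Infrigement”, the 24-hour deletion threat) can be turned into a simple triage score. This is an added example, not code from the original post; the lure text and defanged URL come from the post, while the analysis date and the year are assumptions.

```python
"""Triage heuristics for the X "copyright infringement" lure described above."""
import re
from datetime import date

# Urgency phrases the post calls out as the rush-the-user tactic.
URGENCY_PHRASES = ("within 24 hours", "permanently deleted", "right away", "immediately")
# Misspelling -> correct word. "infrigement" is the one seen in this lure.
KNOWN_MISSPELLINGS = {"infrigement": "infringement"}
LEGIT_BRAND_DOMAINS = {"x.com", "twitter.com"}


def refang(url: str) -> str:
    """Turn a defanged hxxp://example[.]com URL back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def domain_of(url: str) -> str:
    """Extract the registrable host from an http(s) URL, lower-cased."""
    return re.sub(r"^https?://", "", refang(url)).split("/")[0].lower()


def domain_age_days(created: date, seen: date) -> int:
    return (seen - created).days


def score_lure(text: str, url: str, created: date, seen: date) -> dict:
    """Return each tell found plus a summed score (higher = more suspicious)."""
    lower = text.lower()
    domain = domain_of(url)
    tells = {
        "urgency": [p for p in URGENCY_PHRASES if p in lower],
        "misspellings": [w for w in KNOWN_MISSPELLINGS if w in lower],
        "newly_registered": domain_age_days(created, seen) <= 30,
        # Brand name used as a standalone label inside a non-brand domain.
        "brand_in_domain": domain not in LEGIT_BRAND_DOMAINS
        and bool(re.search(r"(^|[-.])x([-.]|$)", domain)),
    }
    score = (len(tells["urgency"]) + len(tells["misspellings"])
             + 2 * tells["newly_registered"] + 2 * tells["brand_in_domain"])
    return {"domain": domain, "score": score, **tells}


def analyze_post_sample() -> dict:
    """Run the scorer over the lure quoted in the post (constructed sample input)."""
    lure = ("Copyright Infrigement detected in your account. If you think copyright "
            "infringement is incorrect, you should provide feedback on the form. If you "
            "can't give feedback, our account will be permanently deleted from our "
            "servers within 24 hours!")
    # Assumed dates: created 19 Jan per WHOIS, seen the next day; the year is a placeholder.
    return score_lure(lure, "hxxp://journey-x-annoying[.]com/case",
                      date(2025, 1, 19), date(2025, 1, 20))
```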

Conclusion

Infiltration of the actor behind this scam would take an actual chat with the user and sending my own phishing link.

Overall it is a very effective phishing method: compromise an X account via social engineering, then use that account to phish others. I’m not sure of the scammer’s end game. Maybe to get to a “big fish” account in order to extort money from the account owner to get it back? In this instance, the scammer just overlaid the phishing page with a real X login page to mimic it. But in reality the hacker is capturing credentials in a MITM attack.

Compromising gold-checkmark accounts is a very easy way to get to someone. Always check for unfamiliar URL domains and for incorrect grammar and spelling.