A new phishing campaign is ongoing and targeting verified Twitter accounts with spam emails. These phishing emails bypassed Gmail's spam filters and targeted verified Twitter users.

What has been observed?

The phishing email urges Twitter users to update their profile details to avoid losing their verified status (the blue tick).
  • The malicious emails were sent majorly to users who displayed their email addresses in bio for business reasons.
  • In one case, the email arrived at the email address listed in the public Twitter bio instead of an email linked with a Twitter account. The email urged the user to click on an Update here button.
  • Hackers are reportedly harvesting the Twitter credentials of the targeted users.

How does it work?

The ‘Update here’ button in the email contains a link to a URL [https://www.cleancredit[.]in/wp-content/uploads/2021/12/index.html], which further redirects the user to another address [https://dublock[.]com/dublock/twitter/].
  • Both the URLs involved in the redirection chain are already compromised and abused by the attackers to host phishing pages.
  • After entering Twitter credentials at compromised websites, the user is urged to provide the 2FA code sent to them.
  • After obtaining the user's Twitter username, password, and 2FA code, the page redirects the user to the Twitter homepage.

Why people could fall for the scam?

Twitter's blue badge takedown corresponds with recent changes in the executive leadership of the tech firm, where the former CEO Jack Dorsey resigned and is now replaced with their CTO Parag Agrawal. Soon after that, Twitter removed the blue tick status from a number of accounts due to ineligibility to the norms of verified account status. Hackers are only leveraging this situation.


Cybercriminals are smartly taking advantage of real-life situations, such as Twitter removing the blue tick from notable accounts. They are fooling Twitter users with phishing emails laden with malicious links. Therefore, users should stay alert for phishing emails and should not blindly trust the sender or open links or attachments that come within them.

Cyware Publisher