45

I was just surprised to see this suspicious promoted tweet, asking me to send Bitcoins

Promoted tweet from Target

I added the hand-drawn red lines so I am not responsible for propagating the apparent scam.

Clicking on the user name seems to take me to the genuine Target page with the verified checkmark.

Clicking on the link to the tweet (i.e. "40m") gives me an error that the tweet no longer exists.

Clicking on the URL goes to a page that looks like the screenshot, and a list of transactions.


Is it fair for me to conclude: Target lost control of their Twitter account to an (internal or external) scammer, who is ripping off people who think they are having a give-away?

Is there another way their username could appear advertising a scam without access to their Twitter account credentials?

Oddthinking
  • [12] Is the screenshot from twitter.com? Did you check that HTTPS was used? But yeah, it sure looks like someone abused their account. – Anders Nov 13 '18 at 11:49
  • [10] Yes, it is from Twitter. Yes, it is https, and Chrome is happy with the certificate. – Oddthinking Nov 13 '18 at 11:56
  • [6] Then indeed Target has had their Twitter account hacked. – forest Nov 13 '18 at 11:57
  • [6] All that technical analysis and no mention of the atrocious grammar? I know that the art of writing well is quickly going the way of the dodo, but usually the PR folks manage to get it reasonably close. – FreeMan Nov 13 '18 at 20:47
  • [3] @FreeMan: That the tweet was suspicious wasn't the question. I was going to go on social media in response to say "Hey look! I was almost scammed by Target" when I realised I wasn't an authority on this, and it might be something else - e.g. *I* was running malware which was attacking my Twitter page, or it was a fake Twitter account that just looked like Target's, or... – Oddthinking Nov 14 '18 at 00:00
  • @Oddthinking sorry, wasn't meant to be a personal attack. I just found the grammar... lacking... – FreeMan Nov 14 '18 at 01:36
  • @FreeMan I totally agree. "Left Bitcoin" lol – Clonkex Nov 14 '18 at 06:23
  • [1] Pretty terrible scam - along with the grammar, they are asking for a minimum transfer of $1200 and say they are going to give back up to $225K? Much more believable when the scam is more like "give us $5 to verify and we will send you $20." – JPhi1618 Nov 14 '18 at 18:17
  • The thing that amazes me is "send this much and you get 200% back!", clearly trying to encourage sending larger amounts, which contradicts the claim that sending BTC is only a way to verify an address (which, at least to someone who isn't familiar with it, might seem logical). – forest Nov 15 '18 at 09:32
  • I mean..... considering 5K bitcoins is about 35+ millions (at least in Canadian dollars, too lazy to do a conversion)... this feels like too big a giveaway for it to be publicized only in one tweet. – Patrice Nov 15 '18 at 13:51

2 Answers

70

Yes, Target did have their account hacked. In fact, quite a lot of verified account holders have been hacked to further this scam. The scammers do this to impersonate other accounts, including Elon Musk's, by changing their name while retaining their verified status. In this case, it just looks like the scammer is using Target's account directly. This scam has made the hackers over $150,000.

The Elon Musk scam is the most well-known now, but it appears Target was caught as well.

forest
  • [1] The Elon Musk scam link is broken for me – BallpointBen Nov 13 '18 at 21:30
  • @BallpointBen you may have a firewall blocking archive.fo - [here's the direct page](https://www.dailydot.com/debug/elon-musk-bitcoin-scam-verified-twitter-account/). –  Nov 13 '18 at 21:34
  • [21] Is it just me, or does it seem to anyone else that Twitter could prevent this *really* easily just by disallowing name changes for verified accounts (except when manually reviewed)? – Wildcard Nov 14 '18 at 01:29
  • [4] @Wildcard That wouldn't protect from the fact that the verified accounts themselves got hacked. So sure, you couldn't have a verified account impersonate Elon Musk, but if you hacked Target's account (as happened here), you can still use it to further the scam. – forest Nov 14 '18 at 03:23
  • [18] @forest, right, but right now there's a security hole allowing so-called "verified" users to impersonate other verified users and appear as though they were verified to *be* those other users. (As in the Elon Musk impersonators.) This makes "verified" a meaningless attribute. – Wildcard Nov 14 '18 at 03:48
  • @forest Why use archive link when there is a direct working link? – Kolappan N Nov 14 '18 at 07:09
  • [1] @KolappanNathan because it might not keep working in the future. – JAD Nov 14 '18 at 07:28
  • [8] And by "hacked" do we just mean their password was guessed? – Lightness Races in Orbit Nov 14 '18 at 11:03
  • [3] @LightnessRacesinOrbit I'm not sure if we know yet. Maybe guessed, maybe a spear phishing attack or other social engineering techniques were used... – forest Nov 14 '18 at 11:12
  • [4] "This scam has made the hackers over $150,000." It still amazes me that in 2018 this kind of scam (send 1, receive 10) still works. – Michaël Polla Nov 14 '18 at 12:51
  • [4] @MichaëlPolla: What irritates me most is the fact that there's obviously many people stupid enough to fall for it despite spelling both "Bitcoic" and "supoot" wrong and making a claim (having ceded Tesla CEO position) which without any doubt would have been on top of the news (but hasn't), along with a promise that exceeds Musk's estimated personal wealth by a factor of ca. 1000, all that on an account that is _at the first glance very, very obviously not_ Elon Musk's. I mean, for a Nigerian prince, bad spelling and bad math is OK, but... – Damon Nov 15 '18 at 09:27
  • [1] @Damon People are just idiots. At least I'll always have a steady flow of income. – forest Nov 15 '18 at 09:31

31

Target has since confirmed my suspicion:

Hard Fork article

“Early this morning, Target’s Twitter account was inappropriately accessed” a company spokesperson told Hard Fork in an email. “The access lasted for approximately half an hour and one fake tweet was posted during that time about a Bitcoin scam.”

“We’re in close contact with Twitter, have deleted the tweet and have locked the account while we investigate further,” the retail giant further told Hard Fork. Unfortunately, the origin of the breach remains unclear.

Other reports of the incident include:

Oddthinking