
Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”

Original story:

The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.

A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.

The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered space-twitter.com, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.

Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).

The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.

Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.

“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”
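The failure mode in this story, as an added example (not Twitter/X's code, whose implementation is not public): `naive_display` is an assumed model of a rewrite that matches the text "twitter.com" without checking the hostname boundary, `safe_display` rewrites only when the parsed host is twitter.com or one of its subdomains, and `flag_lookalikes` is a hypothetical defender-side check over newly registered domains. The brand list is a constructed sample using names from the story.

```python
from urllib.parse import urlsplit, urlunsplit

OLD, NEW = "twitter.com", "x.com"

# Constructed sample of brand domains that end in "x.com" (names from the story).
BRANDS = {"fedex.com", "goodrx.com", "carfax.com", "netflix.com", "roblox.com"}


def _split(link):
    """Parse a link that may or may not carry a scheme."""
    has_scheme = "://" in link
    return has_scheme, urlsplit(link if has_scheme else "//" + link)


def host_of(link):
    """Lower-cased hostname of a link, or '' if none can be parsed."""
    return (_split(link)[1].hostname or "").lower()


def is_twitter_host(host):
    """True only for twitter.com itself or a real subdomain of it."""
    return host == OLD or host.endswith("." + OLD)


def naive_display(link):
    """Assumed model of the flawed rewrite: no hostname boundary check."""
    return link.replace(OLD, NEW)


def safe_display(link):
    """Rewrite the host only when it really is twitter.com or a subdomain."""
    has_scheme, parts = _split(link)
    host = (parts.hostname or "").lower()
    if not is_twitter_host(host):
        return link
    # Keep any userinfo and port; swap only the trailing "twitter.com" of the host.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    new_hostport = hostport[: len(host) - len(OLD)] + NEW + hostport[len(host):]
    rebuilt = urlunsplit(parts._replace(netloc=userinfo + at + new_hostport))
    return rebuilt if has_scheme else rebuilt[2:]


def flag_lookalikes(domains, brands=BRANDS):
    """Return (domain, rendered_as, matches_known_brand) for registrations that
    the naive rewrite would have displayed as a different domain."""
    hits = []
    for domain in domains:
        host = host_of(domain)
        if is_twitter_host(host):
            continue  # genuine twitter.com hosts are the intended rewrite target
        rendered = host_of(naive_display(host))
        if rendered != host:
            hits.append((host, rendered, rendered in brands))
    return hits


if __name__ == "__main__":
    # Domains named in the story as defensively registered, plus two controls.
    sample = ["goodrtwitter.com", "carfatwitter.com", "setwitter.com",
              "twitter.com", "example.org"]
    for row in flag_lookalikes(sample):
        print(row)
    print(safe_display("https://carfatwitter.com/login"))
    print(safe_display("https://mobile.twitter.com/home"))
```
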

Mandiant's X Account Was Hacked Using Brute-Force Attack

Mandiant said the compromise of its X (formerly Twitter) account last week was likely the result of a "brute-force password attack," and attributed the hack to a drainer-as-a-service (DaaS) group. "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the threat intelligence firm said 

X (Twitter) to Collect Biometric Data from Premium Users to Combat Impersonation

By: THN
X, the social media site formerly known as Twitter, has updated its privacy policy to collect users’ biometric data to tackle fraud and impersonation on the platform. “Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes,” the company said. The revised policy is expected to go into effect on September 29, 2023. The social

How to Protect Your Social Media Passwords from Hacks and Attacks

What does a hacker want with your social media account? Plenty.

Hackers hijack social media accounts for several reasons. They’ll dupe the victim’s friends and followers with scams. They’ll flood feeds with misinformation. And they’ll steal all kinds of personal information—not to mention photos and chats in DMs. In all, a stolen social media account could lead to fraud, blackmail, and other crimes.

Yet you have a strong line of defense that can prevent it from happening to you: multi-factor authentication (MFA).

What is multi-factor authentication (MFA)?

MFA goes by other names, such as two-factor authentication and two-step verification. Yet they all boost your account security in much the same way. They add an extra step or steps to the login process. Extra evidence to prove that you are, in fact, you. It’s in addition to the usual username/password combination, thus the “multi-factor” in multi-factor authentication.

Examples of MFA include:

  • Sending a one-time code via a text or phone call, often seen when logging into bank and credit card accounts.
  • Sending a one-time code to an authentication app, such as when logging into a gaming service.
  • Asking for the answer to a security question, like the name of your elementary school or the model of your first car.
  • Biometric information, like a fingerprint or facial scan.

With MFA, a hacker needs more than just your username and password to weasel their way into your account. They need that extra piece of evidence required by the login process, which is something only you should have.

This stands as a good reminder that you should never give out the information you use in your security questions—and never share your one-time security codes with anyone. In fact, scammers cobble together all kinds of phishing scams to steal that information.

How to set up MFA on your social media accounts.

Major social media platforms offer MFA, although they might call it by other names. As you’ll see, several platforms call it “two-factor authentication.”

Given the way that interfaces and menus can vary and get updated over time, your best bet for setting up MFA on your social media accounts is to go right to the source. Social media platforms provide the latest step-by-step instructions in their help pages. A simple search for “multi-factor authentication” and the name of your social media platform should readily turn up results.

For quick reference, you can find the appropriate help pages for some of the most popular platforms here:

  • Facebook two-factor authentication help page
  • Instagram two-factor authentication help page
  • Twitter two-factor authentication help page
  • TikTok two-factor authentication help page
  • Snapchat two-factor authentication help page

Another important reminder is to check the URL of the site you’re on to ensure it’s legitimate. Scammers set up all kinds of phony login and account pages to steal your info. Phishing scams like those are a topic all on their own. A great way you can learn to spot them is by giving our Phishing Scam Protection Guide a quick read. It’s part of our McAfee Safety Series, which covers a broad range of topics, from romance scams and digital privacy to online credit protection and ransomware.

MFA – a good call for your social media accounts, and other accounts too.

In many ways, your social media account is an extension of yourself. It reflects your friendships, interests, likes, and conversations. Only you should have access to that. Putting MFA in place can help keep it that way.

More broadly, enabling MFA across every account that offers it is a smart security move as well. It places a major barrier in the way of would-be hackers who, somehow, in some way, have ended up with your username and password.

On the topic, ensure your social media accounts have strong, unique passwords in place. The one-two punch of strong, unique passwords and MFA will make hacking your account tougher still. Wondering what a strong, unique password looks like? Here’s a hint: a password with eight characters is less secure than you might think. With a quick read, you can create strong, unique passwords that are tough to crack.

Lastly, consider using comprehensive online protection software if you aren’t already. In addition to securing your devices from hacks and attacks, it can help protect your privacy and identity across your travels online—both on social media and off.

The post How to Protect Your Social Media Passwords from Hacks and Attacks appeared first on McAfee Blog.

Scammers Follow the Rebranding of Twitter to X, to Distribute Malware

Authored by: Vallabh Chole and Yerko Grbic

On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as “X”. The news propelled Twitter and X to gain headlines and become the top trending topics on popular social media platforms.

Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding.

Figure 1. Twitter-X-themed YouTube Live Stream by scammer

Figure 2. Twitter X Crypto Scam

This type of scam has been active for some time and uses an innovative approach to lure victims. To make this scam more authentic, attackers target famous influencers with sponsorship emails that contain password-stealing malware as email attachments. When password stealer malware is executed, the influencer’s session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems.

Figure 3. Malware Flow Chart

After the influencer’s account has been compromised, the scammer starts to rename channels, in this case to “Twitter CEO”, and then the scammers start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as “Thanks Mr.Elon”. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute files, which are common password-stealing malware and are distributed through compromised social media accounts.

Protection with McAfee+:

McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.

Figure 4. McAfee WebAdvisor detection

Below is a detection heatmap for scam URLs targeting twitter-x and promoting crypto scams.

Figure 5. Scam URL Detection Heatmap

Figure 6. Password stealer Heatmap

Indicators of Compromise:

| Scam Site | Crypto Type | Wallet |
| --- | --- | --- |
| twitter-x[.]org | ETH | 0xB1706fc3671115432eC9a997F802aC79CD7f378a |
| twitter-x[.]org | BTC | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug |
| twitter-x[.]org | USDT | 0xB1706fc3671115432eC9a997F802aC79CD7f378a |
| twitter-x[.]org | DOGE | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J |

The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.

Instagram's Twitter Alternative 'Threads' Launch Halted in Europe Over Privacy Concerns

Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC). The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this

Be Mindful of These 3 AI Tricks on World Social Media Day

By: McAfee

Happy World Social Media Day! Today’s a day about celebrating the life-long friendships you’ve made thanks to social media. Social media was invented to help users meet new people with shared interests, stay in touch, and learn more about the world. Facebook, Twitter, Instagram, Reddit, TikTok, LinkedIn, and the trailblazing MySpace have all certainly succeeded in those aims.

This is the first World Social Media Day where artificial intelligence (AI) joins the party. AI has existed in many forms for decades, but it’s only recently that AI-powered apps and tools are available in the pockets and homes of just about everyone. ChatGPT, Voice.ai, DALL-E, and others are certainly fun to play with and can even speed up your workday.

While scrolling through hilarious videos and commenting on your friends’ life milestones are practically national pastimes, some people are making it their pastime to fill our favorite social media feeds with AI-generated content. Not all of it is malicious, but some AI-generated social media posts are scams.

Here are some examples of common AI-generated content that you’re likely to encounter on social media.

AI Voice Generation

Have you scrolled through your video feed and come across voices that sound exactly like the current and former presidents? And are they playing video games together? Comic impersonators can be hilariously accurate with their copycatting, but the voice track to this video is spot on. This series of videos, created by TikToker Voretecks, uses AI voice generation to mimic presidential voices and pit them against each other to bring joy to their viewers.[1] In this case, AI-generated voices are mostly harmless, since the videos are in jest. Context clues make it obvious that the presidents didn’t gather to hunt rogue machines together.

AI voice generation turns nefarious when it’s meant to trick people into thinking or acting a certain way. For example, an AI voiceover made it look like a candidate for Chicago mayor said something inflammatory that he never said.[2] Fake news is likely to skyrocket with the fierce 2024 election on the horizon. Social media sites, especially Twitter, are an effective avenue for political saboteurs to spread their lies far and wide to discredit their opponent.

Finally, while it might not appear on your social media feed, scammers can use what you post on social media to impersonate your voice. According to McAfee’s Beware the Artificial Imposters Report, a scammer requires only three seconds of audio to clone your voice. From there, the scammer may reach out to your loved ones with extremely realistic phone calls to steal money or sensitive personal information. The report also found that of the people who lost money to an AI voice scam, 36% said they lost between $500 and $3,000.

To keep your voice out of the hands of scammers, perhaps be more mindful of the videos or audio clips you post publicly. Also, consider having a secret safe word with your friends and family that would stump any would-be scammer.

Deepfake

Deepfake, or the alteration of an existing photo or video of a real person that shows them doing something that never happened, is another tactic used by social media comedians and fake news spreaders alike. In the case of the former, one company founded their entire business upon deepfake. The company is most famous for its deepfakes of Tom Cruise, though it’s evolved into impersonating other celebrities, generative AI research, and translation.[3]

When you see videos or images on social media that seem odd, look for a disclaimer – either on the post itself or in the poster’s bio – about whether the poster used deepfake technology to create the content. A responsible social media user will alert their audiences when the content they post is AI generated.

Again, deepfake and other AI-altered images become malicious when they cause social media viewers to think or act a certain way. Fake news outlets may portray a political candidate doing something embarrassing to sway voters. Or an AI-altered image of animals in need may tug at the heartstrings of social media users and cause them to donate to a fake fundraiser. Deepfake challenges the saying “seeing is believing.”

ChatGPT and Bot Accounts

ChatGPT is everyone’s favorite creativity booster and taskmaster for any writing chore. It is also the new best friend of social media bot accounts. Present on just about every social media platform, bot accounts spread spam and fake news and bolster follower numbers. Bot accounts used to be easy to spot because their posts were unoriginal and poorly written. Now, with the AI-assisted creativity and excellent sentence-level composition of ChatGPT, bot accounts are sounding a lot more realistic. And the humans managing those hundreds of bot accounts can now create content more quickly than if they were writing each post themselves.

In general, be wary when anyone you don’t know comments on one of your posts or reaches out to you via direct message. If someone says you’ve won a prize but you don’t remember ever entering a contest, ignore it.

Take Every Post With a Grain of Salt

With the advent of mainstream AI, everyone should approach every social media post with skepticism. Be on the lookout for anything that seems amiss or too fantastical to be true. And before you share a news item with your following, conduct your own background research to confirm that it’s true.

To protect or restore your identity should you fall for any social media scams, you can trust McAfee+. McAfee+ monitors your identity and credit to help you catch suspicious activity early. Also, you can feel secure in the $1 million in identity theft coverage and identity restoration services.

Social media is a fun way to pass the time, keep up with your friends, and learn something new. Don’t be afraid of AI on social media. Instead, laugh at the parodies, ignore and report the fake news, and enjoy social media confidently!

[1] Business Insider, “AI-generated audio of Joe Biden and Donald Trump trashtalking while gaming is taking over TikTok”

[2] The Hill, “The impending nightmare that AI poses for media, elections”

[3] Metaphysic, “Create generative AI video that looks real”

The post Be Mindful of These 3 AI Tricks on World Social Media Day appeared first on McAfee Blog.

U.K. Cyber Thug “PlugwalkJoe” Gets 5 Years in Prison

Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But O’Connor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by “SIM swapping,” a crime wherein fraudsters trick a mobile provider into diverting a customer’s phone calls and text messages to a device they control.

Joseph “PlugwalkJoe” O’Connor, in a photo from a Globe Newswire press release Sept. 02, 2020, pitching O’Connor as a cryptocurrency expert and advisor.

On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam — KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, O’Connor was stuck on an indefinite vacation at a popular resort in Spain.

Not long after the Twitter hack, O’Connor was quoted in The New York Times denying any involvement. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldn’t be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.

O’Connor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged O’Connor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.

In late April 2023, O’Connor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, O’Connor was sentenced to five years in prison.

PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control.

From there, the attackers can reset the password for any of the victim’s online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).

O’Connor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.

PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.

Victims who refused to give up social media accounts or submit to extortion demands were often visited with “swatting attacks,” wherein O’Connor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a target’s address.

Prosecutors said O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

In the case of the Twitter hack, O’Connor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface, on July 15, 2020.

To resolve the case against him in New York, O’Connor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.

In addition to the prison term, O’Connor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.

To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.

Three others were charged along with O’Connor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.

This story is a good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.

Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.

Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam

A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S. Joseph James O'Connor (aka PlugwalkJoe), 24, was awarded the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The infamous Twitter breach allowed the

Interview With a Crypto Scam Investment Spammer

Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.

Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via “private mentions,” a kind of direct messaging on the platform.

The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.

Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point this month the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.

Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastodon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.

Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.

“This was three hours non-stop, 200,000 to 400,000 requests per second,” Chaput said of the DDoS. “At first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times.”

Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But he’s worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.

“We don’t know if this is the work of one person, or if this is [related to] software or services being sold to others,” Chaput told KrebsOnSecurity. “We’re really impressed by the scale of it — using hundreds of domains and thousands of Microsoft email addresses.”

Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same OAuth credentials, and that a domain common to those credentials was quot[.]pw.
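The two signals Chaput describes (a jump from about three signups a minute to 900, and many accounts sharing one set of OAuth credentials while arriving from many addresses) can be checked together, as in this added example, which is not Mastodon's code. The log format, thresholds, application names and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Parse one constructed signup record: '<ISO timestamp> <ip> <oauth_app>'."""
    ts, ip, app = line.split()
    return datetime.fromisoformat(ts), ip, app


def burst_minutes(events, baseline_per_min=3, factor=20):
    """Minutes whose signup count exceeds `factor` times the normal rate."""
    per_minute = Counter(ts.replace(second=0, microsecond=0) for ts, _, _ in events)
    limit = baseline_per_min * factor
    return sorted(minute for minute, n in per_minute.items() if n > limit)


def shared_app_clusters(events, min_ips=50):
    """OAuth applications whose signups come from many distinct addresses.

    Per-address rate limits see each source only once or twice when the
    signups are spread over many proxies; the shared application
    identifier is what ties the accounts together.
    """
    ips_by_app = defaultdict(set)
    for _, ip, app in events:
        ips_by_app[app].add(ip)
    return {app: len(ips) for app, ips in ips_by_app.items() if len(ips) >= min_ips}


def sample_events():
    """Constructed data: 3 signups in a quiet minute, then 900 in the next."""
    t0 = datetime(2023, 5, 4, 12, 0)
    quiet = [
        f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 192.0.2.{i + 1} web"
        for i in range(3)
    ]
    t1 = t0 + timedelta(minutes=1)
    burst = [
        f"{(t1 + timedelta(milliseconds=60 * i)).isoformat()} "
        f"10.0.{i // 250}.{i % 250 + 1} app-placeholder"
        for i in range(900)
    ]
    return [parse(line) for line in quiet + burst]


if __name__ == "__main__":
    events = sample_events()
    print("burst minutes:", [m.isoformat() for m in burst_minutes(events)])
    print("shared OAuth apps:", shared_app_clusters(events))
```
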

A DIRECT QUOT

The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address edgard011012@gmail.com.

This email address is also connected to accounts on several Russian cybercrime forums, including “__edman__,” who had a history of selling “logs” — large amounts of data stolen from many bot-infected computers — as well as giving away access to hacked Internet of Things (IoT) devices.

In September 2018, a user by the name “ципа” (phonetically “Zipper” in Russian) registered on the Russian hacking forum Lolzteam using the edgard0111012@gmail.com address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called “Quot Project” which said they could be hired to write programming scripts in Python and C++.

“I make Telegram bots and other rubbish cheaply,” reads one February 2020 sales thread from Zipper.

Quotpw/Ahick/Edgard/ципа advertising his coding services in this Google-translated forum posting.

Clicking the “open chat in Telegram” button on Zipper’s Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.

“It was made for a limited circle of people,” Quotpw said, noting that they recently released the bot software as open source on GitHub.

Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.

Very often, this proxy software is installed surreptitiously, such as through a “Free VPN” service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.

Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitter’s anti-bot CAPTCHA have put a crimp in their Twitter earnings.

“My partners (I’m programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter,” Quotpw wrote in a Telegram reply. “On Twitter, more spam and crypto scam.”

Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown “they pay more for such work than in ‘white’ jobs” — referring to legitimate programming jobs that don’t involve malware, botnets, spams and scams.

“Consider salaries in Russia,” Quotpw said. “Any spam is made for profit and brings illegal money to spammers.”

THE VIENNA CONNECTION

Shortly after edgard011012@gmail.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to msr-sergey2015@yandex.ru, and to a phone number in Austria: +43.6607003748.

Constella Intelligence, a company that tracks breached data, finds that the address msr-sergey2015@yandex.ru has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.

A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.

Proshutinskiy’s LinkedIn profile says he is a Class of 2024 student at TGM, which is a state-owned, technical and engineering school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.

Mr. Proshutinskiy did not respond to requests for comment.

Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.

“Initially, I bought it for 300 rubles,” Quotpw explained. “The extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me.”

“He’s not even an information security specialist,” Quotpw said of Sergey. “My friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities.”

It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources — all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpw’s spam messages pays handsomely for any investments generated by their spam.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

Update, May 25, 10:30 a.m.: Corrected attribution of the Austrian school TGM.

How to Protect Your Family’s Privacy on Twitter: A Guide for Parents and Kids

By: McAfee

It’s no secret that when it comes to social networks, teen preferences can change dramatically from year to year. That holds with Twitter. Even though the social network has seen a dip in use overall, Twitter has proven its staying power among certain communities, and that includes teens.

According to a 2022 Pew Center Study, 23 percent of teens online use Twitter (down from 33 percent in 2014-15). Because of Twitter’s loyal fanbase, it’s important for tweeting teens, as well as parents and caregivers, to understand how to engage safely on the fast-moving platform.

What do kids do on Twitter?

Many teens love the public aspect of Twitter. They see it as a fun place to connect with friends and stay up to date on sports, school news, memes, online trends and challenges, and popular culture. However, because the platform’s brief, 140–280-word format is so distinct from other popular networks such as TikTok, YouTube, and Snapchat, the online etiquette and ground rules for engagement are also distinct.

As fun as Twitter content is to share and consume, the platform still comes with hidden risks (as do all social networks).

Here’s a guide to help your family understand safe Twitter use and still have fun on this unique social network.

1. Think Before You Tweet

This is likely one of the most important phrases you can convey to your child when it comes to using Twitter. Every word shared online can have positive or negative repercussions. Twitter’s fast-moving, ticker-like feed can tempt users to underestimate the impact of an impulsive, emotionally charged tweet. Words—digital words especially—can cause harm to the reputation of the person tweeting or to others.

For this reason, consider advising your kids to be extra careful when sharing their thoughts or opinions, retweeting others, or responding to others’ tweets. We all know too well that content shared carelessly or recklessly online can affect future college or career opportunities for years to come.

2. Protect Personal Privacy

There’s little more important these days than protecting your family’s privacy. Every online risk can be traced to underestimating the magnitude of this single issue.

It’s never too early or too late to put the right tools in place to protect your family’s privacy online. While Twitter has privacy and reporting features designed to protect users, it’s wise to add a comprehensive identity and privacy protection solution to protect your family’s devices and networks.

Kids get comfortable with their online communities. This feeling of inclusion and belonging can lead to oversharing personal details. Discuss the importance of keeping personal details private online, reminding your kids to never share their full name, address, phone number, or other identity or location-revealing details. This includes being discerning about posting photos that could include signage, school or workplace logos, and addresses. In addition, advise family members not to give away data just because there’s a blank. It’s wise to only share your birthday month and day and keep your birth year private.

3. (Re)Adjust Account Settings

When is the last time you reviewed social media account settings with your child? It’s possible that, over time, your child may have eased up on their settings. Privacy settings on Twitter are easy to understand and put in place. Your child can control their discoverability, set an account to be public or private, and protect their tweets from public search. It’s easy to filter out unwanted messages, limit messages from people you don’t follow, and limit who can see your Tweets or tag you in photos. It’s also possible to filter the topics you see.

4. Recognize Cyberbullying

Respecting others is foundational to engaging on any social network. This includes honoring the beliefs, cultures, traditions, opinions, and choices of others. Cyberbullying plays out in many ways on Twitter and one of those ways is by subtweeting. This vague form of posting is a form of digital gossip. Subtweeting is when one Twitter user posts a mocking or critical tweet that alludes to another Twitter user without directly mentioning their name. It can be cruel and harmful. Discuss the dangers of subtweeting along with the concept of empathy. Also, encourage your child to access the platform’s social media guidelines and know how to unfollow, block, and report cyberbullies on Twitter.

5. Monitor Mental Health

Maintaining a strong parent-child bond is essential to your child’s mental health and the first building block of establishing strong online habits. Has your child’s mood suddenly changed? Are they incessantly looking at their phone? Have their grades slipped? An online conflict, a risky situation, or some type of bullying may be the cause. You don’t have to hover over your child’s social feeds every day, but it’s important to stay involved in their daily life to support their mental health. If you do monitor their social networks, be sure to check the tone and intent of comments, captions, and replies. You will know bullying and subtweeting when you see it.

6. Highlight Responsibility

We love to quote Spiderman’s uncle Ben Parker and remind families that “with great power comes great responsibility” because it sums up technology ownership and social media engagement perfectly. The more time kids spend online, the more comfortable they can become and the more lapses in judgment can occur. Consider discussing (and repeating often) that social media isn’t a right, it’s a privilege that carries responsibility and consequences.

7. Know & Discuss Risks

The FBI estimates there are approximately 500,000 predators active online each day and that they all have multiple profiles. Anonymous, catfish, and fake accounts abound online, wooing even the savviest digital native into an unsafe situation. Engaging on any social network can expose kids to a wide array of possible dangers including scammers, catfishes, and predators. Scams and predator tactics continue to get more sophisticated. For this reason, it’s important to candidly talk about online predator awareness and the ever-evolving tactics bad actors will use to deceive minors online.

Twitter continues to attract tweens and teens who appreciate its brevity and breaking news. While navigating online safety and social media can be daunting for parents, it’s critical to stay engaged with your child and understand their digital life. By establishing an open flow of communication and regularly discussing privacy and appropriate online behavior, you can create a culture of openness in your family around important issues. We’re rooting for you!

The post How to Protect Your Family’s Privacy on Twitter: A Guide for Parents and Kids appeared first on McAfee Blog.

Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users

Twitter is officially beginning to roll out support for encrypted direct messages (DMs) on the platform, more than five months after its chief executive Elon Musk confirmed plans for the feature in November 2022. The "Phase 1" of the initiative will appear as separate conversations alongside existing direct messages on users' inboxes. Encrypted chats carry a lock icon badge to visually

Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison

A U.K. national has pleaded guilty in the U.S. in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform. Joseph James O'Connor, who also went by the online alias PlugwalkJoe, admitted to "his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter," the U.S.

Twitter tells users: Pay up if you want to keep using insecure 2FA

Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only

Twitter has announced that it's limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors," the company said. "We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers."

Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System

Twitter on Wednesday said that its investigation found "no evidence" that users' data sold online was obtained by exploiting any security vulnerabilities in its systems. "Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems," the company said in a statement. "The data

Twitter data of “+400 million unique users” up for sale – what to do?

If the crooks have connected up your phone number and your Twitter handle... what could go wrong?

Ex-Twitter employee Gets 3.5 Years Jail for Spying on Behalf of Saudi Arabia

A former Twitter employee who was found guilty of spying on behalf of Saudi Arabia by sharing data pertaining to specific individuals has been sentenced to three-and-a-half years in prison. Ahmad Abouammo, 45, was convicted earlier this August on various criminal counts, including money laundering, fraud, falsifying records, and being an illegal agent of a foreign government. Abouammo was