Phishing in the comment section of high-profile accounts: What's going on?


Background

Recently we have handled multiple theft cases, and on analysis most of them traced back to the same entry point: phishing comments posted under the tweets of well-known project accounts.


A targeted survey found that roughly 80% of well-known project accounts have the comment section under each new tweet occupied by fraudulent phishing accounts. Given how heavily automated these phishing groups are, and how low the security awareness of some cryptocurrency professionals still is, this article walks through the groups' modus operandi in the comment sections of well-known project accounts on Twitter, as a warning to practitioners.

Modus Operandi

  1. Purchasing Twitter Accounts

We have found numerous Telegram groups selling Twitter accounts. The accounts come with a given number of followers and posts and a range of registration dates, so buyers can pick whatever fits their needs. The groups' history shows that they mainly sell accounts related to the cryptocurrency industry and influencer accounts.


Besides the Telegram groups, there are websites dedicated to selling Twitter accounts. They offer accounts registered in different years and will sell lookalike accounts crafted to resemble a specific genuine account, such as "Optimlzm" imitating the genuine "Optimism." These websites also accept cryptocurrency as payment.

  2. After acquiring ready-made accounts, phishing groups use promotion services to buy followers and engagement so that the accounts look credible.

These promotion services also take payment in cryptocurrency and sell likes, retweets and follower growth for the mainstream social media platforms. A buyer simply pastes the link to be promoted, enters the desired quantity and pays.


According to the customer service staff of one such platform, it has processed over 1.3 million orders for more than 20,000 users.


With these preparations complete, the phishing group holds a Twitter account with a plausible number of posts and followers. It then copies the profile information and content of the project's official account, to the point that some users cannot tell the two apart. The phishing itself then runs as follows.

  • The group's automated bots follow well-known project accounts and watch for new posts.
  • The moment the project tweets, the bots post a comment so that the phishing account holds the first position in the comment section, where it draws the most attention and engagement.
  • Because the user is reading a post genuinely published by the project, and the phishing account is disguised to closely resemble the project's account, the user lowers their guard. Clicking the link the phishing account posts under the pretext of an airdrop or similar offer, and then approving or signing on the site it leads to, results in the loss of assets.

Case Example

On January 12th, Optimism's official Twitter account posted a tweet, and the first comment under it was posted by a phishing group. The comment drew significant interaction and displayed a link preview for the official website; the URL in the text of the comment, however, was a phishing link.


Phishing groups exploit Twitter's naming model: a user can change the display name at will, but not the unique identifier, the username prefixed with "@". The fake account set its display name to "Optimism," identical to the official account. Only a closer look at the username shows the difference: the fake account replaced the "is" in the official username with "lz," giving "Optimlzm" in place of "Optimism."

MistTrack Analysis

Using the on-chain tracking tool MistTrack to query 0xd02c75102ed941b26e318c0896c5b5aeb4ddc965, an address tied to the sale of Twitter accounts on Telegram, we found that every address sending funds to it is flagged by MistTrack as malicious and associated with phishing, theft and similar activity. Expanding those addresses in turn surfaced still more malicious addresses, which shows how extensive this black market is.


Countermeasures

1. Anti-phishing plugins should be tuned to the dominant phishing method in the industry. As far as we know, about 90% of NFT phishing relies on fake domains, so tracking phishing domains in real time and warning users is crucial: when a user opens a phishing page, the plugin or browser should flag the risk immediately. The user is then warned before any approval is signed, which stops the fraud at its first step.

2. The other crucial line of defence is a wallet that implements "what you see is what you sign" and recognises the interaction it is being asked to authorise. A wallet with signature recognition should display, in human-readable form, exactly what the user is about to sign: the kind of authorisation, the amount, the recipient and the other relevant details. The user can then understand what the authorisation grants, which makes this the last line of defence against being tricked at the final step.

3. Finally, personal security awareness is essential. Products, articles and reminders help, but the key is the user's own vigilance: double-check before clicking a link, approving an allowance or signing a message. Only constant self-awareness keeps one clear of asset losses and the trouble of being deceived.
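The lookalike-handle trick in the case above (@Optimlzm for @Optimism) and the fake-domain problem in this countermeasure are the same detection problem: a string whose shape matches a known brand but whose code points do not. The check below is an added example for this article, not code from the article, from MistTrack or from any plugin it mentions. It folds visually confusable characters with a small table (an assumption; real tooling should use the Unicode confusables data), compares by edit distance, and for URLs judges only the registrable domain. The handle "Optimism" comes from the article; the domain optimism.io and the sample lookalikes are illustrative inputs I constructed.

```python
from urllib.parse import urlparse

# Visually confusable characters, folded to one canonical shape. This small
# table is an assumption for the example; real tooling should draw on the
# Unicode confusables data (UTS #39), which covers far more pairs.
_CHAR_MAP = str.maketrans({"l": "i", "1": "i", "|": "i", "!": "i",
                           "0": "o", "5": "s", "8": "b", "9": "g"})
# Two-character sequences that render as a single glyph.
_SEQ_MAP = (("rn", "m"), ("vv", "w"))


def normalize(s: str) -> str:
    """Fold a handle or domain to its visual shape:
    'Optimlzm' -> 'optimizm', 'optimisrn.io' -> 'optimism.io'."""
    s = s.lower().lstrip("@")
    for seq, rep in _SEQ_MAP:
        s = s.replace(seq, rep)
    return s.translate(_CHAR_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; handles and domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_handle(handle: str, official: list, max_dist: int = 1) -> str:
    """'official' for an exact (case-insensitive) match, 'lookalike of @X' when
    the folded shape is within max_dist edits of a known handle, else 'unknown'."""
    raw = handle.lstrip("@").lower()
    if any(raw == name.lower() for name in official):
        return "official"
    for name in official:
        if levenshtein(normalize(raw), normalize(name)) <= max_dist:
            return f"lookalike of @{name}"
    return "unknown"


def classify_url(url: str, official_domains: list, max_dist: int = 1) -> str:
    """Same idea for the link in a comment. Only the registrable domain decides
    legitimacy; subdomains are free text the attacker controls."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain = last two labels. Production code should use
    # the Public Suffix List (and decode punycode 'xn--' hosts before folding).
    registrable = ".".join(labels[-2:])
    if any(registrable == dom.lower() for dom in official_domains):
        return "official"
    for dom in official_domains:
        dom = dom.lower()
        brand = dom.split(".")[0]
        # optimisrn.io, 0ptimism.io, optimisim.io
        if levenshtein(normalize(registrable), normalize(dom)) <= max_dist:
            return f"lookalike of {dom}"
        # brand smuggled into a subdomain: optimism.io.claim-airdrop.xyz
        if any(normalize(label) == normalize(brand) for label in labels[:-2]):
            return f"lookalike of {dom}"
    return "unknown"


if __name__ == "__main__":
    for h in ("@Optimism", "@Optimlzm", "@BobTheTrader"):
        print(f"{h:15} -> {classify_handle(h, ['Optimism'])}")
    for u in ("https://app.optimism.io", "https://optimisrn.io/claim",
              "https://optimism.io.claim-airdrop.xyz/", "https://example.com/"):
        print(f"{u:40} -> {classify_url(u, ['optimism.io'])}")
```

The edit-distance threshold of 1 on the folded string is deliberate: it catches a single swapped or dropped letter on top of any number of confusable substitutions, while a looser threshold starts flagging unrelated short names. A plugin would run `classify_url` on every link in a comment and `classify_handle` on the commenter, and treat anything other than "official" under an official tweet as a reason to warn.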
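To make the "what you see is what you sign" point concrete, here is an added example (mine, not code from the article or from any wallet it refers to) that decodes the two approval calls airdrop phishing pages most often ask a victim to sign, ERC-20 `approve` and ERC-721/1155 `setApprovalForAll`, and renders them the way a signing prompt should. The two 4-byte selectors are the standard ones; the trusted-spender allowlist, the token symbol and decimals, and the sample calldata are constructed for the example.

```python
# Decodes approve / setApprovalForAll calldata into human-readable text and
# attaches the warnings a wallet should show before asking for a signature.

UNLIMITED = 2**256 - 1

# 4-byte selectors = first 4 bytes of keccak256(canonical signature).
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),          # ERC-20
    "a22cb465": ("setApprovalForAll", ("address", "bool")),   # ERC-721 / ERC-1155
}

# Hypothetical allowlist a wallet might ship; the address is a placeholder.
TRUSTED_SPENDERS = {"0x" + "ab" * 20}


def _decode_word(kind: str, word: str):
    """Decode one 32-byte ABI word of a static type."""
    if kind == "address":
        if word[:24] != "0" * 24:            # top 12 bytes must be zero padding
            raise ValueError("malformed address word")
        return "0x" + word[24:]
    value = int(word, 16)
    if kind == "bool":
        if value not in (0, 1):
            raise ValueError("malformed bool word")
        return value == 1
    return value                              # uint256


def decode_calldata(calldata: str) -> dict:
    """Return a dict describing the call plus a list of human-readable warnings."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) < 8 or (len(data) - 8) % 64:
        raise ValueError("calldata must be a 4-byte selector plus 32-byte words")
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        # A wallet that cannot render a call should say so, not show raw hex.
        return {"function": None, "selector": "0x" + selector,
                "warnings": ["unrecognised function; do not sign blind"]}
    name, kinds = SELECTORS[selector]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) != len(kinds):
        raise ValueError(f"{name} takes {len(kinds)} arguments, got {len(words)}")
    args = [_decode_word(k, w) for k, w in zip(kinds, words)]
    out = {"function": name, "warnings": []}
    if name == "approve":
        out.update(spender=args[0], amount=args[1])
        if args[1] == UNLIMITED:
            out["warnings"].append("unlimited allowance: spender can drain the whole balance")
        if args[0] not in TRUSTED_SPENDERS:
            out["warnings"].append("spender is not a known contract")
    else:  # setApprovalForAll
        out.update(operator=args[0], approved=args[1])
        if args[1]:
            out["warnings"].append("operator gains control of every token in this collection")
        if args[0] not in TRUSTED_SPENDERS:
            out["warnings"].append("operator is not a known contract")
    return out


def render(decoded: dict, symbol: str = "TOKEN", decimals: int = 18) -> str:
    """Turn the decoded call into the text a signing prompt should show."""
    if decoded["function"] is None:
        return f"Unknown call {decoded['selector']}\n  ! " + "\n  ! ".join(decoded["warnings"])
    if decoded["function"] == "approve":
        amt = ("UNLIMITED" if decoded["amount"] == UNLIMITED
               else f"{decoded['amount'] / 10**decimals:g} {symbol}")
        lines = [f"approve: allow {decoded['spender']} to spend {amt}"]
    else:
        verb = "grant" if decoded["approved"] else "revoke"
        lines = [f"setApprovalForAll: {verb} {decoded['operator']} control of ALL {symbol} tokens"]
    lines += ["  ! " + w for w in decoded["warnings"]]
    return "\n".join(lines)


# Constructed sample calldata (not captured from a real transaction).
APPROVE_UNLIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
APPROVE_100 = "0x095ea7b3" + "0" * 24 + "ab" * 20 + format(100 * 10**18, "064x")
SET_APPROVAL_TRUE = "0xa22cb465" + "0" * 24 + "22" * 20 + "0" * 63 + "1"

if __name__ == "__main__":
    for cd in (APPROVE_UNLIMITED, APPROVE_100, SET_APPROVAL_TRUE):
        print(render(decode_calldata(cd)), end="\n\n")
```

The decoder refuses malformed words rather than guessing, and an unknown selector produces a warning instead of a hex dump, because a prompt the user cannot read is exactly the condition the phishing page is counting on. The token symbol and decimals would come from the contract in a real wallet; here they are parameters so the block runs offline.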


Copyright: yiyi. Posted on CoinNav on 30 January 2024 at 4:04 pm. Please cite the source if reproduced.
