Hacked X accounts with gold checkmarks are for sale on the dark web, says study

Gold-verified accounts on X (formerly Twitter) are increasingly showing up in the social media sales sections of dark web forums and marketplaces, according to a study by CloudSek.

The surge has to do with X’s new paid verification model, which has made verified accounts more valuable.

The old “Twitter Blue” program assigned blue ticks to verified accounts, without charging a fee. After Elon Musk bought Twitter in October 2022 and changed its name to X, he introduced a new model. Personal accounts can still get a blue tick if they pay an $8 monthly fee, but there’s no identity verification. Organizations, on the other hand, can pay $200/month to get their accounts verified. Businesses get a gold tick once X approves their account, while government entities get a grey one.

Beyond the dark web, CloudSek saw advertisements selling X gold accounts on Telegram, indicating malicious campaigns are using these accounts on a large scale. Buyers can use these gold accounts to spread disinformation, job scams, and crypto scams, or lead people to phishing websites to harvest their credentials and PII (personally identifiable information). For instance, the research team at CloudSek was able to identify gold-verified corporate X accounts posting links to malicious sites similar to the company’s real domain name but in a different top-level domain (TLD).
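A brand-monitoring check for the lookalike links described above, added here as an example and not taken from CloudSek's report: it scans post text for URLs whose host keeps the brand's name but sits under a different TLD. The domain `examplecorp.example`, the sample posts and all function names are constructed for illustration, and the input is assumed to contain already-expanded (not shortened) links.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_of(url):
    """Lower-cased hostname of url (no port or userinfo), or '' if unparseable."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()

def is_tld_swap(host, official_domain):
    """True if host keeps the brand label of official_domain under another suffix."""
    brand, _, suffix = official_domain.lower().partition(".")
    labels = host.split(".")
    if brand not in labels:
        return False
    idx = len(labels) - 1 - labels[::-1].index(brand)  # last occurrence of brand
    tail = labels[idx + 1:]
    # One or two labels after the brand look like a suffix (com, co.uk).
    # Longer tails (brand.com.other.net) are a different trick, not covered here.
    return 1 <= len(tail) <= 2 and ".".join(tail) != suffix

def flag_posts(posts, official_domain):
    """Return (post_id, url, host) for every link that is a TLD swap of the brand."""
    hits = []
    for post_id, text in posts:
        for match in URL_RE.findall(text):
            url = match.rstrip(".,;:!?)")  # drop sentence punctuation after the link
            host = host_of(url)
            if host and is_tld_swap(host, official_domain):
                hits.append((post_id, url, host))
    return hits

# Constructed sample posts; examplecorp.example stands in for the real domain.
SAMPLE_POSTS = [
    (1, "Q3 results are live: https://www.examplecorp.example/investors"),
    (2, "Claim your reward now https://examplecorp.test/airdrop."),
    (3, "Support moved: https://examplecorp.example@login.examplecorp.invalid/reset"),
    (4, "Press coverage: https://news.example/examplecorp"),
]

if __name__ == "__main__":
    for hit in flag_posts(SAMPLE_POSTS, "examplecorp.example"):
        print(hit)
```

Post 3 shows why the check parses the URL instead of matching substrings: the official domain appears before the `@` as userinfo, while the real host is the lookalike.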

“The advertisements on the dark web can be traced back to multiple online shops and their marketing partners, such as Facebook, Telegram, etc.,” said CloudSek in a report. “Some X account providers have hosted their shops successfully for over four years and used the same medium to advertise Twitter Gold accounts.”

CloudSek was able to locate some of these advertisements by running basic searches on Google, Facebook or Telegram. By simply searching for the keywords “Twitter Gold buy,” it was able to retrieve dark web advertisements marketed through Facebook, it said.

The advertisements selling X Gold accounts were priced based on the value of the account in terms of recognition and reach. “A set of advertisements openly mentioned the companies that were offered for sale, and depending on the brand and followers of this account, the accounts with a gold badge ranged from $1200 to $2000,” CloudSek said in the report.

A CloudSek source on the dark web was able to get a quote for 15 inactive X accounts at $35 per account. The seller also offered to sell 15 such accounts every week, bringing the tally to 720 accounts yearly. All these accounts would further have to be “gold” activated by the purchaser, should they want to.

Campaigns target dormant X accounts

The most common targets of the sellers of gold X accounts are organizational accounts that have remained dormant since before 2022. One of the techniques they try is to brute force the credentials of these accounts using credential stuffing tools like OpenBullet, SilverBullet, and SentryMBA. Once a complete account takeover is done by changing the recovery email and contact details, the thieves pay to convert the account to gold status and put it up for sale.

Another method the sellers use is to gather X logins using information stealer malware. These credentials are then validated using configs and brute force methods. The hacked accounts, in either case, are first put up for sale, and then converted to gold depending on the buyers’ needs.

While the latter takeover technique is easier to implement due to the abundance of logs from popular malware, the former requires some technical sophistication, according to the report. However, buyers prefer accounts hacked using the former method as it guarantees exclusivity, unlike publicly available malware-infected accounts.

Closing accounts that have been dormant for an extended time period and implementing password protection best practices after a suspected credential theft are the two effective mitigation techniques recommended by CloudSek to secure against these gold thieves.
