Hackers were able to compromise Target’s Twitter account early this morning for use in a bitcoin scam that has been ramping up over the past few months.
This isn’t an isolated event, either. The scammers started by making fake accounts impersonating Elon Musk, an act that is against Twitter’s Terms of Service. Those accounts would post scammy links under Musk’s tweets asking users to send a small amount of bitcoin in order to receive a larger amount in return. Confusing as the tactic is, it has been profitable: according to TechCrunch, it made the hackers over $37,000 in cryptocurrency in just a few hours.
“Early this morning, Target’s Twitter account was inappropriately accessed. The access lasted for approximately half an hour and one fake tweet was posted during that time about a bitcoin scam,” Target said in a statement to The Verge. “We’re in close contact with Twitter, have deleted the tweet and have locked the account while we investigate further.”
In July, Twitter revved up its efforts to stop these scams by automatically locking unverified accounts that changed their display names to “Elon Musk.” It looks as though, to avoid having their accounts locked, the scammers have pivoted to hacking. By hacking verified accounts, they’re able to impersonate Musk without being locked out, and the scam is even more believable with the little blue checkmark next to the familiar name.
In Target’s case, the account was briefly hacked, and in that time, scammers were able to produce a tweet with the link that was then approved as an ad by Twitter. Screenshots have surfaced showing that the scammy tweet was “Promoted,” meaning that this obvious and well-known scam made it past the Twitter team that vets ads. Twitter hasn’t responded to a request for comment.
Target is only the latest example of this scam, and perhaps the one with the largest following. Other influential users, like Rep. Frank Pallone (D-NJ), also had their accounts hacked for use in this scam. Pallone’s campaign account was compromised just a day before the 2018 midterm elections. His account didn’t sponsor any ads, but others like Capgemini Australia, Pathé Films, and Pantheon Books had ads for this scam approved as well.
The scam could easily be combated by requiring verified users to secure their accounts with two-factor authentication, but as of right now, Twitter doesn’t require any users to do so. Until then, it’s likely that these hacks will continue, and many more people will be tricked into handing over their cryptocurrency.
Updated 11/13/18 10:22 a.m.: Added a statement from Target