I often see pathetic attempts by cryptocurrency scammers replying to tweets from well-known members of the cryptocurrency space about some "give away" they are doing. They copy the entire profile of the person they are impersonating in an attempt to fool people into doing stupid things.
DO NOT GIVE ANYONE YOUR PRIVATE KEY.
Don't send them cryptocurrency hoping for some too-good-to-be-true event to happen in your favor.
Don't be stupid.
In the last two days I've been impersonated on Twitter more than a half dozen times. I only have ~3k Twitter followers and yet they think I'm a valuable target. Go figure. Here are the accounts so far:
lukestcokes
lukestookes
lukesthokes
lukebastokes
lukestbokes
lukestoknes
lukestokhes
lukestkokes
And they keep on coming. They look just like my actual profile so they are doing some work to scrape it:
When I first saw this on my mobile, I was freaking out and they were linking out to known scam sites trying to steal people's cryptocurrency.
At first I thought, after 10+ years running a secure, PCI-compliant system, I had finally had one of my accounts hacked. I jumped off my couch to get to my laptop and immediately changed my Twitter password and disabled all applications which had access to my Twitter account. After calming down a bit, I realized my account wasn't compromised and these were just lookalikes impersonating me and trying to get people to visit a scam site.
If you're not sure what's a scam site and what's not, go install MetaMask and MetaCert's Cryptonite.
And yes, that is my real Twitter account, the same one tweeting about Bitcoin since 2013.
I kept reporting and blocking them.
That's when things got a little weird.
Twitter Teaches Phishing
I started getting emails telling me to upload a picture of my photo ID to this page:
That looks exactly like a bad phishing attempt. The domain isn't Twitter at all! It appears to be a Salesforce account for "twitterinc," but nothing about this page gives me any sense of security that I'm actually talking to Twitter! If someone asked me about this, I would think it's a scam for sure! Impersonate someone in an obvious way, then send them an email asking for their identity documents, then use those documents to really steal their identity and/or get access to their accounts.
Scary stuff!
I tried to verify the domain is legit, and there isn't much out there to do that.
Spam404 (?) says I can trust it but nothing from Twitter?
I started to see a pattern when I replied to one of the emails and got a reply from Twitter support with the same case number (automated, of course).
I then checked the original view of the message to see it passed SPF, DKIM, and DMARC:
Those are methods of ensuring this email actually came from the mail servers at Twitter.com. If you didn't know, email From addresses are very easy to fake, so don't trust the From address in an email you receive unless you can track the actual server details, it's been signed with PGP, or you have some other mechanism like SPF, DKIM, and DMARC.
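The same check can be scripted against the raw message source. The sketch below is an added example, not something from the original post: it reads only the Authentication-Results header written by your own receiving server and trusts the From domain only when DMARC passed for that exact domain. The server name mx.receiver.example, the example.com addresses and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def from_is_authenticated(raw_message, trusted_authserv_id):
    """Summarise SPF/DKIM/DMARC results recorded by *our* receiving server."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen = {}
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)  # strip (comments)
        authserv_id, _, rest = header.partition(";")
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue  # added by another hop, possibly the sender: ignore it
        for clause in rest.split(";"):
            fields = dict(t.split("=", 1) for t in clause.split() if "=" in t)
            for method in ("spf", "dkim", "dmarc"):
                if method in fields:
                    seen[method] = fields
    dmarc = seen.get("dmarc", {})
    return {
        "from_domain": from_domain,
        "spf": seen.get("spf", {}).get("spf"),
        "dkim": seen.get("dkim", {}).get("dkim"),
        "dmarc": dmarc.get("dmarc"),
        # DMARC pass means SPF or DKIM passed for a domain aligned with From.
        "authenticated": bool(from_domain)
        and dmarc.get("dmarc") == "pass"
        and dmarc.get("header.from", "").lower() == from_domain,
    }

# Constructed sample: every check passes for the domain shown in From.
LEGIT = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com;
 dmarc=pass (p=REJECT) header.from=example.com
From: Support <support@example.com>
Subject: Case update

body
"""

# Constructed sample: SPF passes, but for an unrelated domain, so DMARC fails.
# The second header was supplied by the sender and must not be believed.
FORGED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=mailer.other.example; dkim=none;
 dmarc=fail header.from=example.com
Authentication-Results: mx.sender-added.example; dmarc=pass header.from=example.com
From: Support <support@example.com>
Subject: Verify your identity

body
"""
```

In the second sample SPF alone says "pass", which is why the DMARC result, not SPF or DKIM on their own, is the one to check against the From address.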
Eventually, I had enough confidence to actually upload my ID and eventually got this email confirming it was legitimate:
That, and the account was removed.
So as amazing as it sounds, twitterinc.secure.force.com is apparently the real domain for uploading your secure documents to Twitter to get impersonation accounts deleted. I really hope they fix this and get an A record so they could do something like secureupload.twitter.com. Anything would be better than this. It teaches people to give over private information to sketchy-looking websites. That's not a good thing.
I talked to a friend of mine who works at Twitter via DM, but he didn't seem too concerned about it. I hope they realize this is a big deal in the cryptocurrency space because people are getting scammed daily.
If you want to follow the drama as it happened on Twitter, see this thread.
Stay safe, people. Hackers are out to get you, and the only chance you have is to get educated and stay vigilant. Use tools like MetaMask and MetaCert's Cryptonite. Always double-check the URL. Use a password manager like 1Password or LastPass.
If you're in the cryptocurrency space, you're a target as we found out when they got our eosDAC YouTube channel removed. Only you can protect yourself when you are your own bank. I hope this page will help people in the future know what to do if they get impersonated on Twitter.
If you have any questions, please let me know, and I'll help if I can.
Luke Stokes is a father, husband, programmer, STEEM witness, DAC launcher, and voluntaryist who wants to help create a world we all want to live in. Learn about cryptocurrency at UnderstandingBlockchainFreedom.com

