New phishing attacks shame, scare victims into surrendering Twitter, Discord credentials

A recent wave of social media phishing schemes doubles down on aggressive scare tactics with phony account-abuse accusations to coerce victims into handing over their login details.

Last week alone, Malwarebytes Labs uncovered two phishing scams, targeting Twitter and Discord (a voice, video, and text chat app). The Twitter phishing scam sends users a direct message (DM) flagging their account for use of hate speech and requesting the user authenticate the account to avoid a suspension. Users are then redirected to a fake “Twitter help center,” which asks for the user’s login credentials.

The Discord phishing campaign sends users a message from friends or strangers accusing the user of sending explicit photos that are exposed on a server. The message includes a link to the purported server, and if the user wants to follow the link, they are asked to log in via QR code. If they do, the account will most likely be taken over by scammers, according to Malwarebytes. The message then gets sent to the user’s friends from his or her account, perpetuating the phishing scam.

Patrick Harr, CEO at SlashNext, an anti-phishing company, says the Twitter and Discord attacks are a clever twist on the traditional social engineering scam to steal credentials. The best social engineering scams use fear or outrage to move the victim to act quickly without taking too much time to think “Is this a phishing scam?,” he explains.

“In both cases, the users of Twitter and Discord are motivated to resolve an issue that could impact their status, business, or entertainment, which is why this phish is so effective,” he notes.

Social media platforms are perpetual targets of phishing campaigns, using psychological manipulation to encourage victims to disclose confidential login credentials. The pilfered information is then used by malicious actors to hijack the user’s social media accounts, or even gain access to their bank accounts.

But more importantly for enterprises, successful social media attacks on their employees can open the door to infiltration to the company network via the user’s infected device or abused credentials. “This means companies need a BYOD strategy that includes multichannel phishing and malware protection to protect social, gaming, and all messaging apps,” Harr says.

Fear and Urgency as Phishing Tools

James McQuiggan, security awareness advocate at KnowBe4, explains social media phishes are effective because they use fear and urgency to get the victim to take an action they might not otherwise take. “A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state,” he says. “The victim sees the email and responds without adequately checking the sender or the link.”

An example is the threat of the social media account being suspended or a notice that the password has expired. When the victim clicks the link and visits the fake website, it looks exactly like the login page, and the user enters their credentials.

And if the user employs multifactor authentication (MFA) with the account, he says, the attacker can copy that session key to bypass the login and automatically gain access before the victim realizes it.