Silent Push Threat Analysts uncovered a crypto scam using spoofed X/Twitter display URLs to impersonate trusted brands like Apple and CNN, redirecting users to fraudulent presale token websites with fake CEO endorsements. (Affected: social media platforms, cryptocurrency victims, online financial sector)
Key points:
- A new crypto scam abuses X/Twitter advertising to spoof legitimate URLs like cnn[.]com.
- Users clicking the spoofed links are redirected to fraudulent sites selling fake “Apple iToken” crypto tokens.
- The scam sites feature fake endorsements from Apple CEO Tim Cook to build trust.
- There are at least 22 unique cryptocurrency wallet addresses across multiple scam websites.
- Nearly 90 related scam domains have been identified, many hosted on Hetzner and some linked to suspicious NameServers.
- Threat actors chain URL shorteners with X/Twitter's link-preview fetching: the platform's crawler (recognised by its Twitterbot user-agent string) is served a benign page, so the card displays a legitimate site, while users who click are redirected elsewhere.
- Favicons impersonating Apple and X/Twitter brands are reused to identify related scam infrastructure.
- Scam domains consistently redirect through intermediary URLs like bit[.]ly, t[.]co, and chopinkos[.]digital.
- Several scam domains utilize similar files (HTML, CSS) identified via Silent Push Web Resource Scan for infrastructure pivoting.
- Silent Push provides threat intelligence feeds and indicators of compromise to help detect and mitigate the campaign.
MITRE Techniques:
- Spoofing (T1491) – Use of spoofed URLs and domain names to masquerade as legitimate brands like CNN and Apple.
- Phishing (T1566) – Employing deceptive ads and fake websites to trick users into investing in fraudulent crypto tokens.
- Drive-by Compromise (T1189) – Using redirects via URL shorteners and Twitter cards to lure victims to malicious sites.
- User Execution (T1204) – Encouraging users to create accounts and execute crypto transactions on scam sites.
- Trusted Relationship (T1199) – Exploiting trust in established brands (Apple, CNN) and social media platforms (X/Twitter).
- Valid Accounts (T1078) – Victims are induced to create fraudulent accounts on scam platforms.
- Data Manipulation (T1565) – Displaying fake testimonials and fabricated CEO endorsements to mislead users.
- Obfuscated Files or Information (T1027) – Use of CSS and HTML files with matching hashes across multiple scam domains to hide infrastructure.
- Command and Control (T1071) – Use of multiple wallet addresses to receive illicit cryptocurrency payments.
- Domain Trust Hijacking (T1598) – Abuse of platform URL metadata fetching (Twitter bot UA string) to show legitimate sites while redirecting users elsewhere.
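The cloaking described above (a benign destination for the platform's link-preview crawler, a different one for a real browser) can be checked from the defender's side by fetching the same link under both user agents and comparing where the two redirect chains end. The script below is an added example, not Silent Push's tooling; the hostnames, the redirect table and the `urllib_fetch` helper are constructed for illustration, and the in-memory table stands in for live HTTP so it runs offline.

```python
"""Detect user-agent cloaking across a redirect chain (added example).

Fetch a link once with a link-preview crawler UA and once with a browser UA,
follow each chain hop by hop (redirects disabled so every hop is observed),
and flag the link when the two chains land on different registrable domains.
"""
from urllib.parse import urlsplit, urljoin
import urllib.error
import urllib.request

TWITTERBOT_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Constructed responses: (url, is_crawler) -> (status, Location header or None).
# The hosts are placeholders shaped like the report's chain
# (shortener -> intermediary hop -> landing page); they are not real IOCs.
CONSTRUCTED_RESPONSES = {
    ("https://short.example/abc", False): (301, "https://hop.example/r?id=1"),
    ("https://short.example/abc", True): (301, "https://hop.example/r?id=1"),
    ("https://hop.example/r?id=1", False): (302, "https://intermediary.example/go"),
    ("https://hop.example/r?id=1", True): (302, "https://www.cnn.com/"),
    ("https://intermediary.example/go", False): (302, "https://scam-landing.example/presale"),
    ("https://scam-landing.example/presale", False): (200, None),
    ("https://www.cnn.com/", True): (200, None),
}


def table_fetch(url, user_agent):
    """Offline fetcher backed by the constructed table above."""
    is_crawler = user_agent.lower().startswith("twitterbot")
    return CONSTRUCTED_RESPONSES.get((url, is_crawler), (404, None))


def urllib_fetch(url, user_agent, timeout=10):
    """Live fetcher (assumed helper, not run here): one hop, redirects disabled."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def follow_chain(url, user_agent, fetch, max_hops=10):
    """Return every URL visited, starting with `url`, stopping at a non-redirect."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
    return chain


def registrable_domain(url):
    """Naive eTLD+1 (last two labels); use a Public Suffix List library in production."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def detect_cloaking(url, fetch=table_fetch):
    """Compare the crawler's and the browser's landing domains for one link."""
    bot_chain = follow_chain(url, TWITTERBOT_UA, fetch)
    user_chain = follow_chain(url, BROWSER_UA, fetch)
    return {
        "cloaked": registrable_domain(bot_chain[-1]) != registrable_domain(user_chain[-1]),
        "crawler_lands": bot_chain[-1],
        "browser_lands": user_chain[-1],
        "crawler_chain": bot_chain,
        "browser_chain": user_chain,
    }


if __name__ == "__main__":
    print(detect_cloaking("https://short.example/abc"))
```

Against a live link, pass `fetch=urllib_fetch` (or a fetcher built on your crawler of choice). Divergent landing domains are a strong signal but not proof: geo-targeting, A/B testing and consent walls also vary the destination by client, so treat the result as a triage flag and keep the full chains for the analyst.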
Indicators of Compromise:
- The article includes multiple IP addresses identified as hosting scam websites, e.g., 51.15.17[.]214 on ASN12876.
- It details numerous malicious domains related to the scam, such as ipresale[.]world, itokensale[.]live, and chopinkos[.]digital.
- Hashes of reused CSS and HTML files (e.g., SHA256: b976f96367b70125ec5241cb8e4848090cee6f7bff8cbed9bc01b61678ba6343) are presented to help detect related infrastructure.
- Multiple cryptocurrency wallet addresses (Bitcoin, Ethereum, XRP, USDT, etc.) serve as transaction identifiers connected to the scam.
- URL shorteners used in redirect chains, such as bit[.]ly/4k4X1Tz and t[.]co/OswjDCIcFI, are significant IOCs for link tracing.
- Favicon MD5 hashes uniquely linked to the scam’s websites are provided for site attribution and discovery.
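The favicon-hash and file-hash pivots listed above (MD5 of favicons, SHA256 of reused CSS and HTML) amount to one operation: hash each resource a domain serves, then group domains that share a hash. The script below is an added example of that pivot, not Silent Push's Web Resource Scan; the domain names and resource bytes are constructed placeholders, so the hashes it produces are not the campaign's real indicators.

```python
"""Cluster domains by the hashes of the web resources they serve (added example)."""
import hashlib
from collections import defaultdict

# Constructed sample: domain -> {path: bytes}. Names and contents are placeholders.
SAMPLE_SITES = {
    "presale-a.example": {
        "/favicon.ico": b"APPLE-STYLE-ICON-BYTES",
        "/style.css": b".hero{color:#000}",
        "/index.html": b"<html>presale A</html>",
    },
    "presale-b.example": {
        "/favicon.ico": b"APPLE-STYLE-ICON-BYTES",
        "/style.css": b".hero{color:#000}",
        "/index.html": b"<html>presale B</html>",
    },
    "unrelated.example": {
        "/favicon.ico": b"OTHER-ICON-BYTES",
        "/style.css": b"body{margin:0}",
    },
}


def resource_hash(path, data):
    """Favicons are keyed by MD5 (the convention used in the report), other files by SHA256."""
    if path.endswith(".ico"):
        return "md5:" + hashlib.md5(data).hexdigest()
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_index(sites):
    """Reverse index: resource hash -> set of domains serving that resource."""
    index = defaultdict(set)
    for domain, files in sites.items():
        for path, data in files.items():
            index[resource_hash(path, data)].add(domain)
    return index


def shared_resource_clusters(sites, min_domains=2):
    """Hashes seen on at least `min_domains` domains, with the domains that share them."""
    return {h: sorted(d) for h, d in build_index(sites).items() if len(d) >= min_domains}


def pivot_from(seed_domain, sites):
    """Domains that share at least one resource hash with a known-bad seed domain."""
    related = set()
    for domains in build_index(sites).values():
        if seed_domain in domains:
            related |= domains
    related.discard(seed_domain)
    return sorted(related)


if __name__ == "__main__":
    for h, domains in shared_resource_clusters(SAMPLE_SITES).items():
        print(h, domains)
    print("related to presale-a.example:", pivot_from("presale-a.example", SAMPLE_SITES))
```

Before trusting a cluster, exclude hashes of widely shared assets (framework CSS, default favicons, CDN-served libraries), which will link unrelated sites; a shared hash of a site-specific file such as the landing page's own stylesheet or a brand-impersonating favicon is the useful signal.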