
Putting Scammers on Scan on Twitter

Earlier tonight, someone decided to change their Twitter handle and display name to impersonate a furry and solicit money to the scammer’s PayPal account.

If you’ll notice, the @ here has two Ns instead of an M.

This is the same kind of lazy technique that script kiddies use to phish people for passwords, but more targeted. The goal is to dupe someone into sending the scammer money instead of the intended recipient.

There’s very little we (as in, social media users) can do to prevent this on social media (although if you’re dealing with money, you should probably take the discussion to DM at least). That’s Twitter’s job.

It’s also difficult to detect, especially since scammers often block their victim so the victim can’t see the scam reply. That prevents detection, or at least delays it until the victim notices an invisible reply and opens a private browsing tab to read it.

Infosec isn’t all sunshine and rainbows. (Art by Khia.)

Instead, I’d like to propose a simple technique for stopping their post-detection evasive maneuvers. To wit:

The scammer, upon being detected by the victim, did the following rapidly, several times:

  1. Deleted their offending tweets (although by then they had been reported to Twitter already).
  2. Changed their Twitter handle.
  3. Changed their display name.
  4. Changed their profile picture / biography.

They went from @DreannerHyena to @thebetteroIivia (capital I instead of lowercase L) to @lunatically to @anon45778 in the span of minutes.
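As an added example (not code from the original post), the following Python folds the look-alike substitutions described above (two Ns or "rn" standing in for an M, capital I for lowercase L) so that a reply thread can be scanned for handles impersonating a trusted one. The trusted handle `@DreamerHyena` and the reply list are constructed sample data, inferred from the post's description rather than taken from it.

```python
# Added example, not the post's own code. Twitter handles are limited to ASCII
# letters, digits and underscore, so a small ASCII confusable table covers the
# whole space of cheap disguises; this is a simplified "skeleton" comparison.

# Two-character sequences that render like a single letter in common sans-serif fonts.
MULTI_CONFUSABLES = {"rn": "m", "nn": "m", "vv": "w", "cl": "d"}
# Single glyphs that look like another letter. Applied before lowercasing so that
# capital I folds to l while an ordinary lowercase i is left alone.
SINGLE_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})


def skeleton(handle: str) -> str:
    """Reduce a handle to a canonical 'skeleton' so visual look-alikes compare equal."""
    h = handle.lstrip("@").translate(SINGLE_CONFUSABLES).lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        h = h.replace(seq, repl)
    return h.replace("_", "")  # an inserted underscore is another cheap disguise


def is_lookalike(trusted: str, candidate: str) -> bool:
    """True when candidate is a *different* account whose skeleton matches trusted.

    Twitter handles are case-insensitive, so @DreamerHyena and @dreamerhyena are
    the same account and are never flagged against each other.
    """
    same_account = trusted.lstrip("@").lower() == candidate.lstrip("@").lower()
    return not same_account and skeleton(trusted) == skeleton(candidate)


def flag_replies(trusted: str, reply_handles: list[str]) -> list[str]:
    """Return every handle in a reply thread that impersonates `trusted`."""
    return [h for h in reply_handles if is_lookalike(trusted, h)]


# Constructed sample data: the trusted handle is assumed from the post's wording
# (two Ns replacing an M); the reply list mixes genuine and impersonating accounts.
TRUSTED = "@DreamerHyena"
REPLIES = ["@DreannerHyena", "@DreamerHyena", "@Dreamer_Hyena",
           "@lunatically", "@DREAMERHYENA", "@Drearnerhyena"]

if __name__ == "__main__":
    for h in flag_replies(TRUSTED, REPLIES):
        print(f"possible impersonation of {TRUSTED}: {h}")
```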

Of course, I was able to track them through every account change. And I’m going to explain how to do this because stopping scammers is kind of a recurring theme of this blog. (Cough cough.)

How to Track Polymorphic Twitter Accounts in Two Easy Steps

First, block them ASAP

No, you don’t have to do it from your main account. You just need to block them before they start dodging.

Open your Twitter Settings

On Twitter’s website, the order of operations is:

  1. Settings and privacy
  2. Privacy and safety
  3. Mute and block
  4. Blocked accounts

…Or you can just navigate to https://twitter.com/settings/blocked/all directly.

The account you most recently blocked will appear at the top of the list:

I kept refreshing to get their new @ every minute or so.

That’s all there is to it!

Questions and Answers

What About Muting Them?

This works just as well, and might even avoid tipping them off that you’re tracking them. However, when you go to report someone for violating the Twitter TOS through the easy button, you’re often prompted to block them too.

What I’m saying is: block them when Twitter prompts you to, to increase your chances of successfully capturing them in your blocked accounts list, then watch them shapeshift their way into a false sense of security.

What Can/Should I Do With This Information?

Ideally, this enables you to continue to point your followers and other would-be victims towards their current account so they can report it for impersonation.

Additionally, this will allow you to identify more of their targets as they morph around, so you can inform and protect them and their followers.

Do NOT use this for malicious purposes.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!
