Attackers are using Twitter's response to recent breach to phish account credentials, using SendGrid for their campaign

Background

On July 15, 2020, attackers were able to compromise 130 Twitter accounts (including several high-profile accounts) by calling Twitter employees and successfully convincing them to give the attackers access to internal Twitter tools, which in turn allowed the attackers to reset target account credentials alongside the two-factor authentication methods designed to protect those accounts. Though this is the most high-profile recent incident resulting from such an attack, Twitter is far from the only organization vulnerable to 'vishing' (voice phishing, i.e. phone-based spear phishing).

Responding to the attack, the official Twitter Support Twitter account tweeted that “we are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly”, later further tweeting that they had “detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

Phishing Attack

First Look Media staff have recently reported receiving a Twitter credential phishing email campaign in which the phishers use Twitter's official wording as part of the bait message to convince targets to supply their Twitter login credentials.

Twitter credentials harvesting phishing email campaign

The email body text contains wording that is almost identical to Twitter's official response, barring a few differences — "we are investigating and taking action to correct" versus "we are investigating and taking steps to fix it", and "we have detected what we believe to be a social engineering attack coordinated by people who have..." instead of "we detected what we believe to be a coordinated social engineering attack by people who have…". Notably, some news outlets reporting on both the first and second tweet had the same exact misquotations in their stories, indicating that the phishers copied the misquoted text from a news story they read about the Twitter hack, not from Twitter's official response.

The email then instructs the recipient to confirm their identity in light of the attack. The lure relies on targeted users having seen the news coverage of the Twitter security breach: because there really was a very public Twitter security incident, just as the email claims, the message appears more legitimate.

Phishing Campaign Delivery Platform of Choice: SendGrid

The phishing email purports to come from Twitter <support@auth-skjpwafxqua[.]com>, though this is a spoofed From address, as the domain auth-skjpwafxqua[.]com does not exist. Analysis of the headers reveals that the email was actually sent via xvfrtsws[.]outbound-mail[.]sendgrid[.]net.

Received-Spf: Pass (sender SPF authorized) identity=mailfrom; client-ip=168.245.118.150; helo=xvfrtsws.outbound-mail.sendgrid.net

The Sender Policy Framework (SPF) header from the phishing email, indicating that the email was sent via SendGrid

Multiple other headers (Authentication-Results, Dkim-signature, Received, Return-Path) further confirm that the phishing campaign was facilitated by SendGrid infrastructure.
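The header check described above, as an added example (not part of the original post): it compares the visible From domain with the domains that SPF and DKIM actually authenticated, and flags mail relayed through a bulk-mail platform when neither aligns. The raw message is a constructed sample modelled on the quoted Received-Spf line; the Return-Path and Authentication-Results values are assumptions, not the real captured headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the real captured email), modelled on the Received-Spf
# line quoted in the post; Return-Path and Authentication-Results are assumed.
SAMPLE_RAW = """\
Return-Path: <bounces+1234567-abcd-alice=example.org@sendgrid.net>
Received-Spf: Pass (sender SPF authorized) identity=mailfrom; client-ip=168.245.118.150; helo=xvfrtsws.outbound-mail.sendgrid.net
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=sendgrid.net; dkim=pass header.d=sendgrid.net
From: Twitter <support@auth-skjpwafxqua.com>
Subject: Confirm your identity

We are aware of a security incident impacting accounts on Twitter.
"""

ESP_RELAYS = ("sendgrid.net",)  # bulk-mail platforms worth flagging when unaligned

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _aligned(header_domain, auth_domain):
    # Relaxed alignment in the DMARC sense: same organizational domain.
    return bool(auth_domain) and (auth_domain == header_domain
                                  or auth_domain.endswith("." + header_domain)
                                  or header_domain.endswith("." + auth_domain))

def analyse(raw):
    """Compare the visible From domain with what SPF and DKIM authenticated."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    envelope_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    spf = msg.get("Received-Spf", "")
    helo_m = re.search(r"helo=([\w.-]+)", spf)
    dkim_m = re.search(r"header\.d=([\w.-]+)", msg.get("Authentication-Results", ""))
    helo = helo_m.group(1).lower() if helo_m else ""
    dkim_domain = dkim_m.group(1).lower() if dkim_m else ""
    spf_aligned = _aligned(from_domain, envelope_domain)
    dkim_aligned = _aligned(from_domain, dkim_domain)
    relayed_via_esp = any(helo == d or helo.endswith("." + d) for d in ESP_RELAYS)
    if spf_aligned or dkim_aligned:
        verdict = "aligned"
    else:  # SPF can pass for the relay while the From domain is unrelated
        verdict = "unaligned-esp-relay" if relayed_via_esp else "unaligned"
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "spf_result": spf.split(" ", 1)[0].lower(), "helo": helo,
            "dkim_domain": dkim_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "relayed_via_esp": relayed_via_esp,
            "verdict": verdict}
```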

SendGrid describes itself as being "the world's largest cloud-based email delivery platform", delivering "transactional and marketing emails". SendGrid claims that they employ "both technology and staff to prevent the sending of phishing emails", and that 99.97% of their 50 billion monthly emails are 'phish-free'. This means that SendGrid still presumably facilitates the sending of 15 million malicious emails a month — which may explain why SendGrid continues to be implicated in facilitating phishing and malware campaigns time and time and time again.

Using SendGrid to manage a phishing campaign gives an attacker a wide array of advantages that they may not otherwise have access to as readily. First, the attacker does not need their own mail server (let alone access to a compromised one) as they can use SendGrid's servers to send out their campaign. This has the further added benefit of making sure that the mail servers pass various spam verification checks. Aside from the email itself, SendGrid also conveniently allows the attacker to both obfuscate malicious links and to collect metrics about the victims. SendGrid offers its clients the ability to obfuscate links by replacing the actual link in an email with a custom-crafted SendGrid link, which in turn also facilitates click tracking. SendGrid further allows the attacker to see a variety of other email activity metrics, such as the number of targets who opened the email. Additionally, SendGrid allows attackers to search the Email Activity Feed of a campaign by 'requesting IP address', though this functionality does not appear to be further explained in SendGrid's documentation, so it remains unclear if this would allow attackers to exfiltrate targets' IP addresses as well.

Attack Chain

The phishing email, using the aforementioned lure of needing the target to confirm their identity in light of the recent Twitter 'security incident', attempts to have the user click the 'Confirm your identity' link button. The link initially points to a SendGrid link:

https://u18115378[.]ct[.]sendgrid[.]net/ls/click?upn=[redacted]

The use of the SendGrid email delivery service allows the attacker to both obfuscate the actual link, as well as to collect metrics about the targets.

The SendGrid link in turn points to:

https://t[.]co/bwqATtdYMw?amp=1

t.co is Twitter's link shortener service, which ironically is described by Twitter as being "part of a service to protect users from harmful activity"; here, instead, Twitter's URL shortener allows the attacker to once again obfuscate the actual payload link. Since Twitter's URL shortener is only available for links created on Twitter, the usage of a t[.]co link indicates that the attackers had a Twitter account, while the presence of the amp (Accelerated Mobile Pages) parameter indicates that the phishers may have used a mobile device. The t[.]co link in turn redirects to:

https://mobile[.]mobile[.]twittersafes[.]com/login

Twittersafes[.]com, one of hundreds of malicious Twitter look-alike domains, in turn presents the target with a login page requesting their Twitter credentials.

Twitter user credential phishing campaign landing page
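The three-hop chain above (SendGrid click tracker, t.co shortener, look-alike landing domain), walked and classified as an added example; this is not code from the original post. The HTTP client is replaced by a constructed redirect table so it runs offline, the click-tracking parameter value is a placeholder for the redacted one, and the look-alike check uses a last-two-labels simplification instead of the public suffix list.

```python
from urllib.parse import urlparse

# Constructed stand-in for an HTTP client: maps a URL to (status, Location).
# Mirrors the hops described in the post; the upn value is a placeholder.
REDIRECTS = {
    "https://u18115378.ct.sendgrid.net/ls/click?upn=REDACTED":
        (302, "https://t.co/bwqATtdYMw?amp=1"),
    "https://t.co/bwqATtdYMw?amp=1":
        (301, "https://mobile.mobile.twittersafes.com/login"),
    "https://mobile.mobile.twittersafes.com/login":
        (200, None),
}

BRAND_DOMAINS = {"twitter.com", "t.co"}     # legitimate hosts for the brand keyword
SHORTENERS = {"t.co"}
ESP_CLICK_SUFFIXES = (".ct.sendgrid.net",)  # click-tracking hosts rewritten into links

def registrable(host):
    # Simplification: last two labels; a real tool would consult the public suffix list.
    return ".".join(host.split(".")[-2:])

def classify(url):
    """Label one hop by the role it plays in hiding the real destination."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(ESP_CLICK_SUFFIXES):
        return "esp-click-tracker"
    if host in SHORTENERS:
        return "shortener"
    if "twitter" in host and registrable(host) not in BRAND_DOMAINS:
        return "brand-lookalike"
    return "other"

def fake_fetch(url):
    return REDIRECTS.get(url, (200, None))

def unwrap(url, fetch=fake_fetch, max_hops=10):
    """Walk redirects from url, returning [(url, label), ...]; stops on loop or hop limit."""
    chain, seen = [], set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        chain.append((url, classify(url)))
        status, location = fetch(url)
        url = location if 300 <= status < 400 else None
    return chain

def final_host(chain):
    return urlparse(chain[-1][0]).hostname if chain else None
```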

Attempting to access the payload mobile[.]mobile[.]twittersafes[.]com/login URL directly without first going through the t[.]co URL shortener results in 'rickrolling' - the website redirecting to Rick Astley's "Never Gonna Give You Up" music video, in an apparent attempt at evading analysis.

The phishing campaign site performs a rickroll if accessed without using the shortened URL

The main mobile[.]mobile[.]twittersafes[.]com site further displays an authentic-looking Twitter homepage:

Phishing campaign homepage

According to WHOIS records, the phishing domain was registered on June 21, 2020 (via Wild West Domains), while its SSL certificate (issued via Let's Encrypt) was registered on June 24, 2020. Both registrations thus predate the Twitter hack of July 15, the response to which the phishing campaign employed as its bait text.

This phishing campaign highlights the fact that attackers can attempt to leverage official responses to previous incidents as pretext to craft more convincing bait messages to lure targets to enter credentials or download malicious files.

Indicators of Compromise (IOCs)

Domains:
auth-skjpwafxqua[.]com
mobile[.]mobile[.]twittersafes[.]com

Intermediary URLs:
https://*[.]sendgrid[.]net/*
https://t[.]co/bwqATtdYMw

SSL Certificate:
Serial Number: 03:A3:CD:BC:7D:B2:51:D1:DD:A0:48:49:D2:4A:1F:51:81:38
SHA-256 Fingerprint: B2:95:0E:94:48:9C:8C:F8:53:B7:D2:61:13:65:E1:01:DF:80:73:96:5C:6D:C7:E5:4E:83:07:DC:C1:CD:F5:11