We’ve looked at the social engineering tactic of inserting a fake account into a conversation with legitimate support channels in the past, and today – thanks to Techhelplist – we can observe another one, this time going after Natwest bank logins.

How does this scam work?

1) Set up an imitation account of a real support channel on Twitter.

2) Trawl the mentions of an official support channel on Twitter (easy enough to filter), then barge into conversations between service X and customer Y as if you were the official support account. Smart scammers replicate the avatar, the Twitter handle (as closely as Twitter allows) and any other key identifiers. If they want to go one step further, they note when the real support account stops tweeting (everyone off duty / in bed) and send their spam during those hours, when nobody official is around to warn the customer.

3) Offer to help in some way by directing the victim to a phishing link.

4) If / when the phish page is taken down, switch to another one, and keep going until the fake Twitter account itself is suspended.

[Image: https://blog.malwarebytes.com/wp-content/uploads/2016/08/natwest-twitter-phish-account.jpg]

Some examples of how they’re sliding into your mentions can be seen below. Here’s a standard “Visit our link to update” message:

[Image: phish attempt 1]

Here’s an example of how the scammer jumps into an ongoing discussion:

[Image: phish attempt 2]

Below, we have a new customer sending a query to the official Natwest channel and – lo and behold – the scammer immediately steps in to take over:

[Image: phish attempt 3]

In this case, it appears the original phish link they were peddling has been banhammered, so we’re already at stage 4. The new site, located at

natwestonline-resolutioncenter(dot)16mb(dot)com

has so far had a grand total of 18 clicks via its Bitly stats. Here is the site in question, asking for the first stage of login details:

[Image: Natwest twitter phish]

This was a particularly clever scamming technique back in 2014, and it remains as slick as ever in 2016. Some tips when dealing with support channels on Twitter:

1) Most – if not all – financial services offering support on Twitter will have a blue Verified tick, and the tick is the one identifier a copycat account can't reproduce. Note that many non-financial businesses on Twitter don't have a tick, so its absence isn't conclusive proof one way or the other outside banking.

2) Is the support account trying to send you to a website? Is a query that doesn't really require a website visit being immediately directed somewhere you have to log in? Is the site asking you to log in sitting on a free webhost, or not served over HTTPS? If so, you should probably steer clear. (HTTPS on its own doesn't make a site legitimate, but a bank login page without it is a red flag.)

3) Does the support account have very few followers? An established brand's support account will have a great many more than the 2 followers of the scam account shown above.

4) Pay close attention to any and all replies – 10 seconds spent checking that the Twitter URL (the handle) of the account messaging you matches the account you initially spoke to is infinitely preferable to losing your bank login to a scammer. Look for swapped characters: a capital I in place of a lowercase l, a zero for an o, an extra underscore.
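The four tips above can be turned into a mechanical triage of the replies in a support thread. The script below is an added example, not code from Malwarebytes, Techhelplist or NatWest. It models a thread as a few constructed tweets, folds look-alike characters out of handles so a copycat handle collides with the real one, and checks verification, follower count and any link's scheme and hosting. The official handle @NatWest_Help, the look-alike @NatWest_HeIp (capital I for l), the follower counts and the free-host list are assumptions made for the example; the one phishing domain in the sample data is the one quoted in the post, written defanged and refanged in code.

```python
"""Heuristic triage of replies in a Twitter support thread (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed official handle of the account the customer originally wrote to.
OFFICIAL_HANDLE = "NatWest_Help"

# Assumed list of free webhosts a bank would never use for a login page.
# 16mb.com is the host quoted in the post; the others are illustrative.
FREE_HOSTS = {"16mb.com", "000webhostapp.com", "weebly.com", "blogspot.com"}

# Twitter handles are ASCII [A-Za-z0-9_], so only ASCII look-alikes matter.
# Applied before lower-casing so capital I folds to l.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})


@dataclass
class Tweet:
    handle: str
    verified: bool
    followers: int
    text: str
    urls: list = field(default_factory=list)


def canonical(handle: str) -> str:
    """Fold case and look-alike characters so near-matches collide."""
    return handle.lstrip("@").translate(CONFUSABLES).lower()


def assess(reply: Tweet, official: str = OFFICIAL_HANDLE) -> list[str]:
    """Return the red flags for one reply in a thread started with `official`."""
    flags: list[str] = []
    if reply.handle.lstrip("@").lower() == official.lstrip("@").lower():
        return flags  # tip 4: exact handle match, it is the account you contacted
    if canonical(reply.handle) == canonical(official):
        flags.append(f"handle @{reply.handle} is a look-alike of @{official}")
    else:
        flags.append(f"reply comes from @{reply.handle}, not the account you contacted")
    if not reply.verified:
        flags.append("account is not verified")  # tip 1
    if reply.followers < 100:
        flags.append(f"only {reply.followers} followers")  # tip 3
    for url in reply.urls:  # tip 2
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            flags.append(f"{url}: not HTTPS")
        if any(host == h or host.endswith("." + h) for h in FREE_HOSTS):
            flags.append(f"{url}: hosted on a free webhost")
    return flags


def refang(indicator: str) -> str:
    """Turn the post's defanged domain back into a real hostname."""
    return indicator.replace("(dot)", ".")


# Constructed sample thread, modelled on the screenshots described in the post.
PHISH_URL = "http://" + refang("natwestonline-resolutioncenter(dot)16mb(dot)com") + "/"
SAMPLE_THREAD = [
    Tweet("NatWest_Help", True, 50000,
          "Sorry to hear that. DM us and we'll take a look."),
    Tweet("NatWest_HeIp", False, 2,
          "Please visit our link to update your account", [PHISH_URL]),
    Tweet("helpful_stranger", False, 340,
          "Same happened to me, call the number on the back of your card."),
]


def triage(thread: list[Tweet], official: str = OFFICIAL_HANDLE) -> dict[str, list[str]]:
    """Map each replying handle to its red flags; empty list means nothing found."""
    return {t.handle: assess(t, official) for t in thread}


if __name__ == "__main__":
    for handle, flags in triage(SAMPLE_THREAD).items():
        status = "OK" if not flags else "SUSPICIOUS"
        print(f"@{handle}: {status}")
        for f in flags:
            print("   -", f)
```

The exact-match branch returns early on purpose: a reply from the account you actually contacted is the baseline, and the tips are about everyone else in the thread. The confusable table is deliberately small; the point is that a handle comparison done by eye is exactly what the scammer is betting you won't do carefully, so let code do it.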

Keep these tips in mind, and you’ll likely be all set where getting a little help on Twitter is concerned.

Christopher Boyd