Flash Report: Increased Demand for X Accounts in Dark Web Forum
Key Findings
- A new shop with exceptionally high numbers of social media accounts for sale, which first began trading under the name fireaccs[.]biz on the dark web forum xss on January 4, 2024, is gaining momentum amongst threat actors.
- On the store, X (formerly Twitter) accounts are significantly more numerous and in demand compared to other social media platforms. This is very likely indicative of their favor amongst a wide array of threat actors, given the perceived benefits of operating on X to advertise, brag, or disseminate content to a wider audience than on other platforms.
Details
A public shop that began trading under the name fireaccs[.]biz on the dark web forum xss on January 4, 2024, is gaining momentum amongst threat actors and has exceptionally high numbers of social media accounts associated with various different platforms for sale. The thread is operated by untested threat actor “fireaccs”, who updates the shop on a daily basis to meet customer demands. As a public shop, customers are able to buy goods without negotiating with the vendor.
- While such shops are not uncommon in deep and dark web (DDW) marketplaces, fireaccs is notable primarily for the sale of hundreds of thousands of X accounts in just several weeks—a rate that remains at a steady pace.
- The shop offers the sale of both new “bot” accounts and “aged” accounts, some of which are advertised with followers. Though the latter is more expensive, the former are selling in much higher numbers.
On the store, X accounts are significantly more numerous and in demand compared to other social media. This is very likely indicative of their favor amongst a wide array of threat actors, given the perceived benefits of operating on X versus other platforms. X accounts are almost certainly being increasingly implicated in various types of cybercrime that target individuals and organizations. This is enabled, to some extent, by:
- The allegedly lower levels of active internal regulation of accounts by X in comparison to its predecessor, Twitter. This results in fewer instances of accounts being suspended or banned for conveying controversial speech or otherwise violating the platform’s user guidelines.
- The ability of threat actors to leverage licit as-a-service tools to bypass Know Your Customer (KYC) protocols, which are often associated with the creation of social media accounts. This aids the automated registration of large numbers of accounts for a small price and in a short period of time—accounts which are then used to conduct various nefarious activities without fear of reprisal.
- The inherent anonymity often associated with X in comparison to other social media platforms, where users expect profiles to contain overt links to other legitimate profiles as a display of authenticity. This enables and encourages antisocial behavior.
- The ability for users to engage with audiences far beyond their immediate following. This increases the opportunity available for malicious messages or services to be publicized.
- The payments from the platform to users that are part of the Creator Ads Revenue Sharing Program and receive at least 5 million organic impressions on a post. This encourages the posting of contentious or inflammatory language that may be more likely to be widely shared.
Fireaccs sells accounts in both the Russian and English language, indicating a broad marketplace of customers who are almost certainly procuring accounts to conduct a diverse array of malicious activities known to take place on X. These are very likely to include:
- Non-fungible token (NFT) scams, which can include rug-pulling, the use of social engineering techniques to access users’ NFT account details, bidding scams, and the spreading of misinformation intended to artificially inflate NFT prices. Many X accounts sold on fireaccs claim to be optimized toward the use of NFTs and blockchain accounts.
- Crypto scams, which are very likely on an upward trajectory in 2024. Threat actors use bot accounts to manipulate the prices of cryptocurrencies and deliver crypto wallet-draining malware using phishing techniques, such as displaying malicious, redirecting ads to users.
- Verification scams, whereby threat actors masquerading as X staff offer users the platform’s popular blue checkmark in exchange for personal details, money, or both. Only users who have purchased X Premium are eligible to receive the blue tick on their profiles, as well as some notable public figures still associated with the now-legacy Twitter verification program.
ZeroFox Recommendations
- Ensure social media accounts are configured with organic security features, such as phishing-resistant multi-factor authentication and complex, unique passwords.
- Report accounts suspected as fake or those conducting malicious activity through the platform's internal report function.
- Be aware of the activity stemming from accounts with a recent creation date, limited activity, or those with seemingly nonsensical names.
- Ensure enterprise engagements taking place over social media platforms move to more secure channels when appropriate, protecting internal and customer data.
- Proactively monitor for compromised accounts being brokered in deep and dark web forums.
- Leverage cyber threat intelligence to inform the detection of ransomware and digital extortion (R&DE) threats; their associated tactics, techniques, and procedures (TTPs); and Indicators of Compromise (IOCs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management system, and ensure all business IT assets are updated with the latest software as quickly as possible.