TL;DR Dark Ops First Take – Twitter Scams and Hurricane Relief Fraud

3 minute read

TL;DR: Dark Ops First Take is a new series from our Dark Ops intelligence team that shares quick and initial observations regarding fraud and threat activity across the deep and dark web. We are sharing these fast-breaking events in near real-time; we will continue to monitor and evaluate the risk associated with the claims from these cybercriminals.

Cybercriminals Take Aim at Hurricane Ian Relief

The ZeroFox Dark Ops team has confirmed threat actors have exploited – and are continuing to exploit – Hurricane Ian victims to steal funds intended to aid those impacted by the Florida disaster. They have observed fraudulent relief application schemes to impersonate corporate entities to maximize the monetary size of the fake claim.

Figure 1: October 30, 2022: Russian-speaking threat actor “nrejek” announced on exploit[.]in that they are looking for Tax Forms 1120s for 2021.
Figure 2:  Adversary “nrejek” also posted this announcement in English

Figure 1 specifically calls out that the requested forms should only contain information about Florida-based corporate enterprises. The adversary also notes they are willing to partner with whoever can provide the requested forms. These are clear indicators that this threat actor is specifically targeting legal organizations impacted by Hurricane Ian. Because “nrejek” also published this message in English (Figure 2), it demonstrates interest in expanding their audience.

Trolling Tweetstorms: New Twitter Account Generator for Sale 

Twitter is generating increased attention with Elon Musk’s acquisition of the social media platform, and threat actors – primarily social engineers and trolls – are focusing efforts in this space, as well. Although authenticity problems have plagued Twitter for years, if a new account generation tool turns out to be as advertised, Twitter could see these problems escalate at a rapid rate.

The ZeroFox Dark Ops team has confirmed a Twitter account generator for sale on forum exploit[.]in. According to the October 17 announcement, posted by untested threat actor “ericluho,” the software – priced at $3,500 – is written in Golang and includes the full source code. The announcement also claims: 

  • Generated accounts are resistant to shadow banning
  • Generated accounts can bypass antibot detection
  • It is capable of generating thousands of Twitter accounts per hour
  • It can be used for any type of spam across Twitter

Because the accounts can be preset with NFT-related pictures, it appears to be targeting the NFT community. But, given its broad use cases, it is possible that despite the steep price tag, the software could generate wider interest. 

It is worth noting that because this adversary lacks an established reputation, the ZeroFox Dark Ops team is exercising caution before providing analysis and recommendations but will continue to track and monitor activity associated with this potential threat.

Figure 3: Forum message announcing the sale of a new Twitter account generator software

See ZeroFox in action