On Monday, while taking an early morning scroll through Twitter, I noticed a peculiar ad that seemed perfectly tailored to me, an unverified journalist who has tried to get verified, but gave up because Twitter temporarily suspended its verification program—with good reason, considering the heat it took for verifying a white nationalist—last fall.
The ad from Twitter user @asoiaf_ftw invited me to “Check out” a link to “Get verified on Twitter,” complete with a little white Twitter bird set against the company’s iconic blue background. “Begin now to receive the official blue badge,” the link description read, directing me to click on a link to twittersignup.info, which took me to a site that looked a lot like a Twitter help page, but wasn’t.
The page, which lifted its language almost directly from Twitter’s own verification help page, directed me to fill out my information on a second website, twitterverifiedapplication.com, which is still active and claims that “to prevent identity confusion, Twitter is now offering the ‘verification form.’ We’re working the [sic] establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a [blue checkmark] are the official accounts.” It then asks users to enter how many followers they have, their phone number, and finally their account password.
This is a phishing attack: an attacker lures users into handing over account details such as a password or a credit card number, which can then be used to take over the account or steal their money. Even with two-factor authentication turned on, a victim who reuses their Twitter password for the email account tied to that Twitter login gives the attacker a way to change the password or other account details and lock the real owner out.
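Both domains in this scam, twittersignup.info and twitterverifiedapplication.com, share the telltale of real phishing lures: the brand name appears in the hostname, but the registrable domain is not one the brand controls. The following is an added example (not code from the article or from Twitter) of the check an ad-review or mail-filtering pipeline would run over a link before serving it. The allowlist of official domains is an assumption kept deliberately short, and the confusable-character map covers only a few common substitutions.

```python
from urllib.parse import urlsplit

# Assumption: a short, illustrative allowlist of domains Twitter controls.
# A production filter would carry the company's full list.
OFFICIAL_DOMAINS = {"twitter.com", "t.co", "twimg.com"}

# Common look-alike substitutions attackers use to spell a brand name.
# Multi-character pairs are applied first so "vv" is not split apart.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "i"), ("l", "i")]


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (help.twitter.com -> twitter.com).

    Simplification: multi-label public suffixes such as co.uk are not handled;
    a real filter would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_host(host: str) -> str:
    """Fold common confusable characters so tw1tter / twltter read as twitter."""
    folded = host.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def classify_url(url: str, brand: str = "twitter") -> str:
    """Classify a link as 'official', 'lookalike' or 'unrelated' to the brand.

    A link is only 'official' when its registrable domain is on the allowlist,
    so twitter.com.evil.example is caught even though it starts with twitter.com.
    """
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    if brand in normalize_host(host):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample: the two domains from the article plus a few variants.
    for link in [
        "https://help.twitter.com/en/managing-your-account",
        "http://twittersignup.info/",
        "https://twitterverifiedapplication.com/",
        "https://twitter.com.evil.example/login",
        "https://tw1tter.com/",
        "https://example.org/",
    ]:
        print(f"{classify_url(link):10s} {link}")
```

The check is deliberately conservative in one direction: anything not on the allowlist that still spells the brand name is flagged, which is exactly the class of links an ad about "getting verified on Twitter" should never be allowed to point at.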
I emailed Twitter to ask if the company was aware that it was running ads for fake Twitter products; a spokesperson responded that they “don’t comment on individual accounts for privacy and security reasons.” But considering the company’s verification program is on hold, the account that ran the phishing attack may find some easy victims. It’s still active on Twitter.
For whatever reason, the account, @asoiaf_ftw, also appears to have a serious fascination with Deputy Attorney General Rod Rosenstein and corruption in the Trump White House, having replied to Trump’s Twitter account 10 times in the past 24 hours, mostly about Russia, and taking the time to highlight sections of a recent report from House Democrats on Russian interference in the 2016 election.
Which, at the very least, is a convenient reminder. Primaries for the 2018 midterms are already underway. Candidates are revving up their campaigns for what’s sure to be a high-stakes race. And, as with 2016, much of that campaigning will happen over social media. But if Twitter isn’t even screening out ads impersonating Twitter, there’s a good chance the company isn’t quite ready for what the campaign season will bring—i.e. all kinds of bots and trolls running wild across Twitter, Facebook, Instagram, and maybe even Pokémon Go, from Russian agents and domestic provocateurs alike. The first thing it ought to verify is that it cares about cleaning up this mess before it really begins.