Novel scam spoofs CNN and impersonates Apple within one ad on X


Scammers on X (formerly Twitter) are running ads luring users with a fake “iToken” product. The new scam abuses the Apple brand, spoofs a landing page URL to show CNN, but ultimately leads users to a malicious website with a faux Tim Cook peddling a non-existent token.

Silent Push, a threat intelligence firm, discovered a new finance scam targeting X users. Cybercriminals abuse a loophole in X's advertising system to appear legitimate.

Users observe fraudulent ads appearing multiple times in their feeds, posted by different X accounts. The crypto scam impersonates Apple’s brand and uses Apple’s logo to promote a fraudulent “iToken.”

The featured URL appears to lead to CNN. However, if a victim clicks the ad, it will direct them to a malicious website.

“The scam encourages visitors to create an account and buy a token positioned as coming from Apple; the website also includes a fake testimonial from Apple CEO Tim Cook,” Silent Push explains in a report.

The hackers provide 22 different wallet options for victims to send funds.

The researchers found a network of nearly 90 financial scam websites dating back to 2024, all appearing to originate from the same threat actor group. However, this appears to be the first time these hackers have purchased ads on X with a spoofed display URL.

How did the hackers do this?

Cybercriminals trick X bots when they’re creating the ads. For bots checking the website, it appears they’re really visiting the CNN website. However, any other user will be directed to another site.

“When an X/Twitter user inputs a URL into a tweet, Twitter sends their bot to request the page and load up metadata via a Twitter card,” the researchers explain.

The attackers' server can identify bots by their consistent User-Agent string, a request header that declares the browser, OS version, and other data so that a site can deliver a compatible version of itself. The hackers therefore redirect bots to legitimate sites like CNN, which causes X to display a misleading preview card.

Attackers can also utilize URL shorteners pointing to benign websites to obtain the Twitter card metadata, generate the card, and then later change the destination to the malicious website.

Researchers tracked the chain of redirects, which had at least two hops through shortened URLs before it landed on the malicious site ipresale[.]world.
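A defender-side check for the cloaking described above, as an added example that is not from the Silent Push report or this article: it requests the same ad URL once as X's card crawler and once as a browser, then compares the final hosts. The `fetch_chain` callback, the sample chains, and every `.example` host are constructed assumptions, and `Twitterbot/1.0` is assumed to be the user agent the crawler sends.

```python
from urllib.parse import urlsplit

# Assumed user agents: X's card crawler announces itself as Twitterbot;
# the browser string is an arbitrary desktop sample.
CRAWLER_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"

def host(url):
    """Lower-cased hostname with a leading 'www.' removed."""
    name = (urlsplit(url).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def check_cloaking(url, fetch_chain):
    """Compare where the card crawler and a browser end up for one ad URL.

    fetch_chain(url, user_agent) must return the list of URLs visited,
    starting URL first and final landing URL last.
    """
    bot_chain = fetch_chain(url, CRAWLER_UA)
    user_chain = fetch_chain(url, BROWSER_UA)
    card_host, landing_host = host(bot_chain[-1]), host(user_chain[-1])
    return {
        "card_host": card_host,          # what the preview card is built from
        "landing_host": landing_host,    # what a person actually reaches
        "redirect_hops": len(user_chain) - 1,
        "cloaked": card_host != landing_host,
    }

def sample_fetch_chain(url, user_agent):
    """Constructed stand-in for an HTTP client; all hosts are placeholders."""
    if url == "https://short.example/a":
        if "Twitterbot" in user_agent:
            return [url, "https://www.news.example/story"]
        return [url, "https://short2.example/b", "https://presale.example/register"]
    return [url]  # no redirect, same answer for every client

if __name__ == "__main__":
    for ad_url in ("https://short.example/a", "https://blog.example/post"):
        print(ad_url, check_cloaking(ad_url, sample_fetch_chain))
```

A single comparison misses the shortener variant in which the destination is changed after the card is generated, so the check has to be repeated over time.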

The malicious landing page was a traditional cryptocurrency “presale scam” encouraging users to create an account and buy “iToken,” masquerading as coming from Apple.

“If you click on the ‘Buy Now’ link, you’re taken to a ‘/register’ page that further features (and abuses) the Apple brand,” the researchers noted.

The phony Cook lures users with a quote that reads, “Excited for the future of blockchain with I Coin. Stage 3 presale is live at $4.5—next stop, $27.50. Secure, transparent, and built for the decentralized world ahead. Now’s the time. #ICoin #BlockchainFuture.”

At the time of writing, the campaign is still ongoing, with both the malicious X ads and the landing websites online.

The Silent Push researchers discovered multiple domains used for this campaign and dozens of others utilized in previous financial scams. Many of them had connections to numerous domains in Russia; however, these links do not confirm a definite connection.

“While it’s no surprise that there are financial scams on X/Twitter, especially those that impersonate major brands, this most recent campaign’s ability to spoof the visible X advertising URL is a novel method for tricking potential victims, one only occasionally seen in the wild,” the report concludes.

Cybernews recently reported on another scam on X, where hackers hijack legitimate accounts and target crypto enthusiasts via personal messages.