As microblogging site Twitter plans to charge for account verification, some people have started receiving phishing emails to steal the passwords of unwitting users.
According to TechCrunch, the phishing email campaign asks Twitter users to enter their usernames and passwords on an attacker’s website masked as a Twitter help form.
The email was sent from a Gmail account to several people that were linked to a Google Doc with another link to a Google Site, which lets users host web content.
This could make Google’s automatic scanning tools more difficult to detect abuse by creating several layers of obfuscation.
The page itself contained an embedded frame from another site hosted on the Russian web host Beget that asked for the user’s Twitter handle, password, and phone number which was enough to compromise accounts that do not use stronger two-factor authentication, according to the report.
Meanwhile, TechCrunch alerted Google about the phishing site and it was taken down shortly afterwards.
“Confirming we have taken down the links and accounts in question for violations of our programme policies,” a Google spokesperson was quoted as saying.
Currently, Twitter has a verification process that requires celebrities and other people of interest to confirm their identities.
Additionally, it offers Twitter Blue, a monthly subscription that allows for more service customisation.