Earlier today, someone took over the Twitter account of Mandiant, a Google subsidiary and American cybersecurity company, to spread a cryptocurrency scam by pretending to be the Phantom crypto wallet.
“A representative from Mandiant informed us that they are aware of the issue affecting the Mandiant X account and are working to fix it.”
Once in control, the attacker renamed the account to @phantomsolw, advertised a phony website posing as the Phantom cryptocurrency wallet, and offered a free airdrop of $PHNTM tokens.
Those who click the “Claim Airdrop” button without the Phantom wallet installed are redirected to the official website and asked to install it.
Once the wallet is installed, the targets’ cryptocurrency wallets are automatically emptied. Phantom Wallet now warns users that the website used by the con artists is part of a phishing attack.
“This website is dangerous and potentially harmful,” Phantom’s warning states. “To safeguard you and your funds, we have disabled the ability to interact with it.”
Since deleting the fake tweet, the threat actor behind the attack has been using the account to troll Mandiant, posting messages such as “Sorry, change password please.” and “Check bookmarks when you get the account back.”
The attacker also retweeted posts from the official Phantom account, including advice to “never rush into clicking links,” most likely to lend credibility to future cryptocurrency scam posts.
Mandiant’s original account, @mandiant, now returns the error message “This account doesn’t exist. Look for another, if you can.”
Mandiant reported that they are in the process of restoring the account on X after regaining control of it.
The username is still listed as “@phantomsolw” as of this update, most likely as a result of Twitter’s ban on name changes that occur too frequently.
Mandiant X account compromised for a cryptocurrency scam
A security breach occurred earlier today on the Twitter account of Mandiant, a well-known American cybersecurity company and Google subsidiary. An unidentified scammer gained access to the account and used it to run a cryptocurrency scam with the Phantom crypto wallet as a front.
In a swift response to the event, company representatives acknowledged the Mandiant security breach in a statement.
The statement, “We are aware of the incident impacting the Mandiant X account and are working to resolve the issue,” gave the public confidence that the company was actively addressing the problem. It continued: “Since then, we’ve taken back control of the account and are attempting to get it back.”
Nevertheless, the statement omitted information about how the account was breached.
At first, the compromised Mandiant account was made to impersonate Phantom, a business that specializes in cryptocurrency wallets.
The hijacked account prompted users to visit a dubious website to find out whether their cryptocurrency wallet qualified for a token reward.
Mandiant staff played a game of cat and mouse with the scammer for several hours, deleting fake posts only to have them resurface.
The scammer eventually escalated the situation by changing the @mandiant username and adopting a new identity. No longer visibly affiliated with Mandiant, the fraudulent account continued to advertise a phony website imitating Phantom and lured visitors in with the promise of free tokens.
A mysterious message asking Mandiant to “check bookmarks when you get the account back” and “change password please” was also left by the phony account.
As of the most recent update, the Mandiant profile returned “This account doesn’t exist.”
The incident raises doubts about the security protocols protecting the X account of Mandiant, a company renowned for its cybersecurity expertise and for helping clients recover from major network breaches.
There are still unanswered questions about the account’s password strength and whether two-factor authentication was enabled. Adding to the uncertainty are recent reports of a possible vulnerability in the social media platform that was reportedly disclosed through reputable channels but did not meet the requirements of the bug bounty program.
As people expressed surprise and conjectured about the circumstances, social media reactions poured in. Due to the confusion created by the Mandiant security breach, some tweets suggested rebranding or account selling.
One user noticed that the hackers’ promotion of cryptocurrency scams coincided with the ninth anniversary of FireEye’s acquisition of Mandiant and remarked on their poor decision.
“Mandiant Twitter account gets hacked and all the hackers come up with is promoting freaking Cryptocurrency scams? Stupid! I had anticipated better,” one user said, sounding somewhat humorous but critical of the hackers.
A different tweet emphasized the apparent irony of Google acquiring Mandiant and made the argument that a well-known cybersecurity company like this ought to have strong internal security procedures.
Adding to the mystery, attempts to contact Phantom for comment were reportedly unsuccessful.
The Mandiant security breach highlights concerns about the safety of high-profile accounts and the risks posed by cyberattacks targeting businesses that hold important knowledge of worldwide cybersecurity threats.