April 10, 2024

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”

Original story:

The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.

A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.

The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered space-twitter.com, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.

Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).

The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.

Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.

“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”


33 thoughts on “Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

  1. Vinny

    It’s been patched already, before anyone could abuse, click-bait article.

      1. BrianKrebs Post author

        I started reporting this last night, when it was still very much a thing. The story has been updated to note that Twitter/X apparently has fixed its mistake.

        1. D

          Hopefully the coders behind this innovative case, and those who tested the work, do not go anywhere near the alleged blue-sky-one-day-promise self-driving vehicle elon keeps hyping to pump his stock.
          It is known Elon uses his companies interchangeably and brought Tesla people to X, so no doubt the reverse can happen.
          Or, perhaps, he lost the password to his fiverr account 🙂

    1. Bob

      Even if it was patched, this was a monumental blunder. Lessons learned in outsourcing your regex to high schoolers.

      1. BrianKrebs Post author

        Yes, and unlikely to help the CEO with his efforts to win back advertisers and major brands, many of whom are probably hopping mad about this.

    2. Catwhisperer

      But the fact is that Twitter systems admins and operators made a newbie mistake, and didn’t test their changes. And we surely will take your word that the problem has been resolved…

    3. Justin

      Even if it has been patched, it shows a lack of quality control on the part of Twitter/X. This is an elementary mistake that should have easily been caught through proper testing. Also sounds like it took them at least 2 days to fix it given the increase in domain registrations ending in twitter.

    4. RWKOS

      Seriously? KOS doesn’t need to do click bait.

  2. RWKOS

    #EMTGFUIT.

    Everything Musk Touches Gets FU In Time.

  3. Volodymyr Solovyov [cyka blyat’]

    Don’t cry you bitch

    1. BrianKrebs Post author

      And on cue, the bot/troll accounts arrive to do their thing. Someone is submitting a lot of these comments. Typical.

      1. Dennis

        You hit a lot of nerve with the russian trolls for sure. My guess is that “your love” for mother ruzzia is egging them on.

  4. Dennis

    This is what happens when a manchild fires all the good developers.

    Although, Brian, I’m not sure I understand how fedex.com turned into fedetwitter.com when they were replacing twitter.com with x.com?

    1. Daniel

      You can call him a manchild if you like, but that manchild has more money than you…and was smart enough to purge Twitter/X of the indoctrinated horde…

      1. Dave Horsfall

        And replaces them with sycophants too frightened to challenge him? Yep, that’s progress…

      2. Fr00tL00ps

        “was smart enough to purge Twitter/X of the indoctrinated horde…”

        … and replaced them with a vile pit of indoctrinated Andrew Tate wannabees, costing said manchild billions in advertising revenue. LOL

        Your comment is not the flex you think it is.

    2. Wataku

      fedetwitter.com -> (replace all instances of ‘twitter.com’ with ‘x.com’) -> fede(twitter.com) -> fede(x.com) -> fedex.com

    3. PeterinFtL

      I think it goes like this (Brian will correct me):

      A bad actor registers a Domain called completwitter.com, and creates a tweet with the text and underlying URL completwitter.com.

      Along comes X’s silly bot and changes the text in the tweet to complex.com, but leaves the underlying URL as-is, namely completwitter.com.

      An unsuspecting user sees the tweet with text complex.com and clicks on it, and is taken to the site built by the bad actor for completwitter.com.

      Does that help?

      –PeterinFtL

  5. Colin B Wood

    I think we can just say, “Elon Musk” to explain this debacle! Glad it’s been found, being dealt with, and reported. Thank you, Kerbs on Security! You saved me from some major issues this morning, or yesterday with reports on Microsofts major security issues and required updates. I took care of that, immediately!

    You are the top notifier of web security awareness!

    Colin Wood

  6. Moike

    This is an epic but ‘clbuttic’ text substitution mistake!

  7. nah

    krebs still big mad with TDS and his hate for elon and free speech.

    1. d

      Do they teach rudimentary English where you live? Or if this is your fifth language? I suppose we should be grateful that you’ve tried. Mostly when writing English, we use a capital letter (that is a B for big letter) at the start of a sentence.

      Krebs IS still mad… (if so, I guess you have the evidence). As in use “is” – not the big letters that I used for emphasis.

      Elon is a person’s name, so it also has a capital letter.

      My daughter could understand this by, oh maybe the seventh grade, and English is her third language.

      Even I can manage better and I have a visual handicap (so severe, for example, that I cannot drive a motor vehicle).

      If you are going to insult somebody, try doing it properly.

      You might not be American, neither am I, but even I have a rudimentary understanding of the concept of free speech and Constitutional protections in that country. Much of the same provisions are broadly applicable in most civilised countries anyway. Just because you might open your mouth and shout fire in a crowded theatre, when there is no fire, does not mean your free speech is emasculated when you appear in front of a judicial body.

  8. u mad?

    krebs still big mad with TDS and his hate for elon and free speech.

    1. Mr. Morningstar

      Your hatred of the English language is evident.

Comments are closed.