
    Twitter’s clumsy move to X.com is a gift to phishers – Krebs on security

    By techempire

    On April 9, Twitter/X began automatically modifying links mentioning “twitter.com” to redirect to “x.com”. But dozens of new domain names have been registered in the past 48 hours, demonstrating how this change can be exploited to craft convincing phishing links, e.g. fedetwitter[.]com, which is currently rendered as fedex.com in a tweet.

    This message currently appears when a user visits carfatwitter.com, which Twitter/X will now display as carfax.com in tweets and messages.

    A search on DomainTools.com shows that at least 60 domains ending in “twitter.com” have been registered in the past two days, although research to date suggests that most of these domains were registered “defensively” by private individuals to prevent the domain names from being purchased by scammers.

    These include carfatwitter.com, which Twitter/X will now truncate to carfax.com when the domain appears in a user message or tweet. Visiting this domain currently displays a message that begins “X Corp, are you serious?”

    The same message appears on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). Messages left on these domains indicate they were defensively registered by a user on Mastodon whose resume states they are a system administrator/engineer. The profile has not responded to a request for comment.

    Many of the new domains containing “twitter.com” appear to have been defensively registered by Japanese Twitter/X users. The netflitwitter.com domain (netflix.com, to Twitter/X users) now displays a message stating that the domain was “obtained to prevent its use for malicious purposes” along with a Twitter/X username.

    The domain mentioned at the beginning of this article – fedetwitter.com – redirects users to a Japanese tech enthusiast blog. A user named “amplest0e” appears to have already registered space-twitter.com, which Twitter/X users would now see as the CEO’s “space-x.com.” The domain name “ametwitter.com” has been redirected to the real americanexpress.com.

    Some recently registered domains ending in “twitter.com” are currently unresolvable and do not contain any useful contact information in their registration records. These include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).

    The domain setwitter.com (which Twitter/X currently renders as “sex.com”) redirects to a blog post warning about the recent changes and their potential for phishing.

    McNee, DomainTools’ vice president of research and profiles, told KrebsOnSecurity that Twitter/X does not appear to be limiting its redirect efforts appropriately.

    “Given the opportunity, bad actors can register domains to divert traffic from legitimate websites or brands – many of these brands in the top 1 million domains end in x, such as webex, hbomax, xerox, xbox, etc.,” McNee said. “It is also worth noting that several other popular global brands such as Rolex and Linux are also on the list of registered domain names.”
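The scoping failure McNee describes, as an added example (not code from Twitter/X, KrebsOnSecurity or DomainTools): a substring rewrite beside one that parses the URL and rewrites only when the host is twitter.com itself or a subdomain of it. The function names, the rewrite rule and the subdomain mapping are assumptions; the sample domains are the defensively registered ones named in this article.

```javascript
// Added example. The rewrite rule is an assumption, not X's actual code.
const FROM = "twitter.com";
const TO = "x.com";

// Naive: swaps the string wherever it occurs, so any host that merely
// ends in "twitter.com" is displayed as a different host ending in "x.com".
function naiveDisplay(link) {
  return link.replace(/twitter\.com/gi, TO);
}

// Scoped: parse first, then rewrite only when the host IS twitter.com or a
// true subdomain (".twitter.com" enforces a DNS label boundary).
function scopedDisplay(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return link; // not an absolute URL: leave untouched
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host === FROM) {
    url.hostname = TO;
  } else if (host.endsWith("." + FROM)) {
    url.hostname = host.slice(0, -FROM.length) + TO; // subdomain mapping is assumed
  } else {
    return link;
  }
  return url.toString();
}

// Return the links whose displayed host differs from the real destination
// host, excluding genuine twitter.com hosts (where the change is intended).
function misleading(links, display) {
  return links.filter((link) => {
    const real = new URL(link).hostname;
    const genuine = real === FROM || real.endsWith("." + FROM);
    return !genuine && new URL(display(link)).hostname !== real;
  });
}

// Constructed sample links; the lookalike domains are those named above.
const SAMPLE = [
  "https://twitter.com/example",
  "https://carfatwitter.com/",
  "https://netflitwitter.com/",
  "https://space-twitter.com/",
  "https://example.com/?ref=twitter.com",
];

console.log(misleading(SAMPLE, naiveDisplay));
console.log(misleading(SAMPLE, scopedDisplay));
```

The same `misleading` check can be run by a brand-monitoring team over newly registered domains to see which ones a substring rewrite would display as their own.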

    The apparent oversight by Twitter/X has amused and surprised many former users, who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at the School of Information at the University of California, Berkeley, summed up the schadenfreude this way:

    “Twitter just does ‘redirect links in tweets to x.com to twitter.com, but accidentally does this for all domains ending in x.com (e.g. spacex.com goes to spacetwitter.com)’. This is definitely not the funniest thing I could imagine, but it’s high up there.”


