Cash App targeted by Twitter scams

Cash App, the person-to-person (P2P) payment service application from Square is being targeted by a number of scams using Twitter and Instagram to lure victims.

It's easy to see why Cash App is a prime target, the app has been downloaded 59.8 million times since its 2013 launch, it's been name checked by popular rap artists, and some brands -- including Burger King -- have used it as part of marketing campaigns.

Tenable researcher Satnam Narang has uncovered a number of scams seeking to exploit the #CashAppFriday promotion. This is a legitimate Twitter giveaway in which users reply with a unique ID for the potential to earn hundreds or even thousands of dollars, but it's become a magnet for scammers.

Cash App has more than 450,000 Twitter followers and the promotion has been mentioned over 1.2 million times. Methods used by the scammers to exploit this popularity include direct messaging about 'cash-flipping', promising to modify (or 'flip') the transaction with some software that allows them to change the value in Cash App. They are also replying on Twitter threads during the promotion and claiming to give away X amount of dollars to the first Y amount of users to retweet.

This is used for phishing attacks where scammers will 'ride the hashtag' and direct message users about winning the #CashAppFridays giveaway, sending a website link. From there, the website says that the cashtag $cash -- which is unaffiliated with Cash App -- has 'initiated a deposit of $1,000 to your Cash App.' Then the website uses a valid SSL certificate from Let's Encrypt, a non-profit certificate authority, to ask for an email or phone number. In lieu of a password, Cash App asks for an email address or phone number that triggers a request for a one-time use login code. When the user provides their information to one of the phishing websites, a payment failed notification pops up on a fake webpage but the scammer now has the information needed to access their account.

There are also impersonation attacks where scammers will claim to be Cash App customer service representatives, using official image assets from Cash App, or images that are similar but not exactly the same. In some instances, they'll use real photos of people, oftentimes business headshots of entrepreneurs that appear professional.

Tenable has notified Cash App of its findings and the company responded:

We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (eg: use our name or logo without permission) or seek to take advantage of our customers.

As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately.

You can find out more on the Tenable blog.

Image Cedit: karen roach/Shutterstock