Hacker News
by renlo 806 days ago
If `twitter.com` is mapped to `x.com`, then a link `carfatwitter.com` will go to the non-malicious `carfax.com`, so registering `carfatwitter.com` seems to be just a stunt. When would `carfax.com` redirect to `carfatwitter.com`? URLs with `twitter.com` in the name are affected, not URLs with `x.com` in the name.

edit: from the responses it looks like I was wrong; the URLs still point to `carfatwitter.com`. Leaving my comment up in case others were confused like me.

4 comments

It appears the substitution only affected the text of the link, not the destination.
It's not a redirect but rather a rewriting of the URL.

e.g. "https://twitter.com/{acc}/status/{id}" -> "https://x.com/{acc}/status/{id}".

So if you post "https://carfatwitter.com/scam" it will be rewritten to "https://carfax.com/scam". Essentially search and replace of twitter.com -> x.com, 's/twitter.com/x.com/g'.

I infer that the display was getting rewritten, but the underlying target of the link would not. So if you posted "carfatwitter.com", the UI would display "carfax.com" but the underlying link would still go to "carfatwitter.com".

Note I have no direct experience with this, it's just the only way this makes sense as a phishing vector. The alternative is that it is being presented as a phishing vector, but was never actually useful as such, and people are just jumping up to yell about a security issue without it actually being one. That happens too.

The links themselves are unchanged, just how they display. So if you type carfatwitter.com in a tweet, then it will display as carfax.com, but if you click on the link, it will still redirect you to carfatwitter.com.
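An added example (not from the thread) in JavaScript showing the mismatch the commenters describe: a naive substring rewrite of a link's display text leaves the href pointing at the original host, while a hostname-aware rewrite only touches links whose host actually is twitter.com. The function names and the `/scam` path are constructed; `carfatwitter.com` is the domain from the thread.

```javascript
// Naive rewrite as described in the thread: search-and-replace on the
// display string, so any host merely containing "twitter.com" is altered.
function naiveDisplayText(url) {
  return url.replace(/twitter\.com/g, "x.com");
}

// Hostname-aware rewrite: parse the URL and swap the host only when it is
// exactly twitter.com or a subdomain of it. Non-URLs are left as-is.
function safeDisplayText(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return url;
  }
  const host = parsed.hostname.toLowerCase();
  const suffix = "twitter.com";
  if (host === suffix) {
    parsed.hostname = "x.com";
  } else if (host.endsWith("." + suffix)) {
    parsed.hostname = host.slice(0, -suffix.length) + "x.com";
  }
  return parsed.toString();
}

// Render a link the way the UI would: href keeps the posted destination,
// only the visible text goes through the rewrite function.
function renderLink(url, rewrite) {
  return { href: url, text: rewrite(url) };
}

// Detection check: the visible text should name the same host that a
// correct rewrite of the href would. Anything else is a display mismatch.
function displayMismatch(link) {
  try {
    const shownHost = new URL(link.text).hostname;
    const expectedHost = new URL(safeDisplayText(link.href)).hostname;
    return shownHost !== expectedHost;
  } catch {
    return true; // unparsable text cannot be trusted to match the href
  }
}
```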