New X Account Takeover Attack Targets Crypto Community

A new sophisticated phishing campaign is targeting the X accounts of crypto personalities, using tactics that bypass two-factor authentication and appear more credible than traditional scams.

According to a Wednesday X post by crypto developer Zak Cole, a new phishing campaign leverages X’s own infrastructure to take over the accounts of crypto personalities. “Zero detection. Active right now. Full account takeover,” he said.

Cole highlighted that the attack does not involve a fake login page or password stealing. Instead, it leverages X application support to gain account access while also bypassing two-factor authentication.

MetaMask security researcher Ohm Shah confirmed seeing the attack “in the wild,” suggesting a broader campaign, and an OnlyFans model was also targeted by a less sophisticated version of the attack.

Related: Blockstream sounds the alarm on new email phishing campaign

Crafting a credible phishing message

The notable feature of the phishing campaign is how credible and discreet it is. The attack begins with an X direct message containing a link that appears to redirect to the official Google Calendar domain, thanks to how the social media platform generates its previews. In the case of Cole, the message pretended to be coming from a representative of venture capital firm Andreessen Horowitz.

The domain that the message links to is “x(.)ca-lendar(.)com” and was registered on Saturday. Still, X shows the legitimate calendar.google.com in the preview thanks to the site’s metadata exploiting how X generates previews from its metadata.

“Your brain sees Google Calendar. The URL is different.“

When clicked, the page’s JavaScript redirects to an X authentication endpoint requesting authorization for an app to access your social media account. The app appears to be “Calendar,” but technical examination of the text reveals that the application’s name contains two Cyrillic characters looking like an “a” and an “e,” making it a distinct app compared to the actual “Calendar” app in X’s system.

Related: Phishing scams cost users over $12M in August — Here’s how to stay safe

The hint revealing the attack

So far, the most obvious sign that the link was not legitimate may have been the URL that briefly appeared before the user was redirected. This likely appeared for only a fraction of a second and is easy to miss.

Still, on the X authentication page, we find the first hint that this is a phishing attack. The app requests a long list of comprehensive account control permissions, including following and unfollowing accounts, updating profiles and account settings, creating and deleting posts, engaging with posts by others, and more.

Those permissions seem unnecessary for a calendar app and may be the hint that saves a careful user from the attack. If permission is granted, the attackers gain access to the account as the users are given another hint with a redirection to calendly.com despite the Google Calendar preview.

“Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,” Cole highlighted.

According to Cole’s GitHub report on the attack, to check if your profile was compromised and oust the attackers from the account, it is recommended that you visit the X connected apps page. Then he suggests revoking any apps named “Calendar.”

Magazine: Fake JD stablecoins, scammers impersonate Solana devs: Asia Express