New advanced X account takeover attack targets crypto community

A new sophisticated phishing campaign is targeting the X accounts of crypto personalities, using tactics that bypass two-factor authentication and appear more credible than traditional scams.

According to a Wednesday X post by crypto developer Zak Cole, a new phishing campaign leverages X’s own infrastructure to take over the accounts of crypto personalities. “Zero detection. Active right now. Full account takeover,” he said.

Cole highlighted that the attack does not involve a fake login page or password stealing. Instead, it leverages X application support to gain account access while also bypassing two-factor authentication.

MetaMask security researcher Ohm Shah also confirmed seeing the attack “in the wild,” suggesting a broader campaign, and an OnlyFans model was also targeted by a less sophisticated version of the attack.

Related: Blockstream sounds the alarm on new email phishing campaign

Crafting a credible phishing message

The notable feature of the phishing campaign is how credible and discreet it is. The attack begins with an X direct message containing a link that appears to redirect to the official Google Calendar domain, thanks to how the social media platform generates its previews. In the case of Cole, the message pretended to be coming from a representative of venture capital firm Andressen Horowitz.

The phishing link is in the message. Source: Zak Cole

The domain that the message links to is “x(.)ca-lendar(.)com” and was registered on Sept. 20. Still, X shows the legitimate calendar.google.com in the preview thanks to the site’s metadata exploiting how X generates previews from its metadata.

“Your brain sees Google Calendar. The URL is different.“

Phishing site’s metadata. Source: Zak Cole

When clicked, the page’s JavaScript redirects to an X authentication endpoint requesting authorization for an app to access your social media account. The app appears to be “Calendar,” but technical examination of the text reveals that the application’s name contains two Cyrillic characters looking exactly like an “a” and an “e” — making it a distinct app compared to the actual “Calendar” app in X’s system.

Phishing X authorization request. Source: Zak Cole

Related: Phishing scams cost users over $12M in August — Here’s how to stay safe

The hint revealing the attack

So far, the most obvious sign that the link was not legitimate may have been the URL that briefly appears before the user is redirected. This is likely to appear for only a fraction of a second and is rather easy to miss.

Still, on the X authentication page, we can find the first hint that this is indeed a phishing attack. The app requests a long list of comprehensive account control permissions, including following and unfollowing accounts, updating profiles and account settings, creating and deleting posts, engaging with posts by others, and more.

Those permissions seem unnecessary for a calendar app and may be the hint that saves a careful user from the attack. If permission is granted, the attackers gain access to the account as the users are given another hint with a redirection to calendly.com despite the Google Calendar preview.

“Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,” Cole highlighted.

According to Cole’s GitHub report on the attack, to check if your profile was compromised and oust the attackers from the account, it is recommended that you visit the X connected apps page. Then he suggests revoking any apps named “Calendar” or “Cаlеndar.” Still, it is likely a good recommendation to revoke any apps that you are not actively using.

Magazine: Fake JD stablecoins, scammers impersonate Solana devs: Asia Express