New advanced X account takeover attack targets crypto community

Timothy Wuich

New Sophisticated Phishing Campaign Targets Crypto Personalities on X

A new, sophisticated phishing campaign specifically targets the X accounts of crypto personalities, using tactics that bypass two-factor authentication and look far more credible than typical scams.

In a Wednesday post on X, crypto developer Zak Cole revealed that this phishing campaign exploits X’s own infrastructure to take control of the accounts of crypto figures. “Zero detection. Active right now. Full account takeover,” he noted.

Details of the Phishing Attack

Cole pointed out that this attack is distinct because it relies on neither a fake login page nor password-stealing techniques. Instead, it abuses X's support for third-party applications: the victim is asked to authorize an app, and that app authorization grants account access without ever touching the victim's password or two-factor authentication.

MetaMask security researcher Ohm Shah has confirmed witnessing this attack “in the wild,” which suggests a more extensive campaign. Additionally, an OnlyFans model was also targeted by a less sophisticated version of this attack.

The striking feature of this phishing campaign is its credibility and discreet nature. The attack begins with a direct message on X containing a link that appears to point to the official Google Calendar domain, exploiting the way the platform generates its link previews. In Cole's case, the message falsely claimed to come from a representative of the venture capital firm Andreessen Horowitz.

The link embedded in the message actually leads to "x(.)ca-lendar(.)com," a domain registered on Saturday. Nevertheless, X shows the legitimate calendar.google.com in the preview, because the preview is built from the metadata served by the lure site rather than from the domain actually linked.
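The preview mismatch described above is something a link-preview generator (or a defender reviewing a suspicious link) can check mechanically: compare the host that was actually fetched against any host the page's own metadata claims to be. The following is an added example, not code from the article or from Cole's report. It assumes the lure page declares its identity through `og:url` and `canonical` metadata (the article says only that "metadata" is leveraged, so the exact tags are an assumption), and the HTML and the `lure.example` URL are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: what a lure page might serve so that a preview generator
# labels it as Google Calendar. The tag set is an assumption for illustration.
SAMPLE_HTML = """
<html><head>
<meta property="og:title" content="Google Calendar">
<meta property="og:url" content="https://calendar.google.com/">
<link rel="canonical" href="https://calendar.google.com/">
</head><body></body></html>
"""


class MetaCollector(HTMLParser):
    """Collects the URL-bearing metadata a link-preview generator might trust."""

    def __init__(self):
        super().__init__()
        self.claimed_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") == "og:url" and a.get("content"):
            self.claimed_urls.append(a["content"])
        elif tag == "link" and a.get("rel") == "canonical" and a.get("href"):
            self.claimed_urls.append(a["href"])


def host_of(url):
    """Hostname portion of a URL, lower-cased by urlsplit; empty if absent."""
    return urlsplit(url).hostname or ""


def check_preview(fetched_url, html_body):
    """Return (display_host, mismatched_claims).

    display_host is the host the preview should show: the one actually fetched.
    mismatched_claims lists every metadata URL whose host differs from it; a
    non-empty list means the page is asking to be labelled as another site.
    """
    collector = MetaCollector()
    collector.feed(html_body)
    fetched_host = host_of(fetched_url)
    mismatches = [u for u in collector.claimed_urls if host_of(u) != fetched_host]
    return fetched_host, mismatches


if __name__ == "__main__":
    # Constructed lure URL; the real campaign used a different look-alike domain.
    host, bad = check_preview("https://lure.example/invite", SAMPLE_HTML)
    print(f"display as {host}; metadata claims another site: {bad}")
```

The design point is that the fetched host is authoritative and the page's self-description is untrusted input: a preview that shows a host taken from `og:url` is showing whatever the lure author wrote.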

When the link is clicked, the page's JavaScript redirects to an X authentication endpoint, which asks the user to authorize an app to access their account. The app appears to be named "Calendar," but inspecting the characters of the name shows that it contains two Cyrillic letters resembling an "a" and an "e," which distinguishes it from the genuine "Calendar" app registered on X.

The most obvious sign that the link is illegitimate may be the URL that flashes briefly before the user is redirected. It may be visible for only a fraction of a second, so it is easy to miss.

Still, the X authentication page reveals the first clue that this is a phishing attack. The app requests a long list of comprehensive account control permissions, including the ability to follow and unfollow accounts, update profiles and account settings, create and delete posts, interact with posts from others, and much more.

Such permissions are excessive for a calendar app and should serve as a warning to a cautious user. If they are granted, the attackers take over the account. A further inconsistency follows: the victim is redirected to calendly.com, even though the preview advertised Google Calendar.
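The two clues the article describes on the consent page, a look-alike app name built from Cyrillic letters and a permission list far broader than a calendar integration needs, can both be checked automatically before a user approves an app. The following is an added example, not code from the article, from X, or from Cole's report. It assumes a small hand-written table of Cyrillic/Latin look-alikes (a subset, not the full Unicode confusables data), a constructed app name with Cyrillic letters in the "a" and "e" positions (the article does not say which positions were used), and descriptive permission labels constructed for the example rather than X's real scope names.

```python
import unicodedata

# Illustrative subset of Cyrillic letters that render like Latin ones.
# This is not the full Unicode confusables table (UTS #39), just enough
# to show the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0425": "X", "\u0422": "T", "\u041c": "M",
}


def scripts_in(name):
    """Approximate the set of scripts used by the letters in name.

    The first word of the Unicode character name ("LATIN", "CYRILLIC", ...)
    is used as the script label; good enough for mixed-script detection.
    """
    scripts = set()
    for ch in name:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(name):
    """Map look-alike letters onto their Latin counterparts for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def review_consent(app_name, requested, known_apps, expected):
    """Return a list of human-readable findings about an app consent request.

    app_name   -- display name shown on the consent page
    requested  -- permissions the app asks for
    known_apps -- display names of legitimate apps to compare against
    expected   -- permissions an app of this kind plausibly needs
    """
    findings = []
    scripts = scripts_in(app_name)
    if len(scripts) > 1:
        findings.append(f"mixed scripts in app name: {sorted(scripts)}")
    for known in known_apps:
        if app_name != known and skeleton(app_name) == skeleton(known):
            findings.append(f"app name is a look-alike of {known!r}")
    excess = sorted(set(requested) - set(expected))
    if excess:
        findings.append(f"permissions beyond what this kind of app needs: {excess}")
    return findings


# Constructed sample input: "Calendar" with Cyrillic a (U+0430) and e (U+0435).
LOOKALIKE_NAME = "C\u0430l\u0435ndar"
# Constructed, descriptive permission labels matching the article's list;
# they are not X's actual scope identifiers.
REQUESTED = ["follow_accounts", "unfollow_accounts", "edit_profile",
             "edit_settings", "create_posts", "delete_posts",
             "interact_with_posts", "read_profile"]
CALENDAR_EXPECTED = ["read_profile"]

if __name__ == "__main__":
    for line in review_consent(LOOKALIKE_NAME, REQUESTED, ["Calendar"], CALENDAR_EXPECTED):
        print("WARN:", line)
```

A string equality check alone would not catch the look-alike: `"C\u0430l\u0435ndar" != "Calendar"` is true, which is exactly why the attackers could register it. The skeleton comparison and the mixed-script test are what surface the substitution, and the permission diff turns "that seems like a lot for a calendar" into a concrete list.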

“Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,” Cole emphasized.

According to Cole's GitHub report on the attack, users who want to check whether their account has been compromised, and to evict the attackers if so, should visit X's connected apps page. He advises revoking access for any app labeled "Calendar."
