    Emerging X Account Hijacking Threats Aimed at Cryptocurrency Community

    By Ethan Carter, September 25, 2025

    A sophisticated new phishing campaign is targeting the X accounts of crypto personalities, employing tactics that bypass two-factor authentication and seem more credible than traditional scams.

    According to a Wednesday X post by crypto developer Zak Cole, this phishing scheme utilizes X’s own infrastructure to seize control of crypto personalities’ accounts. “Zero detection. Active right now. Full account takeover,” he stated.

    Cole pointed out that the attack does not rely on fake login pages or password theft. Instead, it abuses X’s support for third-party applications to gain access while circumventing two-factor authentication.

    MetaMask security researcher Ohm Shah confirmed that he has observed the attack “in the wild,” indicating a larger campaign, and an OnlyFans model was also targeted by a less sophisticated version of the attack.


    Crafting a credible phishing message

    A key aspect of the phishing campaign is its credibility and subtlety. The attack initiates with an X direct message containing a link that seems to redirect to the official Google Calendar domain, facilitated by how the social media platform generates its previews. In Cole’s case, the message falsely indicated that it was from a representative of venture capital firm Andreessen Horowitz.

    The phishing link is in the message. Source: Zak Cole

    The domain linked in the message is “x(.)ca-lendar(.)com,” which was registered on Saturday. Nonetheless, X displays the legitimate calendar.google.com in the preview, because X generates its previews from the linked site’s metadata and the phishing site’s metadata points to that domain.

    “Your brain sees Google Calendar. The URL is different.”

    Phishing site’s metadata. Source: Zak Cole

    Upon clicking, the page’s JavaScript redirects to an X authentication endpoint requesting permission for an app to access your social media account. The app appears to be “Calendar,” but a technical examination reveals that the application’s name contains two Cyrillic characters resembling an “a” and an “e,” distinguishing it from the actual “Calendar” app in X’s system.

    Phishing X authorization request. Source: Zak Cole


    The hint revealing the attack

    Up to this point in the attack, the most blatant sign that the link was fraudulent may have been the URL that flickered briefly before the user was redirected. It likely appeared for just a fraction of a second and is easy to overlook.

    Still, on the X authentication page, we find the first clue that this is a phishing attack. The app demands an extensive list of account control permissions, including following and unfollowing accounts, updating profiles and account settings, creating and deleting posts, interacting with others’ posts, and more.

    Such permissions seem excessive for a calendar app and might be the clue that protects an attentive user from the attack. If authorization is granted, the attackers gain access to the account, and the user receives another clue: a redirect to calendly.com despite the Google Calendar preview.

    “Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,” Cole emphasized.

    Cole’s GitHub report on the attack advises visiting the X connected apps page to check whether your profile was compromised and to remove the attackers from the account. He then recommends revoking any apps named “Calendar.”
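
The look-alike app name described above cannot be spotted by eye, but it can be checked mechanically when reviewing a list of connected apps. The Python below is an added example, not code from Cole's report or from X: it flags names that mix scripts or that fold to a trusted name. The look-alike map, the trusted list and the sample app names are constructed assumptions.

```python
import unicodedata

# Assumed, small Cyrillic-to-Latin look-alike map, not a full confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

def script(ch):
    """Coarse script label (LATIN, CYRILLIC, ...) from the Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def skeleton(name):
    """Fold look-alike letters to Latin so spoofed and genuine names match."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)

def audit_app_name(name, trusted_names):
    """Findings for one connected-app name; an empty list means not flagged."""
    letters = [c for c in name if c.isalpha()]
    findings = []
    if len({script(c) for c in letters}) > 1:
        findings.append("mixed-script")
        # Name the non-Latin code points, which look identical on screen.
        findings += [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                     for c in letters if script(c) != "LATIN"]
    trusted = {skeleton(t): t for t in trusted_names}
    match = trusted.get(skeleton(name))
    if match is not None and name not in trusted_names:
        findings.append(f"lookalike-of:{match}")
    return findings

def audit_connected_apps(app_names, trusted_names):
    """Map each flagged app name to its findings."""
    report = {}
    for name in app_names:
        findings = audit_app_name(name, trusted_names)
        if findings:
            report[name] = findings
    return report

# Constructed sample data: the page says only that look-alikes of "a" and "e"
# were used, so this spoofed name is illustrative.
SPOOFED = "C\u0430l\u0435ndar"
CONNECTED = ["Calendar", SPOOFED, "Caf\u00e9 Planner"]
TRUSTED = ["Calendar"]

if __name__ == "__main__":
    print(audit_connected_apps(CONNECTED, TRUSTED))
```

Accented Latin names such as the third sample are not flagged, since only a mix of scripts or a fold onto a trusted name counts as a finding.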
