A new, sophisticated phishing campaign is targeting the X accounts of crypto personalities, bypassing two-factor authentication and using tactics that look more credible than traditional scams.
According to a Wednesday X post by crypto developer Zak Cole, the new phishing campaign leverages X’s own infrastructure to take over the accounts of crypto personalities. “Zero detection. Active now. Full account takeover,” he said.
Cole emphasized that the attack does not involve fake login pages or password stealing. Instead, it bypasses two-factor authentication while leveraging X application support to gain account access.
MetaMask security researcher Ohm Shah confirmed he had seen the attack “in the wild.”
Crafting a credible phishing message
A notable feature of the phishing campaign is how credible and discreet it is. The attack starts with an X direct message containing a link that appears to point to the official Google Calendar domain, thanks to the way the social media platform generates previews. In Cole’s case, the message pretended to come from a representative of venture capital firm Andreessen Horowitz.

The phishing link in the message. Source: Zak Cole
The domain the message links to is “x(.)ca-lendar(.)com” and was registered on September 20th. Still, X shows the legitimate calendar.google.com in the preview, because the site’s metadata takes advantage of the way X generates previews from metadata.
“Your brain is looking at Google Calendar. The URL is different.”

Phishing site metadata. Source: Zak Cole
When the link is clicked, the page’s JavaScript redirects to an X authentication endpoint that requests authorization for an app to access the user’s social media account. The app appears to be called “Calendar”, but technical examination of the text reveals that the application’s name contains two Cyrillic characters that look like “A” and “E”, making it a distinct app from the actual “Calendar” app in X’s system.

Phishing X authorization request. Source: Zak Cole
Hints that reveal the attack
Up to this point, the most obvious indication that the link is not legitimate is the URL that is displayed briefly before the user is redirected. It is likely to appear for just a few seconds, making it easy to miss.
Still, the X authentication page offers the first clear hint that this is actually a phishing attack. The app requests a long list of comprehensive account control permissions, including following and unfollowing accounts, updating profile and account settings, creating and deleting posts, creating other posts, and more.
These permissions are unnecessary for a calendar app and can be the hint that saves cautious users from the attack. If permission is granted, the attackers gain access to the account, while the user is given another hint: a redirect to Calendly.com despite the Google Calendar preview.
“Calendar? They spoofed Google Calendar, but will they redirect to Calendly? A major operational security failure. This inconsistency could defeat the victim,” Cole emphasized.
Cole’s GitHub report on the attack recommends visiting the X connected apps page to see whether your profile is compromised and to expel the attackers from your account. He then suggests revoking any app named “Calendar” or “CALENDAR”. Beyond that, revoking apps you don’t actively use is probably good practice.
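The lookalike app name described above, and the review of connected apps that Cole recommends, can be screened for mechanically. The following is an added example, not code from Cole's report or from X: the function names, the sample app list and the small lookalike table are assumptions made for illustration, and the table is a hand-picked subset rather than the full Unicode confusables data.

```python
import unicodedata

# Hand-picked Cyrillic letters and the Latin letters they resemble.
# Illustrative subset (assumption), not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0421": "C",
}


def scripts_in(name):
    """Return the scripts used by the letters of name.

    The script is the first word of the Unicode character name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN'.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}


def skeleton(name):
    """Fold known lookalikes to Latin and casefold, for comparison only."""
    normalized = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized).casefold()


def audit_app_names(app_names, expected=("Calendar",)):
    """Return (name, reason) pairs for app names that need a manual look."""
    known = {skeleton(e): e for e in expected}
    findings = []
    for name in app_names:
        scripts = scripts_in(name)
        if len(scripts) > 1:
            # Letters from several alphabets in one short name.
            findings.append((name, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif skeleton(name) in known and not name.isascii():
            # Single script, but it folds onto a name we expected in ASCII.
            findings.append((name, "non-ASCII lookalike of " + known[skeleton(name)]))
    return findings


# Constructed sample: the second entry uses Cyrillic U+0430 and U+0435.
SAMPLE_APPS = ["Calendar", "C\u0430l\u0435ndar", "Notes"]

if __name__ == "__main__":
    for name, reason in audit_app_names(SAMPLE_APPS):
        print(ascii(name), "->", reason)
```

Printing the name with `ascii()` exposes the escaped code points, which is the quickest way to see which characters in a rendered name are not what they appear to be.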


