New Advanced X Account Takeover Attacks Targeting the Crypto Community

CN
10 hours ago

A new complex phishing campaign is targeting the X accounts of prominent figures in the cryptocurrency space, employing methods that can bypass two-factor authentication and are more credible than traditional scams.

According to a message posted by crypto developer Zak Cole on X on Wednesday, this phishing campaign utilizes X's own infrastructure to take over the accounts of well-known individuals in the crypto field. He stated, "Zero detection. Currently active. Complete account takeover."

Cole pointed out that the attack does not involve spoofing login pages or stealing passwords, but rather relies on features supported by the X application to gain account access while bypassing two-factor authentication.

MetaMask security researcher Ohm Shah confirmed that this attack has been observed in the wild, indicating a broad scope of activity. An OnlyFans content creator also encountered a less sophisticated version of the same type of attack.

A notable feature of this phishing campaign is its extremely high credibility and stealth. The attackers exploit the social platform's preview generation mechanism to insert a link that appears to redirect to the official Google Calendar domain. In Cole's case, the message was disguised as an invitation from a representative of the venture capital firm Andreessen Horowitz.

The domain linked in the message is "x(.)ca-lendar(.)com," which was registered on Saturday. Because the site's metadata is crafted for X's preview generation mechanism, X shows the legitimate calendar.google.com domain in the link preview.
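The preview trick described above works because the platform renders the domain that the page's own metadata claims, not the domain the link actually points to. The following Python script is an added example (not code from the article or from Cole's report) that parses a page's Open Graph tags and flags a mismatch between the claimed `og:url` host and the real link host. It assumes the preview domain is derived from `og:url`, and the sample HTML and the `invite.lookalike.example` URL are constructed for the demonstration.

```python
"""Detect link previews whose Open Graph metadata claims a different
domain than the page actually lives on. Added example; the sample page
and hostnames below are constructed, not taken from the real campaign."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OGMetaParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from a page."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or a.get("name")
        if prop and prop.startswith("og:") and a.get("content"):
            self.og[prop] = a["content"]


def extract_og(html: str) -> dict:
    """Return a dict of Open Graph properties found in the HTML."""
    parser = OGMetaParser()
    parser.feed(html)
    return parser.og


def registrable_host(url: str) -> str:
    """Lower-cased host with a leading 'www.' stripped.
    Simplification for the example; a production check would use the
    public suffix list to compare registrable domains."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def preview_mismatch(actual_url: str, html: str) -> dict:
    """Compare the host the preview will show (assumed to come from og:url)
    with the host the user will actually be sent to."""
    og = extract_og(html)
    claimed = og.get("og:url", "")
    actual_host = registrable_host(actual_url)
    claimed_host = registrable_host(claimed) if claimed else ""
    return {
        "actual_host": actual_host,
        "claimed_host": claimed_host,
        "title": og.get("og:title", ""),
        # A page that claims another site's domain in its own metadata is
        # the signature of the preview spoof described in the article.
        "mismatch": bool(claimed_host) and claimed_host != actual_host,
    }


# Constructed sample: a lookalike page whose metadata impersonates Google Calendar.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Google Calendar - Meeting invitation">
<meta property="og:url" content="https://calendar.google.com/calendar/event">
<meta property="og:site_name" content="Google Calendar">
</head><body></body></html>"""

if __name__ == "__main__":
    print(preview_mismatch("https://invite.lookalike.example/abc", SAMPLE_HTML))
```

Run against a real link, the check would fetch the page with a non-browser user agent (as preview crawlers do) and compare the final redirect target as well, since the lookalike page in this campaign redirects via JavaScript after the preview has already been rendered.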

After clicking, the page's JavaScript redirects the user to X's authentication endpoint, requesting authorization for an application to access the social media account. The application is displayed as "Calendar," but technical analysis reveals that the application name contains Cyrillic letters that resemble "a" and "e." Therefore, this application is not the same as the real "Calendar" application in the X system.

The most obvious sign of illegitimacy may be the URL that users briefly see before being redirected, which appears for only a very short time and can easily be overlooked.

However, X's app-authorization page does offer clues that this is a phishing attempt. The application requests extensive control over the account, including following and unfollowing accounts, updating the profile and account settings, creating and deleting posts, and interacting with others' posts. These permissions far exceed what a calendar application would legitimately need.
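The two red flags described above, an app name padded with Cyrillic look-alike letters and a scope list far wider than a calendar integration needs, can both be checked mechanically. The Python script below is an added example (not code from the article or from X) that classifies each letter of the app name by Unicode script and compares the requested scopes against an allowlist. The scope strings follow X's OAuth 2.0 scope naming (`tweet.write`, `follows.write`, `users.read`, `offline.access`, and so on); the allowlist for a calendar app and the `C\u0430l\u0435ndar` sample name are assumptions made for the demonstration.

```python
"""Review an OAuth consent request for mixed-script app names and
over-broad scopes. Added example; the expected-scope allowlist and the
sample app name are constructed for this demonstration."""
from collections import Counter
import unicodedata

# Scopes a calendar-style integration plausibly needs (assumption):
# read the user's profile and keep a refresh token. Anything else is excess.
CALENDAR_EXPECTED = {"users.read", "offline.access"}


def script_of(ch: str) -> str:
    """Rough script classification from the first word of the Unicode name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script_chars(text: str) -> list:
    """Letters whose script differs from the dominant script of the string.
    Returns (char, code point, script) tuples in order of appearance."""
    letters = [(ch, script_of(ch)) for ch in text if ch.isalpha()]
    if not letters:
        return []
    dominant = Counter(s for _, s in letters).most_common(1)[0][0]
    return [(ch, f"U+{ord(ch):04X}", s) for ch, s in letters if s != dominant]


def review_consent(app_name: str, scopes: set, expected: set = CALENDAR_EXPECTED) -> dict:
    """Rate a consent request: homoglyphs in the name or any write scope
    beyond the allowlist is 'high'; read-only excess is 'medium'."""
    homoglyphs = mixed_script_chars(app_name)
    excess = sorted(set(scopes) - set(expected))
    excess_writes = [s for s in excess if s.endswith(".write")]
    if homoglyphs or excess_writes:
        risk = "high"
    elif excess:
        risk = "medium"
    else:
        risk = "low"
    return {
        "app_name": app_name,
        "homoglyphs": homoglyphs,
        "excess_scopes": excess,
        "excess_write_scopes": excess_writes,
        "risk": risk,
    }


# Constructed sample mirroring the article: a "Calendar" app whose name uses
# Cyrillic а (U+0430) and е (U+0435), asking for follow/post/like write access.
SAMPLE_NAME = "C\u0430l\u0435ndar"
SAMPLE_SCOPES = {"tweet.read", "tweet.write", "users.read",
                 "follows.write", "like.write", "offline.access"}

if __name__ == "__main__":
    result = review_consent(SAMPLE_NAME, SAMPLE_SCOPES)
    print(result["risk"], result["homoglyphs"], result["excess_write_scopes"])
```

Mixed-script detection catches this particular lookalike but not a name spelled entirely in a confusable script, so a consent reviewer should also compare the app name against the names of integrations the organisation has actually approved.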

Attentive users may thus recognize the attack. If permissions are granted, the attackers will gain access to the account, and users will receive another clue when redirected to calendly.com, even though the preview shows Google Calendar.

Cole noted, "Calendly? They disguise themselves as Google Calendar but redirect to Calendly? This is a major operational security oversight. This inconsistency may alert victims."

According to Cole's attack report on GitHub, if there is suspicion that an account has been compromised and one wishes to remove the attacker, it is recommended to visit the X connected applications page. He then suggests revoking authorization for all applications named "Calendar."


Original article: “New Advanced X Account Takeover Attack Targets Crypto Community”

Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for informational purposes only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
