Crypto personalities targeted in latest phishing attacks on X


TL;DR Breakdown

  • Scammers and hackers are now targeting accounts belonging to crypto personalities in a new wave of phishing attacks.
  • According to reports, the new attacks are discreet, and it doesn’t take long before accounts are breached.
  • A crypto developer shared tips that could help the wider crypto community keep their accounts safe.

Crypto personalities and their accounts have become the target of a new, sophisticated phishing campaign run by scammers seeking to take over those accounts. According to reports, the new tactic bypasses two-factor authentication and looks far more convincing than traditional scams.

In a recent post, crypto developer Zak Cole explained that the new phishing campaign abuses infrastructure built by X itself to take over the accounts of popular crypto personalities. “Zero detection. Active right now. Full account takeover,” he said. Cole noted that the attacks do not usually involve fake login pages or password theft. Instead, the attack uses X’s own app-authorization support to gain access to the account while bypassing the platform’s two-factor authentication.

Scammers target crypto personalities in latest wave of phishing attacks

MetaMask security researcher Ohm Shah confirmed the authenticity of the attacks, noting that he has seen them in the wild. “Been seeing this in the wild, def a good campaign by the threat actor,” he said. He also mentioned that it is part of a broader campaign, noting that an OnlyFans model was tricked with a less sophisticated version of the phishing attack a few days earlier.

One of the notable features of the new phishing attack is how credible and discreet it is. According to several examples, the attack begins with a direct message on X containing a link whose preview appears to point to the official Google Calendar domain, because X generates a preview card for links shared on the platform. In his case, Cole said the attacker pretended to be a representative of venture capital firm Andreessen Horowitz.

The link in the message actually points to an “x(.)ca-lendar(.)com” website, which, according to reports, was registered on Saturday. Even though the link leads to a different site, X still shows the legitimate calendar.google.com in the preview, because the phishing page’s metadata exploits how X builds previews from a page’s own metadata. “Your brain sees Google Calendar. The URL is different,” Cole added.
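The preview spoof works because X builds its link card from the page's own Open Graph metadata rather than from the domain that served the page. As an added example that is not part of the original article or Cole's post, the following Python script shows how a defender could detect that mismatch: it parses the `og:*` tags, compares the host claimed in `og:url` with the host the page was actually fetched from, and flags well-known brand names in the preview text that do not match the serving domain. The HTML samples, the `x.lookalike-calendar.example` placeholder domain and the small `BRANDS` allow-list are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand phrases and the registrable domains that may
# legitimately carry them in a preview. A real deployment would use a fuller list.
BRANDS = {
    "google calendar": {"google.com"},
}


class OGMetaParser(HTMLParser):
    """Collects Open Graph <meta property="og:..."> tags, the data link previews are built from."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or a.get("name")
        if prop and prop.startswith("og:") and a.get("content") is not None:
            self.og[prop] = a["content"]


def extract_og(html):
    parser = OGMetaParser()
    parser.feed(html)
    return parser.og


def registrable(host):
    # Rough registrable-domain approximation (last two labels); enough for the demo.
    # A production check would consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_preview(final_url, html):
    """Return findings where the preview metadata claims a different identity
    than the host that actually served the page. Empty list means consistent."""
    og = extract_og(html)
    actual = registrable(urlparse(final_url).hostname or "")
    findings = []

    og_url = og.get("og:url")
    if og_url:
        claimed = registrable(urlparse(og_url).hostname or "")
        if claimed != actual:
            findings.append(f"og:url claims {claimed} but page was served from {actual}")

    for key in ("og:site_name", "og:title"):
        value = og.get(key, "").lower()
        for brand, domains in BRANDS.items():
            if brand in value and actual not in domains:
                findings.append(f"{key} mentions '{brand}' but {actual} is not a {brand} domain")
    return findings


# Constructed sample: a look-alike page whose metadata impersonates Google Calendar.
PHISH_URL = "https://x.lookalike-calendar.example/invite"  # placeholder, not the real domain
PHISH_HTML = """<html><head>
<meta property="og:title" content="Google Calendar - Meeting with a16z">
<meta property="og:site_name" content="Google Calendar">
<meta property="og:url" content="https://calendar.google.com/calendar/event?eid=abc">
<meta property="og:image" content="https://x.lookalike-calendar.example/gcal.png">
</head><body><script>/* the JavaScript redirect to the app-authorization page would sit here */</script></body></html>"""

# Constructed sample: a genuine page served from the domain its metadata claims.
LEGIT_URL = "https://calendar.google.com/calendar/event?eid=abc"
LEGIT_HTML = """<html><head>
<meta property="og:title" content="Google Calendar">
<meta property="og:url" content="https://calendar.google.com/calendar/event?eid=abc">
</head><body></body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, "->", check_preview(url, html) or "consistent")
```

The check deliberately uses the URL the fetch finally landed on, not the URL as typed in the message, so a redirect chain cannot hide the serving host; anything that renders previews on behalf of users (a chat gateway, a mail filter, a link scanner) can apply the same comparison before showing the card.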

Cole lists ways to identify the phishing scam

When users click the link, the page’s JavaScript redirects them to an X authentication endpoint that asks them to authorize an app to access their account. The app mimics the normal “Calendar” app, but closer technical examination of its name reveals two Cyrillic characters that look like a Latin “a” and “e”, making it an entirely different application from the actual calendar app in X’s system.

According to reports, the most obvious sign that the link is not legitimate is the real URL, which briefly appears before the user is redirected. It is visible for only a fraction of a second, and users who are not paying attention will miss it. Still, the X authorization page itself shows the first clear signs of a phishing attack. The app requests a long list of broad permissions, including following and unfollowing accounts, updating the profile, creating and deleting posts, engaging with other people’s posts, changing account settings, and more.

That long list of permissions is unnecessary for a calendar app and may be the clearest warning that saves users from the phishing attack. If the user grants the permissions, the scammers gain access to the account, and the user is then redirected to Calendly even though the preview showed Google Calendar. “Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,” Cole highlighted.
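The two warning signs on the authorization page, a look-alike app name built from Cyrillic letters and a permission list far broader than a calendar app needs, can both be checked mechanically. As an added example that is not part of the original article or of X's own tooling, the following Python script reviews an authorization request: it reports when an app name mixes Unicode scripts, folds common Cyrillic confusables to Latin to show what the name looks like to a human, and flags every requested permission that can act on the account rather than just read it. The `CONFUSABLES` map, the `KNOWN_APP_NAMES` set and the plain-language `PERMISSION_CATALOG` strings are constructed for the demonstration and modelled on the article's wording; they are not X's real scope identifiers.

```python
import unicodedata

# Constructed map of Cyrillic letters that render identically to Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0425": "X",
}

# Constructed list of well-known app names an impersonator is likely to copy.
KNOWN_APP_NAMES = {"Calendar"}

# Constructed catalogue of permission strings modelled on the article's wording,
# tagged by whether they only read data or can act on the account.
PERMISSION_CATALOG = {
    "read profile": "read",
    "read posts": "read",
    "follow and unfollow accounts": "write",
    "update profile": "write",
    "create and delete posts": "write",
    "like and reply to posts": "write",
    "change account settings": "write",
}


def scripts_in(name):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of a name."""
    return {unicodedata.name(ch).split()[0] for ch in name if ch.isalpha()}


def skeleton(name):
    """What the name looks like to a human: confusable letters folded to Latin."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def review_authorization(app_name, requested_permissions):
    """Return a verdict plus the reasons; 'deny' when anything is inconsistent."""
    findings = []

    scripts = scripts_in(app_name)
    if len(scripts) > 1:
        findings.append(f"app name mixes scripts: {sorted(scripts)}")

    looks_like = skeleton(app_name)
    if looks_like != app_name and looks_like in KNOWN_APP_NAMES:
        findings.append(f"app name displays as {looks_like!r} but is a different string "
                        f"({app_name.encode('unicode_escape').decode()})")

    # Anything not known to be read-only is treated as able to act on the account.
    risky = [p for p in requested_permissions
             if PERMISSION_CATALOG.get(p, "unknown") != "read"]
    if risky:
        findings.append(f"requests permissions that can act on the account: {risky}")

    return {
        "verdict": "deny" if findings else "consistent",
        "findings": findings,
        "risky_permissions": risky,
    }


# Constructed sample: "Calendar" spelled with Cyrillic а (U+0430) and е (U+0435),
# requesting the broad permission set the article describes.
SUSPICIOUS_APP = "C\u0430l\u0435ndar"
SUSPICIOUS_PERMISSIONS = [
    "read profile",
    "follow and unfollow accounts",
    "update profile",
    "create and delete posts",
    "like and reply to posts",
    "change account settings",
]

if __name__ == "__main__":
    print(review_authorization(SUSPICIOUS_APP, SUSPICIOUS_PERMISSIONS))
    print(review_authorization("Calendar", ["read profile"]))
```

The script-mixing test is the more general of the two name checks: it catches look-alikes built from any non-Latin script, not only the Cyrillic pairs in the map, while `skeleton` is what lets a reviewer say which legitimate app the name was meant to resemble. Treating unknown permission strings as risky is the safe default, since a new or oddly worded scope is exactly what an attacker would hope a reviewer waves through.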
