
Crypto Experts Urge Caution as New Phishing Scheme Targets X Accounts

1 month ago

New Phishing Scheme Threatens Cryptocurrency Figures

A sophisticated new phishing scheme is increasingly threatening the X accounts of notable figures in the cryptocurrency space, using tactics that evade traditional two-factor authentication. The trend was highlighted in a recent post on X by cryptocurrency developer Zak Cole, who warned that hackers are carrying out these attacks right now and that they lead to complete account compromise.

Unique Tactics of the Phishing Attack

Cole explained that what sets this phishing attack apart is its use of X's own infrastructure rather than classic methods such as fake login pages or simple password theft. By abusing X's support for third-party applications, the attackers can circumvent standard safeguards like two-factor authentication. This was corroborated by security researcher Ohm Shah, who acknowledged witnessing such attacks in operation and noted that even models affiliated with platforms like OnlyFans had experienced similar, albeit less sophisticated, attacks.

Deceptive Messaging and Links

The campaign’s effectiveness stems largely from its deceptive messaging. Victims typically receive direct messages on X that include links seemingly redirecting to the official Google Calendar site, a trick made possible through X’s preview features. For instance, Cole shared that he received a message mimicking correspondence from a representative of the well-known venture capital firm Andreessen Horowitz.

“The link directs users to a domain named x(.)ca-lendar(.)com, a site freshly registered on a Saturday. Despite this, X generates a preview displaying the legitimate calendar.google.com, leading users to mistakenly trust the message due to the apparent association with a recognized product.”

Cole emphasized that while the preview shows Google Calendar, the actual URL points somewhere else entirely. Once the user clicks the deceptive link, JavaScript redirects them to an X authentication page that prompts them to grant access to what appears to be a legitimate “Calendar” application. On closer inspection, however, the app identification contains look-alike Cyrillic characters that distinguish it from the genuine X Calendar app.

Identifying Phishing Attempts

One potential giveaway for these phishing attempts is the URL that users momentarily see before being redirected. Although this fleeting glimpse is often overlooked, discerning users may spot irregularities on the X authentication page itself. The application requests a broad range of permissions, including capabilities like following or unfollowing accounts, altering profile settings, and managing posts—permissions that seem excessive for a calendar application.

If users mistakenly authorize this access, the attackers can seize control of their accounts. Moreover, users who follow the flow expecting a Google Calendar connection are instead redirected to calendly.com, a departure from the original premise that could raise suspicion. Cole pointed to this inconsistency as a critical operational-security lapse that can serve as a warning sign for victims.

Mitigation Strategies

To mitigate the risk of compromise, Cole suggested that individuals concerned about their account security should visit the X connected apps section and revoke access from any applications labeled “Calendar.” This precaution can help users regain control and prevent further infiltration by potential attackers.
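The two warning signs described above (look-alike Cyrillic characters in the app name and account-control permissions on a calendar app) can be checked mechanically when reviewing connected apps. The following is an added example, not code from Cole or from X: the sample app names are constructed, the specific Cyrillic letters are an assumption, and the permission strings are descriptive labels taken from the article's wording rather than X API scope names.

```python
import unicodedata

# Permissions the article lists as excessive for a calendar app.
# Descriptive labels constructed for this example, not X API scope names.
HIGH_RISK = {"follow and unfollow accounts", "update profile settings", "manage posts"}


def script_of(ch):
    """Return the script word of the Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def non_latin_letters(app_name):
    """List (index, code point, script) for every letter that is not Latin."""
    return [(i, f"U+{ord(ch):04X}", script_of(ch))
            for i, ch in enumerate(app_name)
            if ch.isalpha() and script_of(ch) != "LATIN"]


def review_app(app_name, permissions):
    """Return a list of findings for one connected app or consent prompt."""
    findings = []
    odd = non_latin_letters(app_name)
    scripts = {script_of(ch) for ch in app_name if ch.isalpha()}
    # Flag only mixed-script names: a name written wholly in one script is normal.
    if odd and "LATIN" in scripts:
        findings.append(f"mixed-script name, look-alike letters at {odd}")
    risky = sorted(HIGH_RISK & {p.lower() for p in permissions})
    if risky:
        findings.append(f"account-control permissions requested: {risky}")
    return findings


# Constructed samples: the second name swaps in Cyrillic U+0430 and U+0435,
# which render like Latin "a" and "e" (the exact letters are an assumption).
SAMPLES = [
    ("Calendar", ["read profile"]),
    ("C\u0430l\u0435ndar", ["follow and unfollow accounts",
                            "update profile settings", "manage posts"]),
]

if __name__ == "__main__":
    for name, perms in SAMPLES:
        print(ascii(name), review_app(name, perms) or "no findings")
```

Printing the name with `ascii()` exposes the escaped code points that look identical to Latin letters on screen.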
