- New phishing campaign targets X accounts of crypto figures using advanced methods.
- Attack bypasses two-factor authentication by exploiting X’s application support system.
- Phishing links masquerade as Google Calendar, leveraging X’s metadata for credibility.
- Attackers request broad permissions, allowing full account takeover if granted.
- Security experts urge users to check connected apps and revoke suspicious access immediately.
A phishing campaign is targeting the X accounts of well-known crypto personalities, using tactics that bypass traditional security measures. Attackers are sending direct messages that appear credible and can result in a full account takeover if the recipient interacts with a malicious link. This activity is ongoing, with zero detection reported so far according to Zak Cole, a crypto developer.
The campaign does not use fake login pages or attempt to steal passwords directly. Instead, it exploits X’s own app authorization features to gain entry, sidestepping two-factor authentication (2FA). MetaMask security researcher Ohm Shah confirmed the attack is active across the platform. Reports also indicate an OnlyFans model fell victim to a less advanced version of the same scheme.
The phishing attempt begins with a message that appears to be from a legitimate source, such as an employee from Andreessen Horowitz. It contains a link showing the official Google Calendar address in X’s message preview. In reality, the URL leads to “x(.)ca-lendar(.)com,” a domain registered only days before the attacks. The preview displays “calendar.google.com” thanks to manipulated metadata, which is meant to trick users.
Once clicked, the link redirects to an X authorization page, asking the user to allow an app named “Calendar” to access their account. Technical analysis revealed that the app name includes Cyrillic characters resembling standard letters, making the fake app appear genuine. Granting access gives the attackers broad permissions, including changing profile information, posting, deleting content, and engaging with other users.
A hint that something is wrong may appear as a brief, unusual URL before redirection. On the authorization page, the app requests unnecessary access for a supposed calendar tool. After giving permission, users are redirected to a different service, Calendly, which is inconsistent with the initial Google Calendar claim. Zak Cole noted this inconsistency could alert observant users.
For those concerned their X account may be compromised, Cole recommends visiting the X connected apps page and revoking any suspicious “Calendar” access. Detailed technical findings are available in Cole’s GitHub report here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Malicious Rust Crates Steal Ethereum, Solana Wallet Keys
- BRICS Russia Startups Gain Access to Chinese Investment at Summit
- UAE’s M2 Capital Invests $20M in Ethena’s ENA Token Expansion
- Ethereum Whales Accumulate $862M: Is a Major Price Surge Ahead?
- Ohio Approves Crypto Payments for State Fees, Eyes Bitcoin Reserve
