{ "id": 49210, "date": "2025-09-25T18:08:29", "date_gmt": "2025-09-25T11:08:29", "guid": { "rendered": "https:\/\/hbbgroup.net\/new-advanced-x-account-takeover-attack-targets-crypto-community\/" }, "modified": "2025-09-25T18:08:29", "modified_gmt": "2025-09-25T11:08:29", "slug": "new-advanced-x-account-takeover-attack-targets-crypto-community", "status": "publish", "type": "post", "link": "https:\/\/hbbgroup.net\/en_us\/new-advanced-x-account-takeover-attack-targets-crypto-community\/", "title": { "rendered": "New advanced X account takeover attack targets crypto community" }, "content": { "rendered": "
\n

A new sophisticated phishing campaign is targeting the X accounts of crypto personalities, using tactics that bypass two-factor authentication and appear more credible than traditional scams.<\/p>\n

According to a Wednesday X post<\/a> by crypto developer Zak Cole, a new phishing campaign<\/a> leverages X\u2019s own infrastructure to take over the accounts of crypto personalities. \u201cZero detection. Active right now. Full account takeover,\u201d he said.<\/p>\n

Cole highlighted that the attack does not involve a fake login page or password stealing. Instead, it leverages X application support to gain account access while also bypassing two-factor authentication<\/a>.<\/p>\n

MetaMask<\/a> security researcher Ohm Shah confirmed<\/a> seeing the attack \u201cin the wild,\u201d suggesting a broader campaign, and an OnlyFans model was also targeted<\/a> by a less sophisticated version of the attack.<\/p>\n

Related: <\/strong><\/em>Blockstream sounds the alarm on new email phishing campaign<\/strong><\/em><\/a><\/p>\n

Crafting a credible phishing message<\/h2>\n

The notable feature of the phishing campaign is how credible and discreet it is. The attack begins with an X direct message containing a link that appears to redirect to the official Google Calendar domain, thanks to how the social media platform generates its previews. In the case of Cole, the message pretended to be coming from a representative of venture capital firm Andreessen Horowitz.<\/p>\n

The phishing link is in the message. Source: <\/em>Zak Cole<\/em><\/a><\/figcaption><\/figure>\n

The domain that the message links to is \u201cx(.)ca-lendar(.)com\u201d and was registered on Saturday. Still, X shows the legitimate calendar.google.com in the preview thanks to the site\u2019s metadata exploiting how X generates previews from its metadata.<\/p>\n

\u201cYour brain sees Google Calendar. The URL is different.\u201c<\/p><\/blockquote>\n

Phishing site\u2019s metadata. Source: <\/em>Zak Cole<\/em><\/a><\/figcaption><\/figure>\n

When clicked, the page\u2019s JavaScript redirects to an X authentication endpoint requesting authorization for an app to access your social media account. The app appears to be \u201cCalendar,\u201d but technical examination of the text reveals that the application\u2019s name contains two Cyrillic characters looking like an \u201ca\u201d and an \u201ce,\u201d making it a distinct app compared to the actual \u201cCalendar\u201d app in X\u2019s system.<\/p>\n

Phishing X authorization request. Source: <\/em>Zak Cole<\/em><\/a><\/figcaption><\/figure>\n

Related: <\/strong><\/em>Phishing scams cost users over $12M in August \u2014 Here\u2019s how to stay safe<\/strong><\/em><\/a><\/p>\n

The hint revealing the attack<\/h2>\n

So far, the most obvious sign that the link was not legitimate may have been the URL that briefly appeared before the user was redirected. This likely appeared for only a fraction of a second and is easy to miss.<\/p>\n

Still, on the X authentication page, we find the first hint that this is a phishing attack. The app requests a long list of comprehensive account control permissions, including following and unfollowing accounts, updating profiles and account settings, creating and deleting posts, engaging with posts by others, and more.<\/p>\n

Those permissions seem unnecessary for a calendar app and may be the hint that saves a careful user from the attack. If permission is granted, the attackers gain access to the account as the users are given another hint with a redirection to calendly.com despite the Google Calendar preview.<\/p>\n

\u201cCalendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,\u201d Cole highlighted.<\/p>\n

According to Cole\u2019s GitHub report<\/a> on the attack, to check if your profile was compromised and oust the attackers from the account, it is recommended that you visit the X connected apps page<\/a>. Then he suggests revoking any apps named \u201cCalendar.\u201d <\/p>\n

Magazine: <\/strong><\/em>Fake JD stablecoins, scammers impersonate Solana devs: Asia Express<\/strong><\/em><\/a><\/p>\n