Seen since January 2025, targeting crypto accounts with 50k to 1m+ followers.
Scenario
You chat with someone on X (from a verified profile), they are interested in:
- Giving you an interview
- Writing a blog post about you or your company
- Collaborating
- And more
Not right away, but after a few messages they send you a link that looks legitimate: the link preview shows “Google Calendar” or some other app (Calendly, Typefully, etc.).
The link itself is embedded by X and looks like:
Then here comes the magic part:
It looks legitimate at first sight, but this URL is an authorization request to the X API that delegates access to your account to this FAKE GOOGLE CALENDAR APP.
If you click “Authorize App”, your account is silently taken over. The attacker needs neither your password nor your 2FA code.
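As an added example (not part of the original post), here is a small Python helper that decodes an X authorization link before anyone clicks it: it reports whether the link is an X OAuth consent URL, which scopes it requests, and where it redirects afterwards. The sample link, client id and redirect host are constructed; the scope names are X's documented OAuth 2.0 scopes.

```python
from urllib.parse import urlparse, parse_qs

# X OAuth 2.0 scopes that let a third-party app act as the user or keep access.
HIGH_RISK_SCOPES = {
    "tweet.write": "post/delete tweets as you (scam and fake-token promotion)",
    "dm.write": "send DMs as you (spread the same lure to your contacts)",
    "offline.access": "refresh token: access survives password/2FA changes until the app is revoked",
    "follows.write": "follow/unfollow on your behalf",
}

AUTHORIZE_HOSTS = {"twitter.com", "x.com", "api.twitter.com", "api.x.com"}

def triage_authorize_link(url: str) -> dict:
    """Describe what an X authorization link would grant, without opening it."""
    u = urlparse(url)
    host = u.netloc.lower()
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    result = {"is_x_authorize": False, "flow": None, "scopes": [],
              "high_risk": {}, "redirect_host": None, "client_id": None}
    if host not in AUTHORIZE_HOSTS:
        return result  # not an X consent page (a real calendar link lands here)
    if u.path == "/i/oauth2/authorize":
        # OAuth 2.0: the requested permissions are visible in the scope parameter
        scopes = q.get("scope", "").split()
        result.update(is_x_authorize=True, flow="oauth2", scopes=scopes,
                      client_id=q.get("client_id"),
                      high_risk={s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES},
                      redirect_host=urlparse(q.get("redirect_uri", "")).netloc.lower() or None)
    elif u.path in ("/oauth/authorize", "/oauth/authenticate"):
        # OAuth 1.0a: the URL only carries a request token; permissions show on the consent page
        result.update(is_x_authorize=True, flow="oauth1a")
    return result

# Constructed sample of the kind of link described above (not a real client or domain).
SAMPLE_LINK = ("https://twitter.com/i/oauth2/authorize?response_type=code"
               "&client_id=EXAMPLE_CLIENT_ID"
               "&redirect_uri=https%3A%2F%2Fcalendar-invite.example%2Fcb"
               "&scope=tweet.read%20tweet.write%20dm.write%20offline.access"
               "&state=abc&code_challenge=xyz&code_challenge_method=plain")

if __name__ == "__main__":
    report = triage_authorize_link(SAMPLE_LINK)
    print("X consent page:", report["is_x_authorize"], "flow:", report["flow"])
    print("redirects to:", report["redirect_host"])
    for scope, why in report["high_risk"].items():
        print(f"  {scope}: {why}")
```

A genuine calendar invite never lands on an X consent page; any link whose triage says `is_x_authorize` is True should be treated as a request to hand over the account.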
Just check out what you might even receive sometimes.
NO MATTER what you change (password, email, 2FA, everything), the attackers keep a persistent connection to your account until you revoke this app from your connected apps:
Settings & Privacy > Security & Account Access > Apps & Sessions > Connected Apps.
I have seen other more advanced scenarios where the connected malicious app was breaking the UX of X in order to hide the revoke button. Check that out: https://x.com/CryptoCurb/status/1892395110576329105
Nowadays, compromised X accounts are used to promote scams and fake tokens, or to impersonate people.
Recommendations:
RULE #1: NEVER EVER CLICK ON ANY LINK ON X
RULE #2: IF A FRIEND OR COLLEAGUE SENDS YOU A LINK ON X (REMEMBER RULE #1), CONFIRM IT IS REALLY THEM OVER ANOTHER COMMUNICATION CHANNEL
And have good security practices 😊.
Thanks for reading, Souilos.