A new phishing campaign has arrived, so sophisticated it could bypass two-factor authentication with the grace of a Victorian pickpocket and appear more credible than a politician’s promise. One must admire the audacity, though not the ethics. 🦜
Crypto developer Zak Cole, that paragon of digital vigilance, revealed on X that this campaign leverages X’s own infrastructure with the enthusiasm of a society host at a charity gala. “Zero detection. Active right now. Full account takeover,” he declared, as if announcing the latest scandal at a Mayfair soiree.
Cole, ever the gentleman, clarified that this is no mere password theft but a masterclass in social engineering. The attackers exploit X’s application support, bypassing two-factor authentication with the subtlety of a well-timed punchline. One might call it a “Wildean” twist. 😏
MetaMask’s Ohm Shah, that guardian of digital wallets, confirmed the attack’s presence “in the wild,” while an OnlyFans model became an unwitting victim of a less polished version. One wonders if the attackers were practicing on dummies before graduating to the real thing. 🎭
Crafting a Credible Phishing Message
The campaign’s charm lies in its discretion. The attack begins with an X direct message containing a link that pretends to be Google Calendar, thanks to X’s metadata magic. In Cole’s case, the message purported to come from Andreessen Horowitz, a venture capital firm with the charm of a tax auditor. 📅
The domain, “x.ca-lendar.com,” was registered on Sept. 20, yet X’s preview shows the esteemed calendar.google.com. A feat of deception worthy of a stage illusionist. 🎩✨
“Your brain sees Google Calendar. The URL is different.”
Clicking the link triggers JavaScript to redirect to an X authentication endpoint, requesting access to your account via an app named “Calendar.” But lo! The app’s name contains Cyrillic characters masquerading as “a” and “e”, a linguistic masquerade that would make a Shakespearean villain blush. 🎭
The Hint Revealing the Attack
The only hint of treachery is the URL’s brief appearance, a fleeting moment of clarity in a world of digital fog. One might need the eyes of a hawk and the patience of a saint to spot it. 🦅
On the X authentication page, the app requests permissions so comprehensive they could rival a monarchy’s powers: unfollowing accounts, updating profiles, deleting posts, and more. A calendar app demanding such privileges? One might suspect it’s auditioning for a role in a dystopian novel. 📜
If permission is granted, the user is redirected to calendly.com, a betrayal so clumsy it could win a prize at a masquerade ball. Cole quipped, “Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims.” A sentiment as sharp as a wit’s tongue. 😜
To reclaim your account, Cole suggests visiting X’s connected apps page and revoking any “Calendar” or “Cаlеndar” apps. A task as tedious as sorting through one’s sock drawer, but necessary. And perhaps revoke unused apps, because nothing says “security” like trusting every third-party app you’ve ever installed. 🧦
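Since the two app names look identical on screen, the difference has to be checked by code point. The following is an added example, not Cole's or X's tooling: it flags connected-app names that mix Latin letters with letters from another script and reports which characters are the impostors. The list of app names is constructed for illustration, and inferring the script from the Unicode character name is a heuristic assumed here.

```python
import unicodedata

def script_of(ch):
    """Rough script label taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return None  # digits, spaces and punctuation carry no script signal
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def scripts_in(name):
    """Set of scripts used by the letters of an app name."""
    return {s for s in map(script_of, name) if s}

def non_latin_letters(name):
    """(position, character, Unicode name) for every letter that is not Latin."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name)
            if script_of(ch) not in (None, "LATIN")]

def is_mixed_script(name):
    """True when a single name mixes Latin letters with letters from another script."""
    found = scripts_in(name)
    return "LATIN" in found and len(found) > 1

def audit(app_names):
    """Return {name: offending letters} for every mixed-script app name."""
    return {n: non_latin_letters(n) for n in app_names if is_mixed_script(n)}

# Constructed sample of connected-app names. The second entry swaps in
# Cyrillic U+0430 and U+0435 for Latin "a" and "e", as the article describes.
# The third is a legitimately all-Cyrillic name and must not be flagged.
CONNECTED_APPS = [
    "Calendar",
    "C\u0430l\u0435ndar",
    "\u041a\u0430\u043b\u0435\u043d\u0434\u0430\u0440\u044c",
    "Example Scheduler",  # hypothetical app name
]

if __name__ == "__main__":
    for name, letters in audit(CONNECTED_APPS).items():
        detail = [(i, f"U+{ord(c):04X}", u) for i, c, u in letters]
        print(f"revoke candidate {name!r}: {detail}")
```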
2025-09-25 13:54