A sophisticated phishing campaign that leverages the X platform's app authorization mechanism has bypassed passwords and two-factor authentication to take over multiple cryptocurrency-related accounts.
The attacker tricked users into authorizing a fake app called “Calendar” via a link impersonating Google Calendar; the app requested full control. Users should check and immediately revoke the suspicious app on X’s authorization page to limit damage.
- Form: phishing via fake “Calendar” application authorization.
- Impact: bypassing password and 2FA, leading to account takeover.
- Emergency action: go to X's authorized app page, revoke the suspicious app and change the password.
How the attack works
The attacker sends a fake link under the Google Calendar name, asking the user to authorize a “Calendar” application to access their X account.
The link uses look-alike characters in its address and requests broad permissions (full control). Once the user approves, the malicious application receives an access token; with that token the attacker can act on the account, or sign in to it, without ever needing the password or the 2FA code.
Who bears the risks and consequences?
Any X user, especially those involved in cryptocurrency activities, could be affected by approving the malicious app.
Consequences include loss of control of the account, leakage of sensitive information, or financial loss if the account is used to direct cryptocurrency transactions.
How to check, and what to do, if you may have been affected
Go to the “Authorized Apps” page on X, find and revoke any unfamiliar app named “Calendar” or any app from an unknown source; then change the password so that the issued token is invalidated.
Re-enable two-factor authentication if needed, review login activity, notify the platform and related services if unusual transactions are detected.
How to spot fake Google Calendar links?
Impersonation links often contain unusual characters, unofficial domains, or a request for excessive access; double-check the link before authorizing.
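The two warning signs named above (look-alike characters in the domain and an over-broad permission request) can be checked mechanically before anyone clicks “Authorize”. The following Python is an added example written for this article, not code from X, Google, or the campaign itself. It assumes a trusted-host allowlist and a set of “over-broad” scope names that are constructed for the demonstration; the sample links, including the Cyrillic “е” (U+0435) standing in for the Latin “e” in “google”, are likewise constructed.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Allowlist of official hosts for the service being impersonated (assumption for this
# example; a real allowlist comes from the vendor's documentation).
TRUSTED_HOSTS = {"calendar.google.com"}

# Scope names that a calendar integration has no legitimate reason to request.
# These are constructed labels standing in for a platform's "full control" permissions.
OVERBROAD_SCOPES = {"full_control", "write", "manage_account"}

# Constructed sample links: one genuine-looking, two impersonations. The second uses a
# Cyrillic small letter ie (U+0435) in place of the Latin 'e'; the third is the same host
# in the punycode (xn--) form that browsers transmit on the wire.
LOOKALIKE_HOST = "calendar.googl\u0435.com"
SAMPLE_LINKS = {
    "legitimate": "https://calendar.google.com/calendar/u/0/r",
    "lookalike_host": f"https://{LOOKALIKE_HOST}/authorize?scope=read%20full_control",
    "punycode_host": "https://" + LOOKALIKE_HOST.encode("idna").decode("ascii")
                     + "/authorize?scope=read",
}


def decode_host(host: str) -> str:
    """Turn a punycode (xn--) host back into Unicode so look-alike letters are visible.
    A host that is already Unicode cannot be ASCII-encoded and is returned unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def lookalike_chars(host: str) -> list:
    """Characters in the decoded host outside the plain ASCII hostname alphabet."""
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789.-")
    return sorted({c for c in decode_host(host).lower() if c not in allowed})


def check_authorization_link(url: str) -> dict:
    """Inspect an authorization link and list the reasons it should not be approved."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    decoded = decode_host(host)
    findings = []

    if parts.scheme != "https":
        findings.append("link is not served over https")

    odd = lookalike_chars(host)
    if odd:
        described = ", ".join(f"{c!r} ({unicodedata.name(c, 'UNKNOWN')})" for c in odd)
        findings.append(f"look-alike characters in host: {described}")

    if decoded not in TRUSTED_HOSTS:
        findings.append(f"host {decoded!r} is not an official Google Calendar host")

    # OAuth-style links carry the requested permissions in a space-separated 'scope'
    # parameter; flag any that would hand over full control of the account.
    scopes = set()
    for raw in parse_qs(parts.query).get("scope", []):
        scopes.update(raw.split())
    overbroad = scopes & OVERBROAD_SCOPES
    if overbroad:
        findings.append("requests over-broad permissions: " + ", ".join(sorted(overbroad)))

    return {"host": decoded, "scopes": sorted(scopes),
            "findings": findings, "safe": not findings}


if __name__ == "__main__":
    for label, link in SAMPLE_LINKS.items():
        report = check_authorization_link(link)
        verdict = "OK" if report["safe"] else "DO NOT AUTHORIZE"
        print(f"{label:15s} {verdict}")
        for finding in report["findings"]:
            print("   -", finding)
```

The check decodes the punycode form first, because a browser or a chat client may display either form; judging only the ASCII string would let “xn--” hosts through. Anything that fails the host allowlist is reported even when no look-alike character is present, since an unofficial but plausible-looking domain is just as effective a lure.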
If I have authorized the “Calendar” application, what should I do first?
Go to the X authorized apps page and revoke the app, change your password, check your login activity, and contact platform support if necessary.
Does enabling or disabling 2FA prevent this type of attack?
2FA protects in most cases, but it does not help once an access token has been granted through app authorization, because the token is used instead of a login; always review your authorized apps.