
AI-powered hack targets verified X accounts with fake interview DMs


Photo: Ascannio / Shutterstock.com

A new wave of social engineering attacks targets X users by exploiting artificial intelligence bots. The latest tactic involves AI-generated ‘journalists’ from respectable publications reaching out via direct messages (DMs), offering to feature users in a news story. However, instead of a legitimate interview request, the scam deploys a deceptive OAuth login mechanism that allows hackers to post tweets from the victim’s account.

X user @nearcyan found the attack, and the social network reached out to them and fixed the issue after their tweet garnered considerable engagement.

The attackers, posing as reporters, send a DM inviting the target to participate in a news feature. If the victim expresses interest, they are directed to a Calendly link that presents an OAuth permissions request.

Rather than scheduling an interview, this process appears to exploit an obscure part of Calendly’s organisation features, potentially allowing the attacker to take control of the target’s X account and post on their behalf.

Although the precise technical mechanism remains unclear, the scam evidently works by misusing OAuth delegation, possibly tricking users into granting broader permissions than they intended. Some speculate that the attackers are leveraging an obscure function that treats the victim as a ‘sub-account’ within the Calendly organisation, inadvertently providing tweet access.
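The practical defence against a consent-based grant like the one described above is to read the authorization request before approving it: an OAuth 2.0 consent URL carries the requesting client, the redirect target and the exact scopes being asked for. The script below is an added illustration, not code from the article or from X or Calendly. It parses such a URL and flags scopes that let a third party post as the account or keep access alive after the session. The sample URL is constructed; the scope names follow X API v2 OAuth 2.0 naming (tweet.read, tweet.write, users.read, offline.access), and the read/write classification rules are this example’s own assumption.

```python
"""Inspect an OAuth 2.0 authorization URL and flag write-capable scopes.

Added illustration for the article; not part of the original page.
The sample URL is constructed. Scope names follow X API v2 OAuth 2.0
naming; the classification sets below are this example's own assumption.
"""
from urllib.parse import urlparse, parse_qs

# Scopes that let a third party act as the account rather than merely read it.
WRITE_SCOPES = {"tweet.write", "dm.write", "tweet.moderate.write",
                "follows.write", "like.write"}
# Scopes that keep the grant alive after the session ends (refresh tokens).
PERSISTENT_SCOPES = {"offline.access"}


def parse_authorization_request(url: str) -> dict:
    """Return host, client_id, redirect_uri and the requested scopes."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)          # percent-decodes the values
    scope_param = query.get("scope", [""])[0]
    return {
        "host": parsed.netloc,
        "client_id": query.get("client_id", [""])[0],
        "redirect_uri": query.get("redirect_uri", [""])[0],
        # OAuth 2.0 scopes are space-separated in a single parameter
        "scopes": sorted(s for s in scope_param.split() if s),
    }


def assess_scopes(scopes) -> dict:
    """Classify requested scopes so a user or helpdesk can judge the consent."""
    requested = set(scopes)
    writes = requested & WRITE_SCOPES
    persistent = requested & PERSISTENT_SCOPES
    return {
        "can_post_as_user": bool(writes),
        "persists_after_logout": bool(persistent),
        "write_scopes": sorted(writes),
        "read_only": not writes and not persistent,
    }


def explain(url: str) -> str:
    """Human-readable summary of what approving this consent screen grants."""
    info = parse_authorization_request(url)
    verdict = assess_scopes(info["scopes"])
    lines = [
        f"Authorization server: {info['host']}",
        f"Client: {info['client_id']}",
        f"Redirect: {info['redirect_uri']}",
        f"Requested scopes: {', '.join(info['scopes']) or '(none)'}",
    ]
    if verdict["can_post_as_user"]:
        lines.append("WARNING: grants the ability to post as you: "
                     + ", ".join(verdict["write_scopes"]))
    if verdict["persists_after_logout"]:
        lines.append("WARNING: offline.access keeps the grant alive "
                     "via refresh tokens until it is revoked")
    if verdict["read_only"]:
        lines.append("Read-only request; still confirm the client "
                     "is the application you expect")
    return "\n".join(lines)


# Constructed sample: a consent URL of the kind a scheduling-style app might
# send. The client_id and redirect_uri are placeholders, not real values.
SAMPLE_URL = ("https://twitter.com/i/oauth2/authorize?response_type=code"
              "&client_id=EXAMPLE_CLIENT_ID"
              "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
              "&scope=tweet.read%20users.read%20tweet.write%20offline.access"
              "&state=abc&code_challenge=xyz&code_challenge_method=S256")

if __name__ == "__main__":
    print(explain(SAMPLE_URL))
```

Run it against the URL in a suspicious consent link (copy it from the browser’s address bar before clicking Authorize); a read-only interview scheduler has no reason to ask for tweet.write or offline.access. Grants already approved can be reviewed and revoked from the connected-apps settings of the account.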

This attack is particularly insidious because it targets verified accounts, which are often owned by influential figures, media professionals and security researchers. With a high-profile account under their control, attackers can execute lucrative scams, spread misinformation or promote phishing campaigns. Victims are less likely to suspect a verified account reaching out, making the deception even more effective.

The increasing sophistication of social engineering attacks has led many users to lock down their DMs entirely. Some have switched to ‘verified-only’ messaging, which unfortunately does little to deter attackers, as many of these malicious accounts are themselves verified.

Last week, it was reported that Salesforce emails were used in a massive Facebook phishing attack. Last month, Amazon Prime customers were targeted in a phishing attack.

Similarly, yet another phishing attack was found targeting PayPal users with authentic-looking emails. Also, the North Korean cybercriminal group Lazarus Group posed as LinkedIn to deploy an info-stealer targeting job seekers.

In the News: Apple patches flaw exploited in “extremely sophisticated attack”

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me