Setting up a Secure X Account For Your Crypto Project

Ever thought about launching your own web3 community? Join Ledger Academy and Boring Security in this series of articles exploring all the things you need to know to launch a token, platform, or DAO securely. Make sure you take the Ledger Quest to prove your knowledge at the end of the module!

This is the second article in the series, but if you missed it, you can find part one here.

Over a hundred crypto X accounts have been exploited in the last year alone. While bad actors usually target large accounts, accounts with as few as 500 followers have been taken over as well. Everyone should strive to protect their social media accounts, especially if they are involved in crypto. Losing money sucks, but being the reason your friends lost money sucks way more.

But of course, it is impossible to defend your account if you don’t know where its weaknesses are. This article will discuss the scourge of compromised X (Twitter) accounts and go over common attacks leading to these account takeovers. Most importantly, we will cover the steps you can take to protect yourself from each attack.

Most Common Attack: Sim Swap

2 Factor Authentication (2FA) bypass and password reset via SMS

SIM Swaps don’t target you directly. Instead, they rely on socially engineering your mobile carrier. SIM swaps are a common attack you need to watch out for. To explain, this attack targets your phone provider, allowing bad actors to take control of your mobile phone number. If a sim swap is successful, the attacker receives your texts and calls directly to their device, leaving you in the dark.

While losing access to your phone number is already bad enough, there are a few other problems this causes. For starters, if you use SMS verification for X (or any other service), an attacker can target those accounts. Typically, the aim is to change your settings, lock you out by changing the password, and post links to malicious websites they control. What’s worse, is that attacks like this can potentially last days until X support can assist with manual account recovery.

Boring Security tracks compromised X accounts and discord servers month over month, and SIM Swaps consistently maintain a top spot for reasons that accounts get taken over.

How To Avoid SIM Swap Attacks

There are a few ways to defend yourself against this type of attack:

Set up a reliable two-factor authentication method

Two Factor Authentication (aka 2FA) relies on utilizing at least two of the three “authentication factors”. These factors are:

1. Something you have (Examples include: A physical device, like a Ledger, Yubikey, or security key)
2. Something you know (The most common example of this is a password)
3. Something you are (Examples include: biometrics such as fingerprints or facial recognition)

The idea is that it is much harder for any one attacker to compromise two factors at the same time. If they steal your password, then what you have or what you are will still be required to gain access. However, not all 2FA methods are created equal!

Use a Security Key (Or Your Ledger Device!)

If you want extra protection, enable security key 2FA. A security key is a physical device that beefs up your online security by requiring both the key and your password to access your accounts, making it harder for unauthorized folks to sneak in. Dedicated devices like Yubikey exist, and usually cost between $45-55, depending on the model. but if you have a Ledger device, you can use that as a security key, including on X. Learn how to use your Ledger device as 2FA in this help center article!

Use an app for authentication

Another suitable option for most folks is app-based 2FA. This 2FA uses an app on your mobile device like Authy or Google Authenticator. These authentication methods are often called Time-Based as they generate one-time passwords (OTPs) based on the current time. Ensure these apps aren’t backing up your 2FA codes to the cloud or can be recovered over SMS by checking the app settings. Additionally, any backup codes that are generated by these apps should not be stored in e-mail or the cloud as well.

Important Additional Security Settings

• Remove the linked phone number from your X account. This will help protect against resetting your password over SMS. 
• Disable other methods in your 2FA options. A common misconception is that X will force security key 2FA once you set it up. X allows the use of ANY of the 2FA options checked, so be sure to uncheck the SMS option.
• Enable additional password protection to make it harder for an attacker to request a password reset. Find the option in the Security section of your X settings.

Secure Your Password

Use a unique, secure password. Managing multiple long and complex passwords can be a chore to manage thus a secure solution is using a password manager. If you’re looking for convenience, 1Password is a great option, whereas if you desire an open-source solution, you may want to opt for Bitwarden. Having a system to manage unique, complex passwords will help you stay safe in crypto.

Don’t Trust, Verify

Finally, double-check that the email address connected to your social media account is secure too. Ensure your email address also uses an app or security key for its 2FA and the password can’t be reset via SMS.

The Second Most Common Attack: App Takeovers

Another common attack is the app takeover which aims to convince folks to connect their X account to a malicious app.  Attackers will typically approach a victim impersonating an investor, celebrity, or important journalist. They usually try and lure you in with promises of investment, a new job, or to feature your project in a popular publication. 

All they ask is to set up a video call, a seemingly harmless interaction that many web3 professionals are familiar with.

After clicking their link to set up a calendar invite, a familiar-looking Calendly site appears. It will ask you to get your X account integrated to log in. Then a pop-up like this will appear:

Clicking the Authorize App button will then let the attacker post messages as if they were you. This is because the application requested the “Post and delete Tweets for you…” permission.  App connections can be dangerous depending on the permissions requested. While the ‘Update your profile and account settings’ line looks dangerous, there are pretty heavy limits to what a X app connection can do. This app connection cannot change your password or any important account settings.

What Can a Malicious X Authorization Do

But what it can primarily do if the victim clicks authorize is: 

• Post tweets on their behalf (with drainer links)
• Send out DMs (with drainer links)
• Follow malicious accounts on the victim’s account (to provide fake social proof)
• See their email address to send follow-up phishing attacks to their email account

To recover an account, you will need to deauthorize the offending application in your settings. The best way to narrow down which application is the offending one, we recommend you start with the most newly added application that has “write” permissions above, and remove it. Once done, we’d advise you to review all your DMs, Tweets, and accounts followed to undo anything the malicious app did. There could be still unread DMs to your friends, leveraging your identity to get them to click on malicious links, possibly compromising their account, or worse, stealing their crypto.

How to Avoid Authorizing Malicious Apps

Malicious apps sometimes stay connected for days or weeks before making their move. Additionally, sometimes older apps are sold off to malicious developers. Here are some steps you can take to avoid this attack:

Avoid Connecting Apps To Your X Account 

Review applications authorized to your account. Most applications should only require ‘read-only’ permissions. Be extremely suspicious of apps asking you to tweet on your behalf or follow others. Even for apps you might trust, we highly recommend you remove these kinds of permissions when they are no longer needed, as even teams with the best of intentions can get hacked.

Even simpler, do not authorize any applications to your main account. Use an alternative X account on a different browser to connect to things as needed.

Do Your Own Research

Be extremely suspicious of inbound requests on X. Always verify people are who they say they are through a second layer of verification. If they claim to be from Forbes, ask them to respond to an email you send to their official Forbes email. It is very easy to make a fake X account. Attackers target usernames linked to trusted projects like CoinTelegraph or TheBlock to impersonate the deleted account.

Third Less Likely Attack: Malware/Session Hijacking

Session hijacking is a cyberattack where a malicious actor intercepts and takes over an active session between a user and a web application. This typically occurs when an attacker gains unauthorized access to the session ID or session token of a user who is already authenticated on a website or web application.

Attackers can completely take over an account with a logged-in session and an X password. The malware that they use to do this comes in many shapes and forms, but a popular variant is a keylogger. Essentially this malicious program will store every single key you push on your device and transmit the data to the attacker. With this information, hackers can identify your login details for any platform you access on the device, including your X account. 

Once they gain access, you know what happens next: they use this information to lock you out of your account and repurpose it for nefarious means.

How to avoid Session Hijacking

Steps to avoid this attack:

Delegate, Don’t Share

Do not give multiple users access to an X account by sharing passwords. Instead, use the ‘Delegate’ function in your X settings to safely let users access another account from their account. Additionally, educate the team on how to secure their own X accounts; send them this article!

Never share passwords for X. There is simply no reason to do this now that delegation features exist!

Don’t Click any Links

Session Hijacking can start with a bad link to download malware. The easiest solution is to not click links people send to you! If they want to do a Calendly meeting, navigate to the website yourself, don’t click their link. X uses native link shortening so it can be difficult to know where a link is going unless you use a link un-shortening tool. Consider using a tool like unshorten.it to see where a URL will really take you!

Be Cautious When Connecting to Public Wi-Fi

When traveling, free wi-fi can be a lifesaver. However, depending on where you are, you could expose yourself to Rogue Access Points. Places like conventions, airports, and large coffee shops can expose you to man-in-the-middle attacks where an attacker tricks you into connecting to their access point where they can spy on your traffic, and even steal your sessions. Consider using a VPN, tethering through your phone, or simply not connecting your social media accounts while on public wifi!

Conclusion

We’ve covered many of the common attacks that lead to X compromises; ignorance is forgivable, and sloth is not. The protective measures recommended here are safeguards against those attacks. Avoid granting apps access to your X where possible, never use SMS-based 2FA, and be extremely careful with any applications, programs, or scripts you run locally on your device. If you want to take your skills to the next level, consider taking Boring Security’s Social Media Security Class as well. Also, If you haven’t set up a security key 2FA before try it out using Ledger’s FIDO U2F app.

This article was written by JonHQ for Boring Security. Follow him on X here, and check out Boring Security’s X account, Discord server, and official website for more information.

Finally, don’t miss the next article in the series where NFT_Dreww dives into how to launch and manage a secure Discord server. And, of course, test your knowledge via Ledger Quest!