Old scams and new tricks

by · September 5, 2022

Old scams and new tricks

The The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious domain registrations with names of NFT stores increased by almost 300% in March 2021.

To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace.

As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server and impersonated support staff to trick targets into sharing account access. Some use old-fashioned phishing techniques to trick NFT holders into transferring funds or giving up credentials. Let’s dig deeper into the new threats that increase NFT security risk.

NFT boom and security

By 2021, the NFT market was worth at least $40 billion. In January 2022, 2.4 million NFTs were sold on OpenSea, the world’s largest NFT marketplace. This was an increase of one million sales compared to December 2020. NFT sales by value also broke records in January, with over $4.8 billion sold on OpenSea alone. Even traditional auction houses such as Christie’s and Sotheby’s now hold their own token auctions. With so much financial activity going on, the threat actors were bound to take notice.

Old fashioned phishing and NFT scams

In February 2022, fraudsters stole hundreds of NFTs from OpenSea users with 254 tokens stolen during the attack. The estimated value of the robbery was more than $1.7 million, all of which happened in about three hours.

See also  Nothing can resist the NFT hype, and fans are asking questions - TechCrunch

OpenSea CEO Devin Finzer tweeted that victims were tricked into signing an online contract to trade tokens, but the contract order details were left blank. With the authorization signature in place, the attackers filled in the contract details without the victim’s knowledge. This enabled the transfer of NFT ownership to the attackers. It is believed that this attack occurred through some form of phishing, perhaps an email with a fake request for contract signatures.

Fake NFT store pages also exist that try to trick targets into giving up their login information through email and social media phishing campaigns.

Crypto Wallet Security Cracking

While many are careful not to fall for phishing scams, what if someone sends you a free NFT as a gift? Accepting it can trigger a series of events that end up compromising your crypto wallet. Researchers recently discovered an OpenSea vulnerability that works this way. The sequence of events looks like this:

  1. The attacker creates and delivers a malicious NFT to a target victim.
  2. Viewing the malicious NFT triggers a popup from the OpenSea storage domain. The popup asks to connect to the victim’s cryptocurrency wallet, a common request.
  3. To receive the gifted NFT, the victim opens a wallet connection that provides access to the wallet.
  4. Attackers can withdraw money from the wallet by triggering an additional malicious pop-up.

Since then, this vulnerability has reportedly been patched.

Fake NFT support on Discord

Consider the social engineering that took place on OpenSea’s Discord server. Attackers lurked on the instant messaging platform, waiting for someone to ask a support question. They then invite the unsuspecting target to a secondary fake “support” server.

After luring them to the server, attackers ask the target to enable screen sharing to solve the problem. The victim is then asked to “resync” the MetaMask crypto wallet Chrome extension with the MetaMask app. Then the victim is guided to perform the Configuration> Advanced> Sync with Mobile action chain which finally generates a QR code.

See also  World Championship Air Race Officially Launches 2023-24 Race Series, Announces Global Strategic Partnership with iSHANG and Coinstreet on NFTs and Web 3.0 Gaming

Attackers can then take a screenshot of the QR code and use the image to sync the wallet with their own MetaMask app. After syncing, the attackers can freely steal crypto funds from the victim’s wallet.

NFT theft and digital art fraud

What about digital artwork? How do people steal them? When an NFT is minted, the token created is associated with a unique physical or digital object, such as a URL. So when you buy an NFT, you are essentially buying its URL. If you create a fake piece of art, you can sell it linked to a unique URL.

When selling NFTs on many marketplaces, artist verification may not be required. Online art thieves can simply copy, paste, emboss and sell the artwork as their own. A report from the Information Security Newspaper explains that NFT buyers can end up buying illegally copied art. The scam doesn’t stop there. Later, victims may receive a call from a blackmailer threatening to report them for possessing stolen digital assets.

Redline Malware scam

Threat actors can also pose as artists. Through social engineering, these fake patrons set up social media pages and behave as if they collect digital art. The scammers then approach artists and ask them to create something new. Once they get the artist to download malware (via fake contracts, art samples, etc.) attackers can distribute Redline malware.

This attack allows threat actors to steal usernames, passwords, and artwork files stored on device hard drives. Redline can also steal crypto wallet information from browser extensions and wallet.dat files.

See also  Algorand NFT: green projects and copyright

Tweet Theft

Among the wide variety of existing NFT scams, this one is the easiest to pull off. An automated NFT tweet mining bot can automatically convert tweets into NFTs.

Think tweets are worthless? Twitter founder Jack Dorsey’s first ever tweet sold for the equivalent of $2.9 million. If someone posts their artwork in a tweet, attackers can steal it right from under theirs noses. This happened to artist RJ Palmer:

How to improve NFT security

Some ways to increase NFT security include:

  • Use multi-factor authentication for all accounts
  • Learn how to spot phishing attacks and never click or download anything from suspicious or unwanted emails
  • Beware of requests to create new art. Dig into the requester’s background, scour their social media and get references if possible.
  • Use a hardware wallet instead of a software wallet
  • Note that you can use DMCA copyright takedowns if someone steals your art.

The NFT universe is still in its infancy, and the opportunities are growing, as are the risks. For those who participate in NFT investments, it pays to stay up-to-date on security threats.

Freelance technology writer

Jonathan Reed is a freelance technology writer. Over the past decade, he has written on a wide range of topics including cyber security, Industry 4.0, AI/ML…

Related posts:

  1. Ex-OpenSea employee wants first NFT insider trading case thrown out
  2. LA Tech Week: Auction of an NFT from AI LA
  3. What do the short-term technicals predict for Smaug’s NFT (SMG) Monday?
  4. Mintology Announces Launch of New Brand-Centric Demand NFT Platform

Tags:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

Headline Posts