Phishing

Blockchain security firm warns of new MetaMask phishing campaign

Blockchain security firm Halborn has warned users of the latest phishing emails doing the rounds.

A cybersecurity firm has issued warnings over a new phishing campaign targeting users of the popular crypto wallet MetaMask.

In a Thursday post, Halborn’s technical education specialist Luis Lubeck described an active phishing campaign that uses emails to target MetaMask users and trick them into giving out their passphrase.

The firm analyzed scam emails it received in late July to warn users of the new scam. Halborn noted that at an initial glance, the email looks authentic with a MetaMask header and logo and with messages that tell users to comply with Know Your Customer (KYC) regulations and how to verify their wallets.

However, Halborn also noted there are several red flags within the message. Spelling errors and a fake sender’s email address were two of the most obvious. Furthermore, a fake domain called metamaks.auction was used to send the phishing emails.

Phishing attacks are social engineering attacks using targeted emails to lure victims into revealing more personal data or clicking links to malicious websites that attempt to steal crypto.

There was also no personalization in the message, the firm noted, which is another warning sign. Hovering over the call-to-action button reveals a link to a fake website that prompts users to enter their seed phrase before redirecting them to MetaMask, after which their crypto wallets are emptied.
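The red flags Halborn lists (a lookalike sender domain, a call-to-action link pointing at a fake site, no personalization) can be checked mechanically before anyone clicks. The Python triage script below is an added example, not Halborn’s or MetaMask’s code; it assumes metamask.io as the legitimate domain (the article does not state it) and runs over a constructed message modelled on the email described.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not stated in the article): metamask.io is the brand's legitimate domain.
LEGIT_DOMAINS = {"metamask.io"}
BRAND_LABEL = "metamask"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as 'metamaks' vs 'metamask'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(host: str, where: str, findings: list) -> None:
    """Flag a sender or link domain that is not the brand's own, noting lookalikes."""
    host = host.lower().rstrip(".")
    if host in LEGIT_DOMAINS:
        return
    label = host.split(".")[-2] if "." in host else host  # second-level label only
    dist = edit_distance(label, BRAND_LABEL)
    if 0 < dist <= 2:
        findings.append(f"{where}: lookalike domain {host} (distance {dist} from {BRAND_LABEL})")
    else:
        findings.append(f"{where}: domain {host} is not a known {BRAND_LABEL} domain")

def triage_email(raw: str) -> list:
    """Return the red flags found in a raw message (single-part HTML body assumed)."""
    findings = []
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    if "@" in sender:
        check_domain(sender.split("@", 1)[1], "sender", findings)
    body = msg.get_payload()
    for href in re.findall(r'href="([^"]+)"', body):  # where the call-to-action points
        check_domain(urlparse(href).hostname or "", "link", findings)
    if re.search(r"\bDear (user|customer)\b", body, re.I):
        findings.append("greeting: no personalization")
    return findings
# Constructed sample modelled on the red flags described above; not a real message.
SAMPLE = """From: MetaMask Support <support@metamaks.auction>
Content-Type: text/html

<html><body><p>Dear user,</p><a href="https://metamaks.auction/verify">Verify my wallet</a></body></html>"""
```

Running `triage_email(SAMPLE)` reports the lookalike sender domain, the lookalike link domain and the generic greeting; a message from the legitimate domain with a personal greeting produces no findings.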

Halborn, which raised $90 million in a Series A round in July, was founded in 2019 by ethical hackers offering blockchain and cybersecurity services.

In June, Halborn researchers discovered a case where a user’s private keys could be found unencrypted on disk on a compromised computer. MetaMask patched the issue in extension version 10.11.3 and later following the discovery.

However, there was no mention of the new email phishing threat on MetaMask’s Twitter feed at the time of writing.

Related: Phishing risks escalate as Celsius confirms client emails leaked

Last week, Celsius users were warned of a phishing threat following the leak of customer emails by a third-party vendor employee.

In late July, security researchers warned of a new malware strain called Luca Stealer appearing in the wild. The information stealer is written in the Rust programming language and targets Web3 infrastructure such as crypto wallets. Similar malware called Mars Stealer was discovered targeting MetaMask wallets in February.

Phishing risks escalate as Celsius confirms client emails leaked

It is not the first time Celsius’ customer emails have been exploited and leaked online.

Celsius depositors should be on the lookout for phishing scams after the company revealed some of its customer data had been leaked in a third-party data breach. 

On Tuesday, Celsius sent an email to its customers informing them that a list of their emails had been leaked by an employee of one of its business data management and messaging vendors.

According to Celsius, the breach came from an engineer at the Customer.io messaging platform, who leaked the data to a third-party bad actor.

“We were recently informed by our vendor Customer.io that one of their employees accessed a list of Celsius client email addresses,” said Celsius in its email to customers. The data breach is part of the same incursion that leaked OpenSea customer email addresses in June.

Celsius has, however, played down the incident stating that it did not “present any high risks to our clients,” adding that they just wanted users to “be aware.”

On July 7, Customer.io wrote in a blog post that “We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties and provided these email addresses to the bad actor.” The employee has since been terminated.

The number of emails leaked was not disclosed, nor was the platform to which they were leaked.

However, the crypto community has started to warn Celsius users of phishing attacks which usually follow an email data breach.

Phishing is a form of social engineering in which targeted emails are sent to lure victims into revealing more personal data or clicking links to malicious websites that install malware to steal or mine crypto.

A similar data breach in April 2021 saw Celsius customers reportedly targeted by a fraudulent website claiming to be the official Celsius platform. Some received SMS and emails prompting them to reveal personal information and seed phrases.

At the time, the company reported that hackers had gained access to a third-party email distribution system it uses.

Related: Email server breach sees Celsians targeted by phishing attacks

Perhaps the most famous crypto data breach was from hardware wallet provider Ledger, which had its servers hacked in 2020. The dumping of thousands of customers’ personal details on the internet resulted in untold losses and even physical threats for many victims, yet the company refused to compensate them.

Celsius email to customers on July 26.

CertiK shares security tips following third BAYC security compromise in six months

According to CertiK, investors should be highly skeptical of free NFT giveaways, as well as small peculiarities in sites they interact with.

On June 4, the popular nonfungible token, or NFT, project Bored Ape Yacht Club (BAYC) suffered its third security compromise this year. Nearly 142 Ether (ETH) ($250,000) worth of NFTs was stolen after hackers gained access to the Discord account of a BAYC community manager and posted a message with a link to a fake website.

The link advertised a limited-time free-NFT giveaway to users who connected their wallets, which were then drained of NFTs. On two prior occasions in April, hackers breached BAYC’s Discord and Instagram pages and managed to siphon 91 NFTs, worth over $1.3 million at the time of the second attempt, via a phishing link.

As told by blockchain security firm CertiK, hackers quickly moved stolen funds to obfuscation platform Tornado Cash, making it impossible to trace any further flow of funds on the blockchain. In a statement to Cointelegraph, sources at CertiK explained that however legitimate the project may seem, “NFT holders should also be highly suspicious of anyone claiming to offer free assets, as these can often be phishing attacks.” In addition, CertiK wrote:

“In the case of the June 4th attack, the malicious carbon-copy site had some small differences. Firstly, there were no links to social media sites on the phishing site. There was also an added tab titled ‘claim free land’ and specifically targeted popular NFT projects.”

As a precautionary measure, CertiK recommended crypto enthusiasts look for subtle peculiarities on such sites, as they are frequently an indicator of malicious activity. “At the very least, users engaging with such giveaways should always make an effort to confirm the legitimacy of the site by comparing it with a known and confirmed site and looking for any discrepancies,” they concluded.

Yuga Labs’ BAYC, OtherSide Discord groups breached, over 145 ETH stolen

According to OKHotshot’s investigations, the attack was conducted by hacking into the Discord account of Boris Vagner, community and social manager at Yuga Labs.

Yuga Labs, the creator of two of the most popular ape-themed nonfungible token (NFT) offerings — Bored Ape Yacht Club (BAYC) and OtherSide — witnessed yet another orchestrated phishing attack, with investors losing over 145 Ether (ETH) or nearly $260,000 at the time of writing.

OKHotshot, a blockchain detective and a member of the Crypto Twitter community, alerted crypto investors about the compromise of two official Discord groups linked to BAYC and OtherSide NFTs.

After gaining unrestricted access to the employee’s account, scammers shared various phishing links from Vagner’s Discord account into the official BAYC, Mutant Ape Yacht Club and Otherside groups.

Discord message from hackers with phishing link. Source: OKHotshot

Many users in the Discord groups, unaware of the ongoing scam, fell for the phishing messages that promised limited-quantity giveaways made available for existing NFT holders — as evidenced by the above screenshot.

Concluding the investigation, OKHotshot revealed the wallets that held and transferred the recently compromised NFTs, making it the second time BAYC fell victim to an attack in as many weeks.

Yuga Labs has not yet responded to Cointelegraph’s request for comment.

Related: NFT owners reminded to be vigilant after 29 Moonbirds were stolen by clicking a bad link

On May 25, a Proof Collective member lost 29 high-value Ethereum-based Moonbirds NFTs worth $1.5 million amid an ongoing scam.

While the total damage around this hack remains unclear, the recent crypto scams are a harsh wake-up call for NFT owners to exercise caution when dealing with third-party platforms and to double-check anything shared by others, even if they appear trustworthy.