Crypto-related phishing scams

Professional Security
Wednesday, March 16, 2022

Ekaterina Khrustaleva, COO of application security company ImmuniWeb, pictured, discusses the OpenSea swell of phishing scams washing over crypto platforms, and what traders should know.

The recent theft of $1.7 million in NFTs from users of the popular marketplace OpenSea is an example of how rife crypto-related phishing scams have become.

In this case, OpenSea users were hit by a phishing attack in which the attacker stole more than 250 NFTs (non-fungible tokens). The attacker sent phishing messages masquerading as emails from OpenSea, with a link to a phishing website where users were asked to sign a transaction. After performing a series of forwarding requests, the attacker obtained ownership of the stolen NFTs.

Sadly, the cryptocurrency world is a ripe target for phishing scams. A well-known cyber threat, phishing has been around for many years. It usually involves social engineering techniques used by scammers to trick unsuspecting users into submitting personal and financial data, such as login credentials and credit card numbers, by duping a victim into opening an email, instant message or text message ostensibly sent from a trusted source. It is not surprising that phishing keeps growing: it requires no advanced technical skills to launch and can bring cyber criminals easy money quickly.

With cryptocurrency becoming more mainstream, more phishing scams are looking to steal private keys to users’ crypto wallets. Private keys allow users to gain access to funds stored in their crypto wallets.

Since the start of 2021, security researchers have observed a rise in crypto-related phishing websites in certain parts of the world, with the US, Nigeria and Brazil being the main targets of such attacks. Notable levels of scams were also detected in the UK, France, Russia and India.

Also, our application security experts have warned of an increase in domain squatting and domain name theft, evident as more firms use our free dark web exposure and phishing detection test. Scammers are using stolen or spoofed domain names to impersonate a company or its employees.

Phishing itself is not very dangerous for corporate users. However, when paired with drive-by-download attacks and sophisticated malware (exploit packs), phishing can get the attackers inside almost any corporate network.

Also, a very dangerous and emerging trend is the combination of phishing and ransomware – many users will have no choice but to pay a ransom. Recently, researchers have warned of emerging threats on the Web3 landscape (Web3 being a concept for the next generation of the internet, built around decentralised blockchain technology), highlighting the need to build more security into the developing decentralised technology. While some of the new threats look similar to traditional credential-stealing attacks observed on Web2, others are more specific to Web3.

One of these threats is so-called “ice phishing”, which doesn’t rely on stealing users’ private keys, but rather involves deceiving a victim into “signing a transaction that delegates approval of the user’s tokens to the attacker.” Ice phishing allows an attacker to pile up approvals over a period of time and then quickly drain the funds from all victims’ crypto wallets. To do this, the scammer only needs to swap the sender address for the attacker’s address. Such attacks can be quite effective because the user interface doesn’t display all the pertinent information that could indicate the transaction has been tampered with.
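As an added example (not code from this article or from ImmuniWeb), here is the kind of check a wallet or browser extension could run before asking the user to sign: decode the transaction calldata and flag the approval patterns that ice phishing relies on. The function selectors are the standard ERC-20 and ERC-721 ones; the sample calldata and the list of previously approved spenders are constructed placeholders.

```javascript
// Added example, not code from the article or ImmuniWeb: inspect the calldata a
// dApp asks the wallet to sign and flag the approval patterns ice phishing relies on.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
};
const UNLIMITED = (1n << 256n) - 1n;             // max uint256 allowance

// Constructed placeholder: spenders the user has knowingly approved before.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// i-th 32-byte ABI word after the 4-byte selector
function word(hex, i) {
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}

function inspectCalldata(data, knownSpenders = KNOWN_SPENDERS) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { fn: null, risk: "none", findings: ["not an approval call"] };
  // An address occupies the low 20 bytes of its 32-byte word.
  const spender = "0x" + word(hex, 0).slice(24);
  const findings = [];
  if (!knownSpenders.has(spender)) findings.push(`spender ${spender} never approved before`);
  if (fn.startsWith("approve(")) {
    if (BigInt("0x" + word(hex, 1)) === UNLIMITED) findings.push("unlimited allowance requested");
  } else if (BigInt("0x" + word(hex, 1)) === 1n) {
    findings.push("operator rights over every token in the collection");
  }
  return { fn, spender, risk: findings.length ? "high" : "low", findings };
}

// Constructed sample: what an ice-phishing page asks the wallet to sign, an ERC-20
// approve() granting an unlimited allowance to an unfamiliar address.
const SAMPLE_APPROVE =
  "0x095ea7b3" + "0".repeat(24) + "2222222222222222222222222222222222222222" + "f".repeat(64);
// Constructed sample: setApprovalForAll(attacker, true), the NFT-side equivalent.
const SAMPLE_SET_APPROVAL_FOR_ALL =
  "0xa22cb465" + "0".repeat(24) + "2222222222222222222222222222222222222222" + "0".repeat(63) + "1";

console.log(inspectCalldata(SAMPLE_APPROVE));
console.log(inspectCalldata(SAMPLE_SET_APPROVAL_FOR_ALL));
```

A wallet that surfaces these findings in the signing prompt gives the user exactly the information the article says the interface normally hides.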

The main goal of phishing is to defraud victims of money, using a variety of techniques. One reason the number of crypto-related phishing scams keeps increasing is that digital assets are more privacy-focused than fiat, which allows scammers to vanish into the night with the stolen funds. Spear phishing, DNS hijacking and fake browser extensions are among the most common types of crypto-related phishing attacks.

Spear phishing

A 2021 report notes that cryptocurrency-related phishing impersonation attacks grew 192 per cent between October 2020 and April 2021, accounting for 56 per cent of all social engineering attacks observed in May 2021. Phishing impersonation attacks typically involve fake emails posing as messages from a well-known brand or service in order to trick users into visiting a phishing page.

When it comes to the crypto world, phishing emails tend to exploit topics related to digital currency, such as notifications purporting to come from hardware wallet providers or cryptocurrency exchanges that ask users to update their seed phrase or change their password, which would allow an attacker to steal login credentials or funds from a crypto wallet.

Another tactic involves sending fraudulent promotions, as in the case of the cryptocurrency rewards platform Celsius Network. In this attack, a perpetrator sent Celsius users a fake announcement that promoted a new Celsius Web Wallet and offered $500 in the CEL cryptocurrency if users created a wallet and entered a special promo code. The email included a link to a website where users could create the wallet. To do so, victims were asked to link their other online wallets and provide those wallets’ seed phrases, allowing the attacker to steal their funds.

To protect against spear-phishing attacks, organisations can implement a variety of measures, such as staff training to raise employee awareness and security tools that guard against account takeover.

DNS spoofing attacks

Some phishing schemes are more sophisticated than others, for example DNS spoofing attacks. This is a common cyber-attack technique in which malicious actors hijack legitimate websites and replace them with a malicious interface. To defend against DNS hijacking, website owners should implement precautionary measures such as installing firewalls, putting measures in place against website cache poisoning, applying fixes for known vulnerabilities and preventing zone transfers.

Fake browser extensions

Browser extensions are widely popular in the cryptosphere, especially browser extension wallets such as MetaMask or Coinbase Wallet. Unfortunately, when something becomes popular, cybercrooks are always quick to take advantage of it to make some (or a lot of) money. In the crypto world, they do so by creating fake extensions that steal funds from users. Masquerading as legitimate extensions, fraudulent wallets leak data entered by users, such as private keys and passwords.

For example, nearly 50 malicious crypto-wallet browser extensions were found in the Chrome web store in 2020 that targeted cryptocurrency wallets from Ledger, Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet, and Trezor.

To avoid such risks when downloading an extension from the web store, users should check its profile page to ensure the plugin has plenty of reviews and comes from a trusted developer, check the permissions the extension asks for, and, of course, remember that it is always safer to download an extension directly from its creator’s site.

In conclusion, to combat the rising threat of phishing attacks, organisations should gradually invest in consistent cybersecurity awareness and personnel training. The human factor remains the weakest link, yet it is frequently underestimated by victims. As a matter of technical cyber resilience, asset visibility and continuous security and anomaly monitoring, enhanced with agile patch management, will prevent the vast majority of problems from a technical point of view.