By Cole Adkins, Cofense Phishing Defense Center
OpenSea is a well-known NFT (non-fungible token) platform and is the go-to platform for many entry-level NFT enthusiasts looking to enter the crypto collectible market. However, what if OpenSea itself could be exploited to gain access to the crypto wallets of new users, who are likely unaware of threat actor (TA) phishing tactics? Learning to identify these threats can help users who seek to use platforms such as OpenSea keep their crypto wallets safe and feel more secure while navigating the NFT marketplace.
The Cofense Phishing Defense Center (PDC) has identified a devious credential phishing scheme targeting OpenSea users by impersonating the legitimate OpenSea website. The goal of the phishing scheme is to get recipients to connect their crypto wallets to the phishing page, which will drain their wallets. The phish presents itself as an offer on an NFT the recipient has listed on OpenSea, in hopes they will click on it and connect their wallet once redirected.
Figure 1: Email Body
The email in Figure 1 is attempting to appear as though it originated from OpenSea, but looking closely you will find the threat actor is using the address administrator@motordna.io. Most recipients, with a quick glance, might only see an email coming from OpenSea and think to click the “Access Now” button. By branding the email as OpenSea and employing the same email format used for an actual notification from the OpenSea NFT marketplace, the threat actor hopes to ease the recipient’s suspicion so they will click the button in the email body. The email uses social engineering tactics by adding a sense of urgency and excitement that the recipient may have an open offer on an NFT they have listed.
Figure 2: Phishing Page
Upon clicking the button, the recipient is taken to the illegitimate OpenSea webpage in Figure 2. This phish has been carefully crafted and tailored toward users who are familiar with the look of the OpenSea marketplace. The page has been designed in a way to show that an offer has been made on an NFT the recipient owns, and the user must accept it quickly by connecting their crypto wallet, or they might miss their chance.
Figure 3: Phishing Page
Once the user clicks on the “Connect Wallet” button, the threat actor’s goal is almost complete. The recipient is presented with multiple ways to connect their wallet, whether it be via a QR Code or signing in. Once the user has entered their credentials, the threat actor will have control over their wallet and likely any credentials associated with it.
This campaign demonstrates the speed with which tactics are evolving and the increasing use of tailored credential phishing attacks by threat actors within the expanding crypto and NFT landscape. This also highlights why recipients must stay vigilant and up to date with common phishing threats in order to protect their assets. Cofense Managed Phishing Threat Detection and Response (MPDR) solutions can help identify threats such as these and bolster your company’s defenses against phishing attacks and other threats that may arise. The Cofense Phishing Defense Center (PDC) has the tools necessary to help your organization stay ahead of the curve against new emerging phishing campaigns and keep employee personal information secure. Contact us to learn more or schedule a demo.