NFT platform OpenSea is currently investigating a large phishing attack after seventeen of its users lost more than 250 NFTs, worth approximately $2 million.
OpenSea, which recently hit a staggering $5 billion in monthly sales, stated that the attack did not exploit any vulnerabilities on their platform. Instead, it was a classic case of social engineering: deceiving users via phishing emails. OpenSea has warned users to remain vigilant. More importantly, customers should not click on any link that doesn’t belong to the opensea.io domain.
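The advice to trust only links on the opensea.io domain can be checked mechanically. The sketch below is an added example, not code from OpenSea or Trend Micro: it compares the parsed hostname rather than searching for the string "opensea.io" anywhere in the URL. Treating subdomains as trusted and plain http as untrusted are assumptions, and every URL in the sample email is constructed.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "opensea.io"  # the domain named in OpenSea's warning

# Constructed sample email body; all hosts and paths are made up for illustration.
SAMPLE_EMAIL = r"""
Migrate your listings: https://opensea.io/account
Help centre: https://support.opensea.io/hc
Act now: https://opensea.io.listing-migration.example/login
Verify: https://opensea.io@migration.example/verify
Confirm: https://migration.example\@opensea.io/confirm
Update: http://opensea.io/account
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_trusted(url, trusted=TRUSTED_DOMAIN):
    """Return True only for https URLs whose host is `trusted` or a subdomain of it."""
    # Browsers treat a backslash like '/', so a parser that does not may
    # report a different host than the one the browser visits: reject outright.
    if "\\" in url or any(c.isspace() or ord(c) < 32 for c in url):
        return False
    try:
        parts = urlsplit(url)
        # .hostname drops any "user@" prefix and ":port" suffix.
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False
    if parts.scheme != "https" or not host:  # assumption: plain http is untrusted
        return False
    # Exact match or a true subdomain; "opensea.io.example" must not pass.
    return host == trusted or host.endswith("." + trusted)


def suspicious_links(text):
    """Return every URL found in `text` that fails the trusted-host check."""
    return [u for u in URL_RE.findall(text) if not host_is_trusted(u)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("do not click:", link)
```

A hostname match only shows where a link points; it does not show that the email itself came from OpenSea.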
The attackers were reportedly aware of an upcoming OpenSea update that was scheduled for February 18th – 25th. They knew that the company would be sending out emails with instructions on how to handle the process. Therefore, the attackers prepared fake emails and websites of their own.
The emails were then sent to customers who unknowingly clicked on the malicious links. Unfortunately for them, doing so allowed the attackers access to a number of forwarding requests with verified parameters. As a result, the NFTs could be passed on to the attackers.
In a Twitter thread, Devin Finzer (OpenSea co-founder and CEO) has provided further information on the hack.
In Other NFT Scam News
Example Phishing Emails
Here at Trend Micro, we’ve been reporting for a while on NFTs and the related scams that target customers. Do check out this article for a comprehensive overview: “What Are NFTs? 5 Common NFT Scams & 9 Safety Tips 2021”. And head over here for a useful list on fake crypto sites and platforms.
Our researchers, hard at work keeping our readers & customers safe and secure, have found two more crypto-related phishing scams. One concerns MetaMask, and the other Trust Wallet. Keep an eye out for malicious phishing emails — when in doubt, contact these platforms directly via their support page.
Example Phishing Pages