Immunefi’s Guide to Crypto Phishing Attacks (and the Hackers Who Plot Them)
When it comes to crypto hacks and heists, blackhat hackers favor phishing attacks as their main intrusion vector. This trend is unsurprising, as 90 percent of all cyberattacks begin with a phishing email, according to a recent report from cybersecurity firm Trend Micro.
Ransomware attacks in particular are often staged via malicious phishing emails. But in the Web3 ecosystem, the specialized attack that prevails is known as ‘credential’ phishing. Credential phishing is an attack vector where blackhats use imposter websites and applications to harvest accounts from misdirected victims.
In 2021, credential phishing accounted for 38% of all phishing attacks detected by Trend Micro’s Cloud Security App, according to their report. For crypto users, credential phishing manifests in the form of knockoff webpages, apps for crypto exchanges, and DeFi protocols that dupe users into surrendering their private keys and seed phrases or transferring crypto and NFTs to thieves.
These fraudulent transfers are typically executed via malicious auto-withdrawal scripts. In fact, blackhats promote these hacking services on various Russian cybercrime forums. See the screen captures below from June, translated from the original Russian text.
In this guide, Immunefi will review some of the most sophisticated phishing attack trends and translate the blackhat chatter emanating from the Russian dark web.
The most audacious and lucrative Web3 phishing-led heist to date involved the North Korean Lazarus Group’s successful deception of a senior dApp engineer after messaging them on LinkedIn with an employment recruiting pitch and conning them to apply for a fake job.
The targeted dApp in question was Axie Infinity. Its compromise resulted in an all-time-record $620 million crypto heist. After the engineer engaged with the faux job recruiters and went through multiple rounds of interviews, they landed the ‘gig’ and received an “extremely generous compensation package,” according to The Block.
Lazarus Group hackers emailed the engineer their job offer in a PDF attachment that contained a malicious spyware application. Once the target opened the PDF, the spyware was unleashed, enabling the intruders to conduct the necessary network reconnaissance that ultimately facilitated the Ronin validator node takeover and crypto robbery of the century.
The emerging appeal of LinkedIn to adversaries is not unique to the Web3 industry, nor North Korean hackers. An April Q1 2022 “Brand Phishing Report”, authored by cybersecurity firm Check Point, found that LinkedIn had become the most popular brand portal for targeting victims.
A report from Bloomberg found that not only are North Korean hackers duping engineers into opening malware-ridden PDFs on the pretense of accepting a job, but they are also applying for smart contract engineering jobs using fake LinkedIn profiles, in order to get special access to repositories and a vantage point from which to socially engineer fellow employees.
Bored Ape Yacht Club Hack — April 2022
This past April, an unknown blackhat hacked into Bored Ape Yacht Club’s official Instagram account and Discord server and sent all their followers a link to a malicious smart contract that purported to be a ‘mint’ related to an upcoming Yuga Labs (BAYC’s creators) NFT land sale.
In reality, this mint link was coded to enable the theft of NFTs from victims’ wallets. Initially, the hacker’s reported haul was 54 BAYC NFTs: 24 Bored Apes and 30 Mutant Apes. But a spokesperson for NFT development firm Yuga Labs later clarified in an interview CoinDesk that “estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m.”
The most sophisticated aspect of this phishing/crypto-stealer attack is that blackhats were able to compromise legitimate NFT developer social media accounts to deceive and rob their followers and community members out of millions worth of tokens.
The lesson for NFT collectors is to always cross-reference official mint announcements across all of an issuing developers’ social media accounts, before participating in any transaction. If an account manager is careless with their email or DM hygiene, it’s easy for an adversary to compromise one or two social media channels. Regardless, it never hurts to double-check across all official channels.
Immunefi recently released a report on the BAYC collection, finding that hackers have stolen approximately $13m worth of Bored Apes via phishing, malware, and other attack vectors.
BAYC can at least take some comfort in the fact that they are not alone in this respect. Last month, TRM Labs security advisor @zachxbt tweeted a complete list of all of the significant NFT developers and issuers who have had their accounts compromised, resulting in a combined millions worth of losses to their collectors.
PancakeSwap DNS Hijack — March 2021
Last March, decentralized exchange (DEX) PancakeSwap was targeted by an attacker who managed to successfully gain access to their GoDaddy account and seize their DNS (Domain Name Servers) credentials. DNS is an indexing system that assigns web domains to their respective IP addresses.
The attacker hijacked PancakeSwap’s domain by tricking domain registrar GoDaddy into giving them access to the DEX’s account, according to an official incident report published by the platform.
It was never revealed exactly how the attackers socially engineered their way past the domain registrar. But after hijacking the DEX’s DNS, the attackers then redirected the official URL to a counterfeit PancakeSwap site that tried to trick users into entering their wallet’s seed phrase.
Fortunately, PancakeSwap’s contracts were not affected by the DNS takeover, and the attack was only limited to the website’s front-end. Still, the damage could have been far worse. DNS hijacking is one of the most persistent attacks, according to a 2021 study by the Neustar International Security Council (NISC).
72% percent of the organizations surveyed by NISC reported being targeted in a DNS attack through the 12 months trailing last September. Given rising blackhat focus on crypto platforms, Web3 projects must continually ensure that their DNS posture is secure.
Twitter Phishing Bots — December 2021
Last September, Bleeping Computer reported about a scam involving chatbots that mimic support accounts for popular crypto wallets like MetaMask and TrustWallet. These bots exploit Twitter’s API to monitor all public tweets for specific keywords and phrases to send targets DMs with scam links within seconds of their tweets posting.
If the bots detect a hit on keyword, writes Bleeping Computer, “these same programs will direct Twitter bots under the scammer’s control to automatically reply to the tweets as fake support agents with links to scams that steal cryptocurrency wallets.”
The security community — and most active Twitter users in crypto — have known about these bot scams for over a year, but they continue to expand to include new crypto wallets and service providers, primarily targeting new and unsophisticated users.
“In tests conducted by BleepingComputer, tweets containing the words ‘support,’ ‘help,’ or ‘assistance’ along with the keywords like ‘MetaMask,’ ‘Phantom,’ ‘Yoroi,’ and ‘Trust Wallet’ will result in almost instantaneous replies from Twitter bots with fake support forms or accounts,” said the report.
Russian Cybercrime Forum Chatter
Immunefi combed some of the most popular Russian-language cybercriminal forums to see the types of crypto attack vectors being discussed. The vast majority of the criminal service offerings being solicited are crypto stealers like Eternity.
Eternity Stealer is a malware application that boasts the capability of swiping user credentials from the following cold wallets: Atomic, Binance, Coinomi, Electrum, Exodus, Guarda, Jaxx, Wasabi, Zcash, BitcoinCore, DashCore, DogeCore, LiteCore, and MoneroCore.
Beyond Eternity, there were other interesting posts, including a MetaMask NFT stealer:
A service that claims the ability to create scam tokens that can be listed on PancakeSwap:
Providers who claim expertise in Google AdWords to drive traffic to scam sites:
Whitepaper contests for novel DeFi exploits and vulnerabilities:
Job postings for blackhat “smart contract hackers”:
And posts advertising interest in purchasing blockchain vulnerabilities:
What You Can Do
Sophisticated social engineering and phishing attacks don’t look like cheap scam emails from PayPal or Amazon that never even make it into your inbox. Not in our corner of the internet. Since DeFi regularly involves hundreds of millions (and even billions) of dollars, the blackhats attracted to this field are smart and serious.
The first step to protecting yourself both as users and maintainers of DeFi projects is to take the threat seriously. Once you take the threat seriously, there are plenty of other things you can do to protect yourself if you’re an individual or your project and users if you’re a developer.
- Keep up to date on the latest hacks and infiltration attempts in the space, so you know what to look for. DarkReading is a good source. Attack attempts won’t be as simple as an obvious scammer sending you a weird, random email, asking you to click on a suspicious-looking link. Blackhats will always try to build a connection and a relationship with you, so that they have a pretext for sending you a link or some kind of file they want you to click on. Be wary of social engineering attempts that lead to phishing, rather than just direct phishing attempts out of the blue.
- Be aware that you may be targeted by sophisticated state-sponsored hacking groups, like the Lazarus Group run out of North Korea. These groups have serious time to put into social engineering and phishing attempts, so don’t assume that all hostile social engineering or phishing attempts on you or your project will be simple or obvious. They could involve job interviews, job offers, collaborations, in-person events, etc.
- Talk to your friends and team members about social engineering and phishing scenarios as you hear about them in the news. Sharing information about novel social engineering and phishing attack vectors makes it less likely that your friends or team members will fall victim to an attack. It is not enough that you are personally secure. Everyone on your team has to be secure. Take note that sometimes hackers will compromise your friends in order to get to you.
- It’s important to remember that some social engineering may take place in the physical world as well. It does not take much personal information to find your physical location. Make sure that when you leave the house, your doors are locked and your devices are password-protected. If you would feel more comfortable with a home security system, purchase one.
Information security best practices
- Do not download and open PDF/Word/executable documents or files on your computer that are sent directly to you. Blackhats may be able to own your machine with a single click. You can preview PDF/Word documents safely in Gmail, or you can also open them on a sandboxed virtual machine. If you’re suspicious of a particular file, you can upload it to Virus Total for further analysis. When you download it in order to upload it to Virus Total, do not even click on the file to preview it, as that could possibly result in a script being executed on your machine as well.
- If you open suspicious files, be ready to wipe your machine clean — and quickly. Regularly make full backups so you can restore your machine to an earlier state and have your sensitive, must-have files in an encrypted cloud backup or an encrypted external hard drive, so if you need to wipe your machine, you can do it quickly. Every 6 months, run an internal scenario drill where you or one of your team members has a compromised machine, and you need to lock it and/or wipe it clean.
- Use password managers to manage your logins, and separate your personal password manager from your work password manager.
- Be careful about using public wifi networks, and always use a VPN. With VPNs, you can modify the settings, such that if your VPN goes down, you don’t just automatically revert back to using regular wifi, whether your personal wifi or airport/coffee shop wifi. Consider running your own VPN using open source software on a private cloud server.
- If you’re running a project with a large amount of funds locked up in smart contracts, you must have separate work equipment firewalled from your personal equipment. Have a separate work phone and work computer and watch out for contamination between work and personal devices.
- Check in with your team several times a year to make sure that everyone is following basic security practices laid out in this guide.
- Take this quiz from Google to see if you can spot phishing attempts.
With Web3 adversaries on the prowl, defenders need to step up to the plate. Everyday users, meanwhile, need to be alert and understand that they cannot fully trust any link, user, or website. The lesson here is to stay vigilant and verify the integrity of every counterparty they interact with online.