How the Bored Ape Yacht Club was probably compromised with a reverse-proxy phishing attack

A phishing link sent from the Bored Ape’s official Instagram account was used to steal $1 million of Bored Ape Yacht Club NFTs recently. Most people can’t figure out how this could happen if the company account was protected by 2FA, so this article is intended to explain how it’s pretty easy for threat actors to steal your 2FA codes with a phishing technique that has been in use by smart hackers for years.

Reverse-proxy phishing

How a reverse-proxy phishing attack works

Typical phishing scams that you probably know about, involve a phishing URL and a counterfeit website. A reverse-proxy phishing scam is different and much worse. Instead of being brought to a fake website, the victim receives authentic content from the legitimate website. The reverse-proxy silently redirects all traffic and everything the user types into the legitimate site to the proxy server.

Credentials and sensitive information such as a password or crypto wallet address entered by the user are automatically passed on to the threat actor. The reverse-proxy also collects 2FA tokens when prompted by the website. Attackers can then collect these 2FA tokens in real-time, to access the victims’ accounts. I suspect this is what happened to a member of the team at the Bored Ape Yacht Club.

A penetration testing tool published in 2019 by a security researcher can automate phishing attacks with an ease that had never been seen before. Named Modlishka — the English pronunciation of the Polish word for mantis — this new tool was created by Polish researcher Piotr Duszyński. When I asked Piotr if this type of attack can bypass any 2FA solution on the market, he said

“Hi Paul, yes. Majority of those currently used, as far as I know. The only resistant 2FA is based on the WebAuthn standard.”

Unfortunately very few people use WebAuthn based 2FA solutions. Unless a security solution can detect the phishing URL, this attack is impossible to stop because traditional network, cloud, and endpoint security relies on the impossible task of detecting millions of new malicious URLs created by criminals every month.

Here’s a video of how it works. Scary stuff!

Marcus Hutchsins is one of the most famous hackers in the world who turned from the dark side to become a white hat — when he brought a stop to the WannaCry ransomware attack. Following the last Twitter hack in which phishing was the entry point, he wrote…

I immediately recognized this as the reverse-proxy phishing technique that I first wrote about in 2019. I asked Marcus to re-confirm my assumptions with a direct question and he didn’t let me down…

Is it possible to stop a targeted reverse-proxy phishing attack?

Yes, but not with traditional security. Zero Trust URL & Web Access Authentication is the ONLY way to stop a reverse-proxy phishing attack because it assumes every URL is dangerous, unless verified. I like to call this — “Trust no URL, always verify”. AI, computer vision, and virtual browsers aren’t effective or reliable because they rely on detecting signs of danger on webpages — remember — the reverse-proxy phishing technique uses the legitimate website, so there are NO signs of danger.

After spending many years studying this subject, I realized that Internet Security is flawed by design — trying to detect and stop dangerous URLs was, and still is, a losing battle. So I asked my team at MetaCert to try a social experiment called “Verified by MetaCert”. When we later discovered the concept of “Zero Trust” we realized that we had in fact, pioneered the concept of Zero Trust for URL & Web Access Authentication. Wired wrote a great article about Zero Trust here.

Both Yubikey and MetaCert offer the same type of security. Unfortunately, Yubikey only provides protection across a few hundred websites and services, and it requires every user to own a hardware device that plugs into your phone or computer. MetaCert on the other hand, is a browser-based security extension that provides protection across 50 billion URLs — but only works on desktop today.