
How NFT Creators Get Their Cryptocurrency Wallets Stripped

In early June, a targeted phishing campaign went after the creators of NFTs. The goal? Steal the credentials of their cryptocurrency wallets and empty them.

“We suggest you beta-test the new NFT-dedicated features of our photo editor, and of course we will pay you for it (in ETH).” This is the kind of message several creators of NFTs (non-fungible tokens) received at the beginning of June.

Behind these messages lies a targeted and personalized phishing campaign whose purpose is to infect the victims’ computers with malware. According to researcher Bart Blaze, whose work was spotted by The Record Media, the cybercriminals are using a version of Redline, an “infostealer” first seen in March 2020.

As its name suggests, once the infostealer is deployed on the victim’s computer it steals:

  • Usernames and passwords stored in browsers.
  • Information about the computer and the operating system.
  • Above all, the login information for cryptocurrency wallets. This is usually saved in Chrome extensions or in dedicated files. Redline can search for more than 12 different types of wallets, and thus covers the most widely used services on the market. It can also record the victim’s keystrokes.

The crooks pose as real but little-known companies, or as wealthy individuals. They then approach artists on Twitter, Instagram or by email with supposed offers of paid partnerships or bogus commission requests.

Their objective? To get the victim to download and run a file that embeds the Redline malware. They claim it is the software to be tested, a draft of the requested work, or even a payment schedule. The artist FVCKRENDER, for example, was tricked by a private message sent on Twitter by the user “Ha Chon-Chee”, supposedly a Korean working for a collector: “My boss wants to buy your digital art […] We have ideas on what painting we want and we have drawn a sketch. We can send it to you so you can see what kind of painting we want.” The artist was surprised that the draft file displayed nothing when opened. Shortly afterwards, he discovered that his wallet had been emptied of 40,000 AXS (Axie Infinity, a cryptocurrency), or about 137,000 euros.

Cybercriminals want to profit from the popularity of NFTs

NFT creators make very attractive victims for crooks. Although recently in “dramatic decline”, NFT sales amounted to more than $2 billion in the first quarter of 2021, and inevitably some creators have full pockets. In addition, the sellers of these tokens are far more likely than the rest of the population to hold large quantities of cryptocurrency, given their interest in blockchain-related technologies.

Finally, unlike traditional bank fraud, emptying a cryptocurrency wallet leaves few traces. The criminals are more likely to get away with the loot without being pursued by the police.

Have you been targeted by a similar phishing? Tell us about your mishap to francois.manens@humanoid.fr

The modus operandi used against NFT creators is reminiscent of the one used to trap YouTubers. Deceived by detailed messages and a particularly responsive interlocutor, the victims overlook certain warning signs. In this campaign, for example, the cybercriminals hide Redline in a .SCR file, the format of Windows screensavers. These files exist to put computer screens to sleep; in other words, there is no legitimate scenario in which a company would send this type of file to a partner.

Other indicators, such as the interlocutor’s low number of followers, their absence from other social networks, or the amount proposed for the partnership – without any contract being signed – allowed some targets of the scam to escape. However, the cybercriminals planned their attack well: the file containing Redline is artificially enlarged with useless lines of code to evade antivirus scans. This is a fairly widespread method, which Cyberwar had already observed in malware aimed at YouTubers.
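The two warning signs described in this campaign, a “draft” delivered as a .SCR file and a malicious file padded with filler to dodge antivirus scans, can both be checked mechanically before a file is opened. The script below is an added example written for this article; it is not the researcher’s tooling and not code from the article. It treats a .SCR file as what it really is on Windows (a PE executable renamed), confirms the PE signature from the DOS header, and estimates how much of the file is low-entropy filler. The chunk size and the thresholds are assumptions chosen for illustration, and the sample file is constructed inline (a header skeleton plus zero padding, not a working program).

```python
import math
import os
import struct
from collections import Counter

# Heuristic thresholds: assumptions for this example, not values from the article.
CHUNK_SIZE = 4096
LOW_ENTROPY_BITS = 1.0          # a 4 KiB chunk below this is counted as filler
PADDING_FRACTION_ALERT = 0.5    # flag when more than half of a PE file is filler


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a run of one value, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def padding_fraction(data: bytes) -> float:
    """Share of fixed-size chunks whose entropy is low enough to look like filler."""
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    if not chunks:
        return 0.0
    low = sum(1 for chunk in chunks if shannon_entropy(chunk) < LOW_ENTROPY_BITS)
    return low / len(chunks)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine the extension, the PE check and the filler estimate into a verdict."""
    ext = os.path.splitext(filename)[1].lower()
    pe = is_pe_executable(data)
    pad = padding_fraction(data)
    reasons = []
    if ext == ".scr":
        reasons.append("screensaver (.scr) extension: Windows runs it as an executable")
    if pe and ext not in (".exe", ".dll", ".scr", ".sys"):
        reasons.append("PE executable header hidden under a non-executable extension")
    if pe and pad >= PADDING_FRACTION_ALERT:
        reasons.append(f"{pad:.0%} of the file is low-entropy filler (size inflation)")
    return {"is_pe": pe, "padding_fraction": pad,
            "suspicious": bool(reasons), "reasons": reasons}


def build_sample_padded_pe(padding_bytes: int) -> bytes:
    """Constructed sample: a minimal MZ/PE header skeleton with zero filler appended.
    It is not a runnable program; it only exercises the checks above."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> PE signature at offset 0x40
    header += b"PE\x00\x00"
    body = bytes(range(256)) * 16                 # 4 KiB of varied bytes standing in for code
    return bytes(header) + body + b"\x00" * padding_bytes


if __name__ == "__main__":
    # A "draft" that is really a padded executable, versus an ordinary small image.
    for name, blob in [("draft_sketch.scr", build_sample_padded_pe(200 * CHUNK_SIZE)),
                       ("sketch.png", b"\x89PNG" + bytes(range(256)) * 4)]:
        verdict = assess_attachment(name, blob)
        print(name, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```

The entropy test is deliberately coarse: a legitimately packed or compressed executable scores high, while zero padding or repeated junk scores near zero, so the check only ever strengthens a verdict that the extension and header already justify. On a mail gateway or download proxy the same three checks can be applied to any file a partner sends before a user is allowed to open it.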
