fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

OpenSea Users Lose $2 million Worth of NFTs in Phishing Attack

OpenSea Users Lose $2 million Worth of NFTs in Phishing Attack

The non-fungible token (NFT) marketplace OpenSea is investigating a phishing attack that left 17 of its users without more than 250 NFTs worth around $2 million.

NFTs represent data stored on a blockchain, Ethereum in this case, that declares ownership of digital files, typically media files of artwork.

Currently valued at $13.3 billion and considered one of the largest in the world, OpenSea is a peer-to-peer NFT marketplace that also enables trading rare digital items and crypto collectibles.

Also Read: Invasion Of Privacy Elements And Its Legal Laws To Comply

Exploiting a migration

Phishing actors are always looking for ways to take advantage of changes that require users to take action and the OpenSea NFT theft is no different.

Researchers at Check Point say in a report today that the phishing actors knew about OpenSea upgrading its smart contract system to purge old and inactive listings on the platform and prepared for the migration with emails and websites of their own.

OpenSea informed its users that they had to update their listings between February 18 – 25 if they wanted to continue using the platform.

To help them in the process, the platform sent all users emails with instructions on how to confirm the migration of the listings.

The phishing actors took advantage of this process and used their own email addresses to send out the message from OpenSea to validated users, tricking them into thinking their original confirmation didn’t go through.

Phishing email sent by the threat actors looks identical to the real one
Phishing email sent by the threat actors looks identical to the real one (Check Point)

The link embedded into the phony email pointed to a phishing website where victims were prompted to sign a transaction, supposedly concerning the migration.

Also Read: 5 Best Practices About Information Retention For Businesses

Original and malicious transaction requests side by side
Original and malicious transaction requests side by side (Check Point)

Instead, the transaction enabled the actor to perform a series of forwarding requests with verified parameters, resulting in passing the NFT ownership to the attacker.

The series of forwarded requests that transfer ownership of NFTs
The series of forwarded requests that transfer ownership of NFTs (Check Point)

As Check Point explains, the actor even executed a dry run back on January 21, 2022, to verify that the attack would work as intended.

OpenSea not compromised

OpenSea was quick to point that the attack doesn’t exploit any vulnerabilities on the platform or its trading systems, but instead relies solely on deceiving users through phishing.

As such, the platform has advised users to remain vigilant and avoid following any links that don’t belong to the opensea.io domain.

Also, the phishing emails were confirmed to originate from outside the platform, confirming that the platform’s email distribution system has not been compromised.

At this time, the attack appears to have stopped, the most recent transaction occurring yesterday.

Keep NFTs to yourself

Signing transactions without paying attention gives others permission to transfer ownership of your digital assets. Requests from the exchange platform excepted, all other transaction requests should be rejected.

If these requests come via emails, you should always verify the sender before taking any action. Ethereum offers a tool to check your token approvals and revoke them if needed.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us