Phishing attacks threaten the security of NFT assets

OpenSea, the world’s largest NFT trading platform, quickly fixed a vulnerability that threatened the security of users’ NFT assets. Earlier, some users had claimed on social media that the assets in their crypto wallets were stolen after they obtained free airdropped NFTs through OpenSea.

Blockchain security company Check Point Research obtained clues about the vulnerability from the victims. Its researchers investigated and found security vulnerabilities in OpenSea that hackers could use to send malicious NFTs, hijack users’ OpenSea accounts and steal their crypto wallets.

The security company reported the vulnerability to OpenSea, and the two parties worked together to fix it at the end of September. The incident was made public more than 20 days later. OpenSea has created a blog to teach users the basics of security on decentralized networks.

Judging by the vulnerability and the attack method, this is a typical “phishing attack”. This kind of attack is nothing new in the Internet world, but after years of security practice the Internet has built up some defenses against it, and users have developed a sense of caution. However, in the emerging decentralized world of blockchain, the old attack method of “phishing” is still rampant and has spread to NFT assets. It exploits users’ unfamiliarity with blockchain infrastructure.

User wallet stolen after receiving NFT airdrop on OpenSea

Reports of crypto asset theft that users posted on Twitter attracted the attention of blockchain security company Check Point Research (hereinafter referred to as CPR). These thefts had a common starting point: after users received free NFT airdrops, their wallets were looted.

“When we saw rumors about stolen encrypted wallets on the Internet, we became interested in OpenSea. We speculated that there is an attack method around OpenSea, so we thoroughly investigated it.” CPR’s product vulnerability research director Oded Vanunu recalled his research experience a month ago.

After contacting the victims and asking for details, CPR identified a critical vulnerability in OpenSea and showed that a malicious NFT publisher could use it to hijack a user’s OpenSea account and steal the user’s crypto wallet.

Confirmation choices that users may see when viewing malicious NFTs

CPR worked out the steps needed to exploit the vulnerability: hackers create a malicious NFT and gift it to the target victim; when the victim views the malicious NFT, the OpenSea storage domain triggers a pop-up window (such pop-ups are very common in various activities on the platform) requesting a connection to the victim’s crypto asset wallet; if the victim wants to interact with these “free NFTs”, they have to click “connect wallet”. Once this is done, the hacker gains access to the victim’s wallet, and by triggering further pop-ups the hacker can keep stealing the assets in it.

Because these pop-ups are sent from the OpenSea storage domain, CPR was able to pin the source of the vulnerability on the platform. If users do not pay attention to the note in the pop-up describing the transaction, they are likely to click through it, and eventually the entire crypto wallet is stolen.

CPR identified the vulnerability and deduced the exploit path, but OpenSea said in its subsequent statement that it could not identify any instances in which the vulnerability had been exploited.

CPR said that it disclosed the results of its investigation to OpenSea on September 26. OpenSea responded quickly and shared an SVG file containing iframe objects from its storage domain, so that the two parties could review it together and make sure all attack vectors were closed. In less than an hour, OpenSea fixed the vulnerability and verified the fix.
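The SVG file with iframe objects mentioned above suggests the kind of upload check a storage domain can run before serving user-supplied images. The following is an added example, not code from OpenSea or CPR; the function names, the blocked-element list and the sample SVGs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG embed or execute active content (lower-cased).
ACTIVE = {"script", "iframe", "foreignobject", "object", "embed"}

def local(name):
    """Drop an XML namespace prefix: '{ns}iframe' -> 'iframe'."""
    return name.rsplit("}", 1)[-1]

def scan_svg(data: bytes):
    """Return findings for an uploaded SVG; an empty list means nothing active was seen."""
    if b"<!DOCTYPE" in data:            # images need no DTD; refuse entity tricks
        return ["doctype declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable XML"]      # fail closed: reject what cannot be inspected
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag.lower() in ACTIVE:
            findings.append(f"element <{tag}>")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            url = "".join(value.split()).lower()   # ignore whitespace padding
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and url.startswith(("javascript:", "data:text/html")):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings

# Constructed samples (not taken from the incident).
NS = b'xmlns="http://www.w3.org/2000/svg"'
BENIGN = b'<svg ' + NS + b' width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
FRAMED = (b'<svg ' + NS + b'><foreignObject width="100" height="100">'
          b'<iframe xmlns="http://www.w3.org/1999/xhtml" src="https://example.invalid/"/>'
          b'</foreignObject></svg>')
HANDLER = (b'<svg ' + NS + b'><a xmlns:xlink="http://www.w3.org/1999/xlink" '
           b'xlink:href="java script:x()" onclick="x()"><rect width="1" height="1"/></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("framed", FRAMED), ("handler", HANDLER)):
        print(label, scan_svg(sample) or "clean")
```

A scan like this complements, rather than replaces, serving user uploads from a separate origin with a restrictive Content-Security-Policy.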

The OpenSea statement shows that these attacks rely on users providing signatures for malicious transactions through third-party wallets, thereby approving the malicious activity. After fixing the vulnerability, OpenSea coordinated directly with the third-party wallets integrated with the platform to help users better identify malicious signature requests, and on measures to help users prevent scams and phishing attacks. “We also doubled community education around security best practices and launched a blog series on how to stay safe on decentralized networks. We encourage new users and experienced veterans to read this series. Our goal is to make the community more able to detect, mitigate and report attacks in the blockchain ecosystem, such as those demonstrated by CPR.”

Don’t easily connect your wallet to an unfamiliar website

This is not the first security incident in the field of NFT assets. The victims are not only ordinary users, but the losses fall mostly on ordinary users, because the theft of NFT assets from a platform or project team also affects ordinary users’ income.

In March of this year alone, there were two high-profile thefts of NFT assets.

First, on March 15th, the hot wallet of the social NFT token platform Roll was stolen. Hackers stole part of the NFT social tokens held in it, such as WHALE and SKULL. Part of the funds were then transferred to the transaction mixer Tornado. According to the analysis, the attacker netted about 5.7 million U.S. dollars in ETH in the process. The price of the affected social tokens dropped sharply.

On March 17, several users of Nifty Gateway, an NFT trading market, suffered account theft. Some victims claimed that hackers stole thousands of dollars’ worth of digital art from their accounts; other hacked users alleged that the credit card they had on file was used to purchase additional NFTs. Nifty Gateway’s subsequent statement mentioned that the accounts that suffered theft did not have two-factor authentication enabled (two types of information are used to verify identity, usually a combination of a password and a dynamic password), and that the hackers obtained access through valid account credentials.

As non-fungible tokens (NFTs) are increasingly tied to collectibles and valuable crypto assets, hackers are reaching for the wallets of NFT holders, which again shows that the security of the blockchain networks on which NFTs rest is fragile.

Experienced users have summarized the NFT attack vectors. For example, hackers may plant Trojan horse files on your computer to steal your login details and other information; use malware to record keyboard input and steal your password; or use malicious software to take screenshots and capture sensitive information. Hackers may also hijack DNS, create phishing pages, and trick users out of their wallet mnemonics.

Seen this way, these attack methods are not much different from the methods hackers use on the Internet. In Internet applications, however, users have gained some sense of defense from their own or other people’s experience, such as not clicking on unfamiliar links. When using blockchain networks and crypto wallets, some users show “zero common sense”. This is related to users’ unfamiliarity with crypto assets and blockchain fundamentals, and it once again shows how immature the blockchain infrastructure remains as it becomes popular.

It seems that ordinary users can only learn preventive skills from security incidents, and popularizing security knowledge has become one of the tasks the crypto community is committed to.

NFT creator and collector Justin Ouellette once gave advice on protecting NFT assets on Twitter: “Don’t reuse the same password on multiple platforms; learn to enable two-factor authentication; be careful of websites with a minimized-element version of the UI (often phishing websites and Trojan horse software); do not disclose your mnemonic words to anyone.”

Theft of assets is only one aspect of NFT security. Recently, a research report on NFTs by the Blockchain Storage Research Center of Huazhong University of Science and Technology and HashKey Capital Research showed that an NFT system is a technology that integrates blockchain, storage, and network applications, and that guaranteeing its security is challenging. Any one component may become a security weakness and expose the entire system to attack: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege and other aspects are all possible risks in an NFT system.

On the road to safety, NFT has a long way to go.

Posted by: CoinYuppie, Reprinted with attribution to: