Scammers Impersonate OpenSea Customer Support
Attackers Socially Engineer Digital Asset Holders on Discord
Users of OpenSea, a marketplace for blockchain-based digital assets, are being targeted by scammers who are impersonating the company's support staff in order to steal digital assets such as cryptocurrency and non-fungible tokens.
Digital artists can use OpenSea to store, buy and sell NFTs. OpenSea user and artist Jeff Nicholas, who fell victim to this scam, tweeted that the attackers stole digital assets he held as well as 4.5 ether - which is worth about $14,600 - from his Ledger hardware wallet.
The problem revolves around OpenSea using the Discord chat platform for customer support, tweets Sean Bonner, who is a photographer and associate professor at Japan’s Keio University.
"The way this attack is happening is people are being told to go to the OpenSea Discord and post their support ticket, attackers are monitoring these channels and then contacting people posing as OpenSea support, armed with info about their support claim," Bonner tweets.
OpenSea recently surpassed $1 billion in monthly trading volume, according to data compiled by The Block in August.
Disabling Services
Nicholas says he was targeted after threat actors impersonated an OpenSea support employee. The fake representative tricked him into inadvertently enabling access to his MetaMask wallet, leading to the loss of cryptocurrency and NFT collectibles stored there.
Nicholas posted an in-depth thread describing how he was duped.
Today has been rough. While I’m currently feeling a little better, I want to get in front of this & explain what happened last night as a cautionary tale for anyone - whether noob or seasoned vet - because I believe this can happen to anyone if ur guard is down like mine was. 1/27
— jeffnicholas.eth (@_jeffnicholas_) August 25, 2021
MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallets through a browser extension or mobile app, which can then be used to interact with decentralized applications.
Nicholas told Bleeping Computer how he was scammed. The threat actors asked him to share his screen, and he was told to resync the MetaMask Chrome extension with the MetaMask mobile app.
To sync the MetaMask mobile app with the Chrome extension, a user goes to the extension's settings, where a sync with mobile option appears. That option prompts for a password and then presents a QR code. An attacker who is watching a shared screen can easily take a screen grab of that code.
The mobile MetaMask app can scan this code and import the victim's Chrome wallet automatically. Once the threat actors scan this QR code, they have full access to the cryptocurrency and any NFT collectibles stored within the wallet.
Nate Chastain, OpenSea's head of product, tweeted: "Saddened to hear an OpenSea user was the victim of a significant phishing attack last night. The scammer masquerades as an OpenSea employee and has the user scan a QR code granting wallet access. Please be vigilant and direct support requests through our Help Center/ZenDesk."
Chastain said the MetaMask team will be temporarily disabling the mobile QR code sync feature to defend against phishing attacks that have become more prevalent in recent weeks.
A spokesperson for OpenSea was not immediately available for further comment.
Discord: Not for Sensitive Customer Support
Roger Grimes, who is a data-driven defense evangelist at the security firm KnowBe4, says NFTs are frequently targeted by thieves.
"It's not surprising that social engineering is the primary way these value tokens are being stolen," Grimes says. "Social engineering has always been the number one way malicious digital crime happens, whether or not Discord and NFTs are involved."
Bonner says that to help ensure other users are not duped by fake support on Discord, OpenSea should stop directing any support to Discord and shut down those channels.
"Additionally, they should refund the stolen ETH [Ethereum cryptocurrency] and market value of the NFTs stolen," Bonner says.