OpenSea, a non-fungible token (NFT) marketplace, is investigating a phishing attack in which 17 of its users lost more than 250 NFTs worth approximately $2 million.
An NFT is a record stored on a blockchain such as Ethereum that certifies ownership of a digital file, typically artwork or another media asset. OpenSea is a peer-to-peer NFT marketplace on which traders buy and sell rare digital items and crypto collectibles. It is currently valued at $13.3 billion and is regarded as one of the largest such marketplaces in the world.
Phishing attackers constantly look for events that force users to act, and the OpenSea NFT theft is no exception. According to a report by Check Point researchers, the phishing actors knew that OpenSea was upgrading its smart-contract system to remove old and inactive listings from the platform, and they timed their emails and websites to coincide with that migration.
OpenSea users were told they needed to migrate their listings between February 18 and February 25 to keep using the site, and the platform emailed all users with instructions on confirming the transfer of their listings. The phishing actors piggybacked on this procedure: they sent a copy of OpenSea's message to users from their own email addresses, leading recipients to believe that their original confirmation had failed.
The phishing email linked to a phishing website where victims were asked to sign a transaction that appeared to be part of the migration. In reality, the signature authorised the attacker to submit a series of transfer requests whose parameters the victim had already approved, handing the attacker control of the NFTs. According to Check Point, the actor even ran a rehearsal of the attack on January 21, 2022, to make sure it would work as planned.
OpenSea states that the attack did not exploit any weakness in the platform or its trading systems and relied entirely on phishing to deceive users. The platform has therefore urged users not to click on any links outside the opensea.io domain. The phishing emails were also confirmed to have originated outside the platform, indicating that the site's own email distribution system was not compromised. The attack appears to have stopped for now, with the most recent malicious transaction occurring yesterday.
When you sign a transaction without reading it, you may be granting someone else control of your digital assets. Refuse any transaction request that does not come from the exchange platform itself, and if a request arrives by email, verify the sender before acting on it. Ethereum block explorers such as Etherscan offer a token-approval checker that lets you review the approvals granted from your address and revoke any you no longer need.
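The two defensive checks discussed above, as an added example that is not code from the article, OpenSea or Check Point: decode the calldata a wallet is about to sign, flag ERC-721 approval and transfer calls that would hand an outside operator control of a user's NFTs, and build the call that revokes a blanket approval. It covers on-chain approvals, which is what the approval-checker advice concerns, and does not reproduce the specific marketplace order the attackers had victims sign. The function selectors are the standard ERC-721 ones; the MARKETPLACE and ATTACKER addresses are made-up placeholders, and the trusted-operator allowlist is an assumption about how a wallet might apply the advice to refuse requests that do not come from the exchange platform.

```javascript
// Added example (not from the article, OpenSea or Check Point): inspect what an
// ERC-721 transaction actually authorises before signing it, and build the
// revocation call for a blanket approval. All addresses are placeholders.

const ZERO_ADDRESS = "0x" + "0".repeat(40);

// First four bytes of keccak256(signature) for the ERC-721 calls that move
// tokens or delegate the right to move them.
const SELECTORS = {
  "a22cb465": { name: "setApprovalForAll(address,bool)", args: ["address", "bool"] },
  "095ea7b3": { name: "approve(address,uint256)", args: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom(address,address,uint256)", args: ["address", "address", "uint256"] },
  "42842e0e": { name: "safeTransferFrom(address,address,uint256)", args: ["address", "address", "uint256"] },
};

function decodeWord(word, type) {
  // Static ABI arguments each occupy one 32-byte word, right-aligned.
  if (type === "address") return "0x" + word.slice(24);
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return BigInt("0x" + word); // uint256
}

// Decode calldata and classify the risk of signing it. `trustedOperators` is an
// assumed allowlist of contracts (e.g. the marketplace's own) that may receive
// approvals; any other operator is treated as a potential thief.
function inspectCalldata(calldata, trustedOperators = []) {
  const data = calldata.replace(/^0x/i, "").toLowerCase();
  const selector = data.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) {
    return { selector, risk: "unknown", reason: "unrecognised function selector; do not sign what you cannot decode" };
  }
  const words = data.slice(8).match(/.{64}/g) || [];
  if (words.length < fn.args.length) {
    return { selector, name: fn.name, risk: "malformed", reason: "calldata shorter than the function's argument list" };
  }
  const params = fn.args.map((type, i) => decodeWord(words[i], type));
  const trusted = new Set(trustedOperators.map((a) => a.toLowerCase()));
  const result = { selector, name: fn.name, params };

  switch (fn.name) {
    case "setApprovalForAll(address,bool)": {
      const [operator, approved] = params;
      if (!approved) return { ...result, risk: "low", reason: `revokes operator ${operator}` };
      if (trusted.has(operator)) return { ...result, risk: "medium", reason: "grants a trusted operator transfer rights over the whole collection" };
      return { ...result, risk: "high", reason: `grants untrusted operator ${operator} the right to transfer every token in this collection` };
    }
    case "approve(address,uint256)": {
      const [spender, tokenId] = params;
      if (spender === ZERO_ADDRESS) return { ...result, risk: "low", reason: `clears approval on token ${tokenId}` };
      return { ...result, risk: trusted.has(spender) ? "medium" : "high", reason: `lets ${spender} transfer token ${tokenId}` };
    }
    default:
      // transferFrom / safeTransferFrom move a token immediately.
      return { ...result, risk: "high", reason: `transfers token ${params[2]} from ${params[0]} to ${params[1]}` };
  }
}

// Build the calldata for setApprovalForAll(operator, false), which withdraws a
// blanket approval previously granted to `operator` on a given collection.
function buildRevokeCalldata(operator) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(operator)) throw new Error("invalid address: " + operator);
  const addrWord = operator.slice(2).toLowerCase().padStart(64, "0");
  const boolWord = "0".repeat(64); // false
  return "0xa22cb465" + addrWord + boolWord;
}

// Constructed sample: a phishing page asks the wallet to sign
// setApprovalForAll(<attacker>, true) on the victim's NFT collection.
const MARKETPLACE = "0x1111111111111111111111111111111111111111"; // placeholder for the legitimate marketplace contract
const ATTACKER = "0x2222222222222222222222222222222222222222";    // placeholder for the phisher's contract
const phishingCalldata =
  "0xa22cb465" + ATTACKER.slice(2).padStart(64, "0") + "1".padStart(64, "0");

console.log(inspectCalldata(phishingCalldata, [MARKETPLACE]));
console.log(buildRevokeCalldata(ATTACKER));
```

The decoder is deliberately strict: anything it cannot name is reported as unknown rather than assumed harmless, which is the posture a user needs when a site claiming to be the marketplace presents an unexpected signing prompt.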