A recent malware campaign that targeted online artists with a lure about lucrative nonfungible token (NFT) projects is a good indication of how threat actors are capitalizing on the snowballing interest in digital goods — and it has implications for the growing number of corporate brands trying to ride the NFT wave, too.
The campaign, which researchers from Malwarebytes observed, involved messages purporting to be from NFT project Cyberpunk Ape Executives. These were sent to digital art creators on online platforms such as DeviantArt and Pixiv, and they invited the recipients to work with the people behind the Cyberpunk Ape project to create new NFT characters. They also promised them $350 per day by way of compensation.
A link in the message directed recipients to more information about the project. When users clicked on it, they were sent to a site that downloaded multiple images of apes that purported to be examples of NFTs from the project. One of the images was an executable file, which when opened infected the user’s system with an information stealer.
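For defenders triaging a download like the one described above, the following is an added example, not part of the original article or of Malwarebytes' analysis. It flags files in a folder of supposed images whose leading bytes or extensions mark them as executables. The article does not say how the executable was disguised, so the mismatched-header and double-extension checks, the file names, and the stub sample bytes are all assumptions constructed for illustration.

```python
import os
import tempfile

EXEC_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}
# Extensions Windows runs directly when double-clicked.
RISKY_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}


def exec_kind(header):
    """Return the executable format named by the leading bytes, or None."""
    for magic, kind in EXEC_MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def triage(folder):
    """Map each suspicious file name in `folder` to the reason it was flagged."""
    findings = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            kind = exec_kind(fh.read(8))
        stem, ext = os.path.splitext(name.lower())
        inner_ext = os.path.splitext(stem)[1]
        if kind and ext in IMAGE_EXTS:
            findings[name] = f"{kind} content behind an image extension"
        elif ext in RISKY_EXTS and inner_ext in IMAGE_EXTS:
            findings[name] = "image name with a trailing executable extension"
        elif kind or ext in RISKY_EXTS:
            findings[name] = "executable file in an image bundle"
    return findings


def demo():
    """Build a constructed sample bundle (stub bytes only) and triage it."""
    samples = {
        "ape_01.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # PNG header
        "ape_02.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,   # JPEG header
        "ape_03.gif": b"MZ" + b"\x00" * 8,                 # PE header, image name
        "ape_04.jpg.scr": b"MZ" + b"\x00" * 8,             # double extension
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return triage(folder)
```

Calling `triage()` on a real download folder returns a dictionary of flagged file names and reasons; a header check of this kind only catches native executables, so script-based payloads still need the extension rules.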
Malwarebytes said it observed several account holders on platforms such as Pixiv and DeviantArt complaining about their accounts being used to spam others with messages about the same Cyberpunk Ape Executive NFT project. Malwarebytes said it couldn’t confirm if the information stealer itself was responsible for the account hacks or if some other form of phishing was involved.
NFT-Related Cybercrime: A Rapidly Growing Threat
The campaign is one in a rapidly growing number of NFT-centric attacks, security researchers say. Most of them, for the moment at least, are aimed at people working directly in the NFT space, says Chris Boyd, lead malware intelligence analyst at Malwarebytes. “However, as more mainstream businesses adopt NFT projects or look to get involved with blockchain, it will quickly become a concern across more traditional industries,” he predicts.
Analyst firms such as Gartner and Forrester already predict a world where NFTs will play a crucial part in enterprise strategies over the next few years. Gartner included NFTs in its 2021 hype cycle for emerging technologies, and it has described them as one of the technologies that could have the most significant impact on business and society over the next 10 years. The analyst firm expects NFTs will play a fundamental role in an emerging metaverse where organizations try to provide better engagement, collaboration, and connection with employees and others through immersive virtual workplaces.
Forrester also has pointed to organizations such as insurance firm State Farm jumping into the NFT space with a football-themed treasure hunt as an example of how a quickly growing number of enterprises are experimenting with nonfungible tokens.
Harvard Business Review earlier this year described initial enterprise efforts around NFTs as focused on launching their own digital collectibles — such as Campbell’s soup can art. HBR predicts that in the next few years, NFTs could become the “central digital touchpoint” between enterprises and their customers.
A Variety of Attacks
Boyd says Malwarebytes researchers have been observing a variety of NFT and cryptocurrency threats daily.
“The most common attacks try to trick cryptocurrency enthusiasts into handing over their wallet’s recovery phrase,” he says. Users who fall for the scam often stand to lose access to their funds permanently, he says. “Bogus Airdrops, which are fake promotional giveaways, are also common and ask for recovery phrases or have the victim connect their wallets to malicious Airdrop sites,” he adds, noting that many fake Airdrop sites are imitations of real NFT projects. And with so many small unverified projects around, it’s often hard to determine authenticity, he notes.
Oded Vanunu, head of product vulnerability at Check Point Software, says what his company has observed by way of NFT-centric attacks is activity focused on exploiting weaknesses in NFT marketplaces and applications.
“We need to understand that all NFT or crypto markets are using Web3 protocols,” Vanunu says, referring to the emerging idea of a new Internet based on blockchain technology. Attackers are trying to figure out new ways to exploit vulnerabilities in applications connected to decentralized networks such as blockchain, he notes.
Over the last few months, Check Point Research has observed attacks that try to trick users into providing NFT platform or wallet access, and those that target NFT marketplace vulnerabilities to access NFTs belonging to digital artists.
Check Point has also observed attacks involving the use of malicious NFTs to exploit platform vulnerabilities, Vanunu says. He says organizations that hold NFT assets or crypto assets need to be aware of these threats. Enterprise users who access NFT marketplaces using their company-issued device could also put their organizations at risk, he says.
The increase in NFT-centric scams also shows how attackers are leveraging the new and relatively unknown in attacks against victims, notes Hank Schless, senior manager security solutions at Lookout. Many are purchasing NFTs with cryptocurrency without fully understanding the underlying mechanisms, he says. For example, “people who are new to NFTs might not understand how to validate that the digital asset they’re looking at is the real thing,” he says.
Attackers can take advantage of this lack of knowledge to trick people into bidding on fake NFTs, for instance. This can especially be an issue with more expensive NFTs, where a principal bidder or purchaser might offer fragmented ownership of an NFT to a large group of buyers.
“These group purchases are usually coordinated over social-media platforms like Twitter, Reddit, and Discord, which give an attacker access to a large number of potential victims,” Schless says. While most NFT scams continue to be consumer-focused, an attacker could easily use an NFT lure to deliver malware to a corporate device and gain access to corporate data, he says.
Check Point’s Vanunu says it’s time for organizations to improve user awareness around NFT-centric threats. Organizations with an NFT platform or crypto wallet should enforce multifactor authentication for accessing them, for one. He also recommends that they use two wallets: one that is cold — or offline — for holding all digital assets, and one just for trading with low amounts.
That way, he says, “in case of exploitation, hackers will not be able to hijack too much.”