A targeted phishing attack against OpenSea users resulted in the theft of NFT tokens valued at approximately $2 million. OpenSea has said that its own email system and platform were not compromised. The attack, as described in detail by Check Point security researchers, took advantage of an announcement that customers were required to migrate their accounts on the OpenSea platform. Threat actors sent customers a spoofed email message stating that the migration was unsuccessful and that they were required to log in to their financial accounts using a new link to the platform. This link was part of the phishing attack: it allowed the threat actors to record credentials and tokens, which a script then used almost instantly to initiate transfers of NFT tokens to the threat group's accounts.
Analyst Notes
Organizations can take advantage of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to help prevent Business Email Compromise (BEC) via the spoofing of sender addresses. The use of authenticated or encrypted email via Public Key Infrastructure (PKI) can also protect against phishing attacks. In addition, organizations can encourage customers to access important accounts with financial information directly from the company website or platform, and not from a link in an email. Finally, organizations should carefully consider the timing of public announcements that can be used by threat groups in social engineering attacks against customers or business partners.
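The following Python code, added here as an illustration and not part of the original brief, checks whether a domain's published SPF and DMARC records actually tell receiving mail servers to refuse messages that spoof its sender address. The function names and the sample record strings are constructed for the example.

```python
# Added example: audits SPF/DMARC TXT record strings; all sample data is constructed.

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_dmarc(record):
    """Findings for a DMARC TXT record; an empty list means it is enforcing."""
    if record is None:
        return ["no DMARC record: receivers get no policy for a spoofed From"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not declare v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: failing mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports showing who spoofs the domain")
    return findings

def audit_spf(record):
    """Findings for an SPF TXT record; '-all' and '~all' are treated as acceptable."""
    if record is None:
        return ["no SPF record: any host may claim the domain in MAIL FROM"]
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record does not start with v=spf1, so receivers ignore it"]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in the redirected record; audit that one instead
    final = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not final:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if final[0] in ("all", "+all"):
        return [f"{final[0]}: every host gets an SPF pass, which DMARC then accepts"]
    if final[0] == "?all":
        return ["?all: unlisted senders get neutral instead of fail"]
    return []

def audit_domain(spf, dmarc):
    return audit_spf(spf) + audit_dmarc(dmarc)

# Constructed sample records: a monitoring-only domain and an enforcing one.
WEAK = ("v=spf1 include:_spf.mail.example ?all", "v=DMARC1; p=none; pct=50")
STRONG = ("v=spf1 include:_spf.mail.example -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

Calling `audit_domain(*WEAK)` returns one SPF finding and three DMARC findings, while `audit_domain(*STRONG)` returns an empty list.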
https://www.bleepingcomputer.com/news/security/opensea-users-lose-2-million-worth-of-nfts-in-phishing-attack/
https://blog.checkpoint.com/2022/02/20/new-opensea-attack-led-to-theft-of-millions-of-dollars-in-nfts/