Blog Layout

NFTs: The growing cybercrime risks and how to avoid them

Mar 30, 2022

One lesser-known aspect of non-fungible tokens is their vulnerability to cybercrime. Learn how you can protect yourself and your company from the potential risks of NFTs.

 

Non-fungible tokens (NFT) are a trendy topic in the blockchain world, but they’ve reached a wider audience and are gaining popularity with individuals and corporations, too. Unfortunately, NFTs are a tempting target for cybercriminals. How can attackers benefit from NFTs and what measures can you take to avoid becoming a victim? Read on to find out.

What are NFTs?

Non-fungible tokens are data existing in a blockchain that can be sold or traded. This data can be associated to photos, videos, documents or any other kind of file you might think of.

Each NFT is unique, and one of the main reasons for owning it is that it guarantees the authenticity and uniqueness of the file it relates to. In other words, a proof of ownership. NFTs can be bought or traded on various dedicated marketplaces.

While it might sound like an incredible opportunity to be able to sell a GIF file for hundreds of dollars, “minting” (the word used for creating an NFT in the blockchain) NFTs can involve a significant cost — although that can vary depending on the blockchain used. Also, there may be misconceptions amongst those buying NFTs. A lot of people think they are purchasing the asset itself rather than just the token.

NFTs for business purposes

Companies have started using NFTs for several reasons , in addition to their being “the thing to have” in recent months. Some companies associate NFTs and physical goods. It is possible to sell a real item together with its token, as, for example, Nike has done with sneakers.

NFTs can also be sold by companies to virtual audiences. For instance, clothing companies might create virtual items and sell them in virtual world markets. And NFT creators can benefit from future item sales, as companies can ask for a percentage of future profits and program the functionality into the NFT.

NFTs may help in the fight against counterfeit products, as well. An NFT minted by a company and provided when selling the product guarantees it comes from them and is not a counterfeit.

Finally, supply chain management can make good use of NFTs, as product traceability and origin are a popular use case of blockchain technology.

NFT and cybercrime

Considering the amount of money that has been and is currently being injected into NFTs, it is inevitable that cybercriminals are seeking new ways to make easy money with them.

Fake NFT selling

One of the first ideas occurring to fraudsters with a low knowledge of computers involves taking any item that is not theirs on the internet (e.g., a video or a picture) and selling it on marketplaces by making people believe it is legit.

Account takeover

In March 2021, NFT marketplace Nifty Gateway reported such action against some of their users. Victims claimed they either had their NFT art stolen or NFTs purchased and then stolen using their credit card information. The NFTs were then sold again. These users learned a lesson the hard way: It wouldn’t have happened if they’d activated 2-factor authentication (2FA) on their account.

Private key theft

Like any other cryptographic coin or token, an NFT is controlled by a private key. Depending on the services the NFT owner uses, they might store this private key themselves, or have it stored by an online marketplace they use. In both cases, that private key might be stolen if an attacker manages to compromise the system that stores it. Malware that steals Bitcoin wallets has been around for some time already, as has malware that steals NFTs.

Fake marketplaces

It’s possible for cybercriminals to fully create a website from scratch, put fake NFTs on it, pretend to be a new legitimate marketplace, and hope people will come and buy. Yet the most common scheme consists of building fake websites that are visually an exact copy of a legitimate one ( Figure A ) and use social engineering methods to bring people to it.

 

Figure A

NFT crime figure A
The legitimate Snowbank marketplace and its fake version. Source: Morphisec

Users might be guided to the fake website by email impersonating the legitimate marketplace or be approached on applications like Discord, where it is easy to find NFT-related channels and people. Cybercriminals might also compromise legitimate accounts from the marketplaces and use it to spread links to their fake websites. This has been done against the Fractal NFT marketplace, for example, whose official Discord bot got compromised and started sending a fake link to more than 100,000 users ( Figure B ).

Figure B

NFT crime figure b
Private message in Discord, enticing a user to download a malicious application. Source: Morphisec

Malware

Trojan malware can easily steal data from compromised computers. This may include private keys to NFTs or wallets. Users might get compromised by such malware via phishing campaigns or malicious websites, or through direct messaging in specialized channels.

Recently, security company Morphisec exposed the case of a malware purposed for data theft, which was spread via Discord bots. Those bots were sending private messages to Discord users, pretending to be coming from legitimate NFT communities. The messages invited the users to download a new application from an official-looking website set up by the attackers. The victims, clicking on the link and downloading the malware from what seemed to be a legitimate website, could not tell that something was going wrong. Once the victims were compromised, the attackers could steal data and grab any wallet or private key.

SEE: Quick glossary: Blockchain (TechRepublic Premium)

How can a user or a company safely use NFTs?

There are measures you can take to help protect yourself and your organization, including the following security steps:

  • Always activate 2-factor authentication (2FA) to access NFT marketplaces.
  • If possible, use a hardware wallet rather than just storing your wallet on your computer or phone.
  • If your wallet is stored on your computer or phone, have it stored encrypted, with the passphrase not being written in any file.
  • Do a background check on who you are buying NFTs from. If the user has no reputation or trace on social networks, you might want to reconsider buying from them.
  • Double-check any email or message you get from a supposed legitimate marketplace or its administrator. If there is a link to click, do not click it — go straight to the website without using the link, and find the related information. You might also have the link analyzed first by your IT department to be sure it is not leading to a fake website or a malware.
  • The usual computer security recommendations are still helping: Always have all your software up to date, your systems and servers patched, and have security solutions in place to detect malware and fake URLs.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Security Lapse by Microsoft Employees Exposes Internal Passwords

26 Apr, 2024
In continuation of Microsoft’s series of data security incidents, employees accidentally exposed internal data to the public. The leak exposed an unprotected Azure storage server containing code, scripts, and configuration files. Microsoft has announced that it has fixed a security breach that exposed internal company credentials and files to the open internet. The breach was first discovered by security researchers from cybersecurity firm SOC Radar. According to their report, an internal error resulted in an Azure storage server without password protection being given public access. The exposed data was primarily related to Microsoft’s Bing search engine, including configuration files, code, and scripts that employees used to access a range of internal systems and databases. Consequently, bad actors could identify and access locations for Microsoft's internal data. So far, it has not been made clear how long the data has been exposed. Anuj Mudaliar Assistant Editor - Tech, SWZD opens a new window opens a new window Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.

AT&T experienced data breach that impacted 51 million customers (No one is immune)

26 Apr, 2024
AT&T is notifying 51 million former and current customers, warning them of a data breach that exposed their personal information on a hacking forum. However, the company has still not disclosed how the data was obtained. These notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was offered for sale for $1 million in 2021. When threat actor ShinyHunters first listed the AT&T data for sale in 2021, the company told BleepingComputer that the collection did not belong to them and that their systems had not been breached. Last month, when another threat actor known as 'MajorNelson' leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached. After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts, and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them. While the leak contained information for more than 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers. "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," reads the notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier." BleepingComputer contacted AT&T as to why there is such a large difference in impacted customers and was told that some of the people had multiple accounts in the dataset. "We are sending a communication to each person whose sensitive personal information was included. Some people had more than one account in the dataset, and others did not have sensitive personal information," AT&T told BleepingComputer. The company has still not disclosed how the data was stolen and why it took them almost five years to confirm that it belonged to them and to alert customers. Furthermore, the company told the Maine Attorney General's Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted AT&T about it on March 17th and the information was for sale first in 2021. While it is likely too late, as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed people should move much faster to protect themselves. Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution. For the admitted security lapse and the massive delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S. Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers. However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers. Update 4/10/24: Added statement from AT&T about discrepancy in numbers. BILL TOULAS Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Home Depot Data Compromised Through Third-Party SaaS Misconfiguration

26 Apr, 2024
Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data break due to a third-party SaaS vendor inadvertently exposing a subset of employee data. IntelBroker, the threat actor behind the attack claims it has the information of 10,000 Home Depot employees. A Home Depot software vendor suffered a data breach leading to the compromise of an undisclosed number of employees. IntelBroker, the threat actor behind the attack claims it has the information of 10,000 Home Depot employees. Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data break due to a third-party software vendor inadvertently exposing a subset of employee data. Reportedly, the breach was caused by a misconfigured software-as-a-service (SaaS) application.
More Posts
Share by: