
Hackers hijacked the OpenSea Discord with a fake YouTube NFT scam

Around 4:30AM ET on Friday, the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks.

In this case, a bot made a fake announcement about OpenSea partnering with YouTube, enticing users to click on a “YouTube Genesis Mint Pass” link to snag one of 100 free NFTs with “insane utility” before they’d be gone forever, and followed it with a few more messages. Blockchain security tracking company PeckShield tagged the URL the attackers linked, “youtubenft[.]art,” as a phishing site; the site is now unavailable.

While the messages and phishing site are already gone, one person who said they lost NFTs in the incident pointed to this address on the blockchain as belonging to the attacker, so we can see more information about what happened next. While that identity has been blocked on OpenSea’s site, viewing it via Etherscan.io or a competing NFT marketplace, Rarible, shows 13 NFTs were transferred to it from five sources around the time of the attack. They’re now also reported on OpenSea for “suspicious activity” and, based on their prices when last sold, appear to be worth a little over $18,000.

The phishing message, as seen on Discord.
Image: Richard Lawler / Discord

A screenshot of the thief’s haul as seen on Rarible.
Image: Richard Lawler / Rarible.com

This kind of intermediary attack in which scammers exploit NFT traders who are looking to capitalize on “airdrops” has become common for prominent Web3 organizations. It’s common for announcements to appear out of the blue, and the nature of the blockchain may give some users reasons to click first and consider the consequences later.

Beyond the desire to snag rare items, there’s the knowledge that waiting can make minting your NFT amid a rush much slower, more expensive, or even impossible (if you run out of funds during the process). If users have left any items or cryptocurrency in a hot wallet that’s connected to the internet, then coughing up login details to a phisher could give them away in seconds.

In a statement to The Verge, OpenSea spokesperson Allie Mack confirmed the incident, saying, “Last night, an attacker was able to post malicious links in several of our Discord channels. We noticed the malicious links soon after they were posted and took immediate steps to remedy the situation, including removing the malicious bots and accounts. We also alerted our community via our Twitter support channel to not click any links in our Discord. We have not seen any new malicious posts since 4:30am ET.”

“We continue to actively investigate this attack, and will keep our community apprised of any relevant new information. Our preliminary analysis indicates that the attack had limited impact. We are currently aware of fewer than 10 impacted wallets and stolen items amounting to less than 10 ETH,” says Mack.

OpenSea has not made a statement about how the channel was hacked, but as we explained in December, one entry point for this style of attack is the webhooks feature that organizations often use to control the bots that post in their channels. If a hacker gains access to a webhook or compromises the account of someone authorized to use it, they can send a message and/or URL that appears to come from an official source.
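One way a server's moderation tooling can limit this risk is to vet every link in bot or webhook posts against an allowlist. The sketch below is an added example, not OpenSea's or Discord's code; it assumes message dicts shaped like Discord's message object (`webhook_id`, `author.bot`, `content`), and the allowlist, domains and sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domains this community links to in announcements.
ALLOWED_DOMAINS = {"opensea.io", "twitter.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def link_hosts(content):
    """Hostnames of every http(s) URL in a message body, lower-cased."""
    hosts = []
    for url in URL_RE.findall(content):
        try:
            host = urlsplit(url.rstrip(".,!?;:")).hostname
        except ValueError:  # malformed URL: keep the raw text so it is flagged
            host = url
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts

def is_allowed(host):
    """Exact match or true subdomain; 'opensea.io.mint-pass.example' fails."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def review(message):
    """Off-allowlist hosts in a message posted by a webhook or bot account."""
    author = message.get("author", {})
    if not (message.get("webhook_id") or author.get("bot", False)):
        return []
    return [h for h in link_hosts(message.get("content", "")) if not is_allowed(h)]

# Constructed sample messages (not taken from the incident).
SAMPLE_MESSAGES = [
    {"webhook_id": "1001", "author": {"bot": True},
     "content": "@everyone Genesis Mint Pass, 100 free: https://mint-pass.example/claim"},
    {"webhook_id": "1001", "author": {"bot": True},
     "content": "Status update: https://support.opensea.io/status."},
    {"webhook_id": "1001", "author": {"bot": True},
     "content": "https://opensea.io.mint-pass.example/ https://opensea.io@mint-pass.example/"},
    {"author": {"bot": False}, "content": "is https://mint-pass.example/claim legit?"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(review(msg) or "ok", "<-", msg["content"][:50])
```

The third sample shows why the comparison is done on the parsed hostname: a lookalike prefix or a `user@host` URL both resolve to the attacker's domain, not the allowlisted one.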

Recent attacks have included one that stole $800k worth of the blockchain trinkets from the “Rare Bears” Discord, and the Bored Ape Yacht Club announced its channel had been compromised on April 1st. On April 25th, the BAYC Instagram served as a conduit for a similar heist that snagged more than $1 million worth of NFTs just by sending out a phishing link.



Repost: Original Source and Author Link


Perl.com domain for programming language hijacked, tied to malware actors

Those who follow the geekier side of the tech industry will probably be familiar with the many programming languages behind the world’s most popular software. There’s Java, which is used for Android; C# from Microsoft; and C and C++, which underlie many high-performance applications, from servers to games to those that control rockets and satellites. When it comes to the Web and the invisible layers of the Internet, however, the venerable Perl has been one of the languages of choice, and it has now experienced a rather major setback that could put many of its users at risk from hackers.

Despite its history and lineage, Perl has become less popular in recent years, falling behind younger programming languages like Python and Rust. It can’t be denied, however, that many systems still rely on Perl, and its developers swear by the convenience of CPAN, the Comprehensive Perl Archive Network, which has become the blueprint for other languages to follow. Unfortunately, the latter could now become a liability after one of Perl’s domains got hijacked.

Over the weekend, the Perl infrastructure blog, Perl NOC, reported that perl.com was hijacked and no longer points to where it should. Instead of being a site for Perl-related news and articles, it now points to a parking site, but that’s only on the surface. The more worrying discovery is that there are clues it is pointing to IP addresses that have been used to distribute malware in the past.

To be clear, the Perl programming language’s official website, perl.org, remains secure and intact. Perl.com, unfortunately, is also used as a mirror or backup for distributing modules via CPAN. In other words, there is a risk that hijackers could take advantage of this connection to compromise systems using Perl and CPAN.

Work is already being done to reclaim the domain though there is no estimated time yet when everything will be returned to normal. In the meantime, it is strongly advised not to visit perl.com and to remove it from CPAN settings.
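To act on that advice, the mirror list to check is the `urllist` setting in the CPAN.pm configuration (typically `MyConfig.pm`). The script below is an added example, not from Perl NOC or the CPAN.pm project; the sample config is constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

HIJACKED = "perl.com"  # domain named in the article

# Constructed sample in the style CPAN.pm writes to MyConfig.pm.
SAMPLE_CONFIG = """
$CPAN::Config = {
  'build_dir' => q[/home/user/.cpan/build],
  'urllist' => [
    q[http://www.perl.com/CPAN/],
    q[https://www.cpan.org/],
    "ftp://ftp.perl.com/pub/CPAN/",
  ],
  'yaml_module' => q[YAML],
};
"""

# One list item: q[...], '...' or "...", with an optional trailing comma.
ITEM = re.compile(r"""\s*(?:q\[([^\]]*)\]|'([^']*)'|"([^"]*)")\s*,?""")

def urllist(config_text):
    """Extract the mirror URLs from the 'urllist' array of a CPAN.pm config."""
    start = re.search(r"""['"]?urllist['"]?\s*=>\s*\[""", config_text)
    if not start:
        return []
    urls, pos = [], start.end()
    # q[...] items contain ']' themselves, so walk the items one at a time.
    while (m := ITEM.match(config_text, pos)):
        urls.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return urls

def on_domain(url, domain=HIJACKED):
    """True if the URL's host is the domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(config_text):
    """Return (mirrors to remove, mirrors to keep)."""
    urls = urllist(config_text)
    bad = [u for u in urls if on_domain(u)]
    return bad, [u for u in urls if u not in bad]

if __name__ == "__main__":
    remove, keep = audit(SAMPLE_CONFIG)
    print("remove:", remove)
    print("keep:  ", keep)
```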
