Malicious smart contracts, sleepminting and seed phrases are unfamiliar terms for most people new to the world of non-fungible tokens and cryptocurrencies. This lack of knowledge makes anyone dealing in these things vulnerable to scams. Bad actors are wasting no time in taking advantage of this ignorance via social engineering attacks.
Jaeson Schultz, technical leader for Cisco’s Talos Security Intelligence and Research Group, wrote a new research paper that highlights the many ways to get swindled when buying or minting NFTs. He describes what happens when you mix new technology and social engineering:
“Unfamiliar technology can often lead users into making bad decisions. Web 3.0 is no exception. The vast majority of security incidents affecting Web 3.0 users stem from social engineering attacks.”
The research paper, “Securing Web 3.0, the Metaverse & Beyond,” explains both the bad decisions as well as the social engineering schemes that often have significant financial impact. One of the most vulnerable points in this community is the cryptowallet. Anyone dealing in NFTs and cryptocurrency needs one. Some transactions require owners to allow third parties to interact with the wallet. This leaves many NFT owners vulnerable to bad actors who design malware and social engineering schemes to get control of a wallet and steal the contents.
Schultz explains why managing and securing these wallets is so crucial:
“Increasingly, cryptocurrency wallets are being used for identification and personalization of metaverse content so if you lose your seed phrase you lose control over your identity and all your personal digital belongings.”
His research paper provides a crash course in all the ways this can happen as well as a helpful vocabulary lesson. Here’s a look at the risks in the system and how to avoid scams.
Why seed phrases are important
When a user opens up a wallet, he or she gets a seed phrase that goes with it. This phrase of random words is literally the only key to the kingdom. There is no reset process if the user forgets the phrase or shares it with a bad actor. Many NFT companies use Discord as the main way of communicating with buyers. This makes it easy for scammers to pose as a customer service agent and offer to help as long as the person provides the seed phrase for his or her wallet.
Sleepminting is malware for smart contracts
Another scam uses the old tactic of malware in the new delivery vehicle of smart contracts. Malicious smart contracts have all the components of normal contracts, but they behave in unexpected ways, namely to benefit the bad actor instead of the buyer. Schultz describes sleepminting, a tactic in which a smart contract is designed to carry out a two-step scam:
- Mint NFTs to other people’s wallets
- Transfer the minted NFTs out of those wallets so they can be sold to an unsuspecting buyer.
This is how the manipulation works:
“While the attacker cannot control the crypto address used to transmit the transaction to the Ethereum network, they *do* control the contents of the data about the NFT minted via their own malicious smart contract. In this example, in the Tokens Transferred section, the attacker has set the Tokens Transferred From and To addresses themselves.”
The smart contract that is supposed to make the transaction transparent and trackable actually allows the bad actor to forge the provenance of an NFT on the Ethereum blockchain.
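The forged provenance described above leaves a trace that a defender can check: a contract may emit any Transfer event it likes, but the chain still records who actually signed and invoked the transaction. The following script is an added example (not code from the Talos paper or from any project) that cross-checks each ERC-721 Transfer event's claimed `from` address against the account that invoked the token contract and the approvals that owner has granted, and tags the mint-then-move pattern as a sleepmint. All addresses, events and approvals are constructed samples; the `caller` field is assumed to come from a transaction call trace, since receipts alone do not record which address called the token contract.

```python
"""Heuristic audit for "sleepminted" ERC-721 transfers.

A contract can emit any Transfer(from, to, tokenId) event it likes; the chain
only proves who signed the transaction, not that `from` consented. This audit
cross-checks each event's claimed `from` against the account that actually
invoked the token contract and the approvals that owner has granted.

All addresses and events below are constructed samples, not real chain data.
"""
from __future__ import annotations

from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20  # ERC-721 uses the zero address as `from` for mints


@dataclass(frozen=True)
class TransferEvent:
    tx_hash: str
    tx_sender: str  # account that signed the transaction (from the receipt)
    caller: str     # msg.sender as seen by the token contract (assumed from a call trace):
                    # equals tx_sender for a direct call, or a marketplace contract
                    # acting as an approved operator
    contract: str   # ERC-721 contract that emitted the event
    frm: str        # claimed previous owner
    to: str         # claimed new owner
    token_id: int


def _norm(addr: str) -> str:
    return addr.lower()


def is_authorized(ev: TransferEvent, approvals: dict[str, set[str]]) -> bool:
    """ERC-721 semantics: a non-mint transfer must be initiated by the owner or by
    an address the owner approved via approve()/setApprovalForAll()."""
    frm, caller = _norm(ev.frm), _norm(ev.caller)
    if frm == ZERO_ADDRESS:
        return True  # a mint creates the token; nothing is taken from an existing owner
    if caller == frm:
        return True
    approved = {_norm(k): {_norm(a) for a in v} for k, v in approvals.items()}
    return caller in approved.get(frm, set())


def audit_transfers(events: list[TransferEvent], approvals: dict[str, set[str]]) -> list[dict]:
    """Walk events in on-chain order and report every transfer the claimed owner never
    authorized. A finding is tagged "sleepmint" when the token was first minted *into*
    that owner's wallet, i.e. the two-step pattern the article describes."""
    minted_to: set[tuple[str, int, str]] = set()
    findings: list[dict] = []
    for ev in events:
        key = (_norm(ev.contract), ev.token_id)
        if _norm(ev.frm) == ZERO_ADDRESS:
            minted_to.add(key + (_norm(ev.to),))
            continue
        if is_authorized(ev, approvals):
            continue
        pattern = "sleepmint" if key + (_norm(ev.frm),) in minted_to else "unauthorized-transfer"
        findings.append({
            "pattern": pattern,
            "contract": ev.contract,
            "token_id": ev.token_id,
            "claimed_from": ev.frm,
            "actual_caller": ev.caller,
            "tx_sender": ev.tx_sender,
            "tx_hash": ev.tx_hash,
        })
    return findings


# Constructed placeholder addresses (not real accounts or contracts)
ARTIST = "0x" + "11" * 20         # well-known creator's wallet the scam impersonates
ATTACKER = "0x" + "22" * 20       # scammer's externally owned account
BUYER = "0x" + "33" * 20          # ordinary buyer
MARKET = "0x" + "44" * 20         # marketplace contract the artist approved as operator
BAD_CONTRACT = "0x" + "55" * 20   # the attacker's malicious ERC-721 contract
GOOD_CONTRACT = "0x" + "66" * 20  # a well-behaved ERC-721 contract

SAMPLE_EVENTS = [
    # Step 1: attacker's contract "mints" token 1 straight into the artist's wallet.
    TransferEvent("0xtx1", ATTACKER, ATTACKER, BAD_CONTRACT, ZERO_ADDRESS, ARTIST, 1),
    # Step 2, same transaction: the contract emits a transfer *from* the artist to the
    # attacker, although the artist never signed or approved anything.
    TransferEvent("0xtx1", ATTACKER, ATTACKER, BAD_CONTRACT, ARTIST, ATTACKER, 1),
    # Legitimate marketplace sale for comparison: the buyer signs, and the approved
    # marketplace contract moves token 7 out of the artist's wallet.
    TransferEvent("0xtx2", BUYER, MARKET, GOOD_CONTRACT, ARTIST, BUYER, 7),
    # Unauthorized move that is not a sleepmint: token 9 was never minted into BUYER here.
    TransferEvent("0xtx3", ATTACKER, ATTACKER, GOOD_CONTRACT, BUYER, ATTACKER, 9),
]
SAMPLE_APPROVALS = {ARTIST: {MARKET}}

if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_EVENTS, SAMPLE_APPROVALS):
        print(finding)
```

Run against real data, the events would come from `eth_getLogs` filtered on the ERC-721 Transfer topic and the `caller` from a debug trace; the point of the heuristic is that a block explorer's "minted by" and "transferred from" columns are only as honest as the contract that emitted them, so provenance should be checked against who signed, not against what the event claims.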
It’s DNS without ICANN
As NFTs and cryptocurrency become more mainstream, you’d expect some guard rails to pop up to protect against bad actors. The Ethereum Name Service is a start toward that kind of protection but it has its flaws too.
Ethereum wallet addresses are strings of 42 characters that look like serial numbers and are equally difficult to remember. Ethereum Name Service makes these addresses easier to remember and identify–just like DNS–but the service doesn’t have the same built-in protections. For example, ICANN–a centralized non-profit–has an established procedure for resolving domain name disputes. ENS doesn’t provide that service. Also, once an individual or organization claims an ENS name and places it on the blockchain, it can’t be revoked, regardless of whether the person claiming the name actually represents the company. As Schultz writes:
“It may come as no surprise that ENS domains such as cisco.eth, wellsfargo.eth, foxnews.eth and so on are not actually owned by the respective companies who possess these trademarks, but rather they are owned by third parties who registered these names early on with unknown intentions. … Nothing prevents the owner of the ENS domain wellsfargo.eth from using that name to trick unsuspecting users into believing that they are dealing with the real bank.”
The ease-of-use benefit of ENS also has a downside:
“The use of ENS domain names also has the effect of advertising the cryptocurrency balance the owner carries in their wallet, their NFT holdings, etc. A cybercriminal hoping to maximize their returns would naturally choose to target those users with the largest balances.”
There’s already a public list of the most followed Twitter accounts with .eth names.
Best practices for NFT buyers
Schultz recommends following these best practices to avoid getting ripped off when dealing in crypto wallets, NFTs and virtual worlds:
- Use good security fundamentals: solid passwords, multi-factor authentication, a password manager, network segmentation, and network activity logs.
- Examine Internet, ENS domain and crypto wallet addresses for cleverly hidden typos and never click on links that are presented to you unsolicited via social media or email.
- Never give your seed phrase to anyone.
- Use a hardware wallet to add another layer of security to your cryptocurrency/NFT holdings.
- Research your purchases and look for the source code of a smart contract before buying anything.
- Make sure you are buying from the correct project on the correct blockchain.
- Consider using a freshly generated wallet address holding just enough funds to cover the cost of a new purchase, if you have to connect a cryptocurrency wallet to purchase or mint an NFT.
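The ENS section above and the best-practice item about examining ENS and wallet addresses for cleverly hidden typos call for the same kind of check, so one added example (not code from the Talos paper or from ENS) covers both: before paying, a name is compared against a personal allowlist of names the user has verified before, with digit-for-letter swaps, Cyrillic lookalikes and one-letter typos folded away, and the address the name resolves to today is compared with the address pinned at verification time, since an ENS owner can change that record at any time. The allowlist, names and addresses are constructed samples, and the character folding is a deliberately small subset of Unicode confusables, not ENS's own name normalization.

```python
"""Screen an ENS name, and the address it resolves to, against a personal allowlist.

Constructed example: the allowlist, names and addresses below are samples, and the
confusable-character table is a small illustrative subset, not ENS normalization.
"""
import re
import unicodedata

# Characters commonly swapped for ASCII letters in lookalike names (constructed subset)
CONFUSABLES = {
    "0": "o", "1": "l", "\u0131": "i",            # digits and dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0455": "s",  # Cyrillic er, es, dze
    "\u0456": "i",                                # Cyrillic i
}
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Names the user verified once, each pinned to the address it resolved to at that time
ALLOWLIST = {
    "examplegallery.eth": "0x" + "ab" * 20,  # constructed
    "exampleartist.eth": "0x" + "cd" * 20,   # constructed
}


def skeleton(name: str) -> str:
    """Comparison form: NFKC-normalize, lowercase, drop the .eth suffix, fold lookalike
    characters onto the letters they imitate, then merge the classic 'rn'/'vv' pairs."""
    s = unicodedata.normalize("NFKC", name).lower()
    if s.endswith(".eth"):
        s = s[:-4]
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit covers a dropped, added or substituted letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(candidate: str, allowlist: dict[str, str] = ALLOWLIST) -> dict:
    """'known' = exact allowlist entry; 'lookalike' = folds to, or is one edit away from,
    a verified name; 'unknown' = no relation to anything the user has verified."""
    cand = unicodedata.normalize("NFKC", candidate).lower()
    if cand in allowlist:
        return {"verdict": "known", "matches": cand}
    sk = skeleton(cand)
    for known in allowlist:
        if levenshtein(sk, skeleton(known)) <= 1:
            return {"verdict": "lookalike", "matches": known}
    return {"verdict": "unknown", "matches": None}


def check_resolution(name: str, resolved: str, allowlist: dict[str, str] = ALLOWLIST) -> str:
    """Compare the address ENS resolves to *today* with the one pinned at verification time.
    Compare all 42 characters; never eyeball just the first and last few."""
    if not ADDRESS_RE.match(resolved):
        return "malformed-address"
    pinned = allowlist.get(unicodedata.normalize("NFKC", name).lower())
    if pinned is None:
        return "not-pinned"
    return "match" if pinned.lower() == resolved.lower() else "MISMATCH"


if __name__ == "__main__":
    for n in ["ExampleGallery.eth", "exarnplegallery.eth", "examp1egallery.eth",
              "\u0435xamplegallery.eth", "examplegalery.eth", "somethingelse.eth"]:
        print(n, check_name(n))
    print(check_resolution("examplegallery.eth", "0x" + "AB" * 20))
    print(check_resolution("examplegallery.eth", "0x" + "cd" * 20))
```

A "lookalike" verdict is the one to stop on: the name is close enough to something you trust that the resemblance is probably the point. A "match" on the resolution check only says the record has not changed since you verified it, which is why the address is pinned at verification time rather than looked up fresh and trusted.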