The Rise of Phishing Scams: A Wake-Up Call for Web3 Companies and Users

Phishing has long been one of the most common attacks in cybersecurity, and most users know to be wary of suspicious links and unfamiliar emails. Recently, however, there has been a sharp rise in phishing campaigns aimed at web3 companies and their users. On January 23, users of Wallet Connect and several other web3 companies learned of a sophisticated phishing campaign in which the attackers sent mail from the companies' own legitimate sending addresses, a detail that defeated the usual "check the sender" advice, to lure victims to sites that drained their crypto wallets. This article examines the incident and what it means for web3 companies and their users.

Wallet Connect, a prominent player in the web3 space, was quick to warn its community about an unauthorized email sent from a Wallet Connect-linked address. The email promised recipients an airdrop and included a link to claim it; the link led to a malicious website. Wallet Connect stressed that the email had not been sent by its team or anyone affiliated with it, and engaged Blockaid, a web3 security and privacy firm, to investigate.

Shortly after Wallet Connect's announcement, on-chain investigators circulated a community alert showing that other prominent web3 companies, including CoinTelegraph, Token Terminal, and De.Fi, had been hit by the same campaign. By the time the alert went out, the attackers had already stolen approximately $580,000.

Blockaid's investigation traced the emails to MailerLite, a popular email service provider, which the attackers had abused to send mail as these companies. Because MailerLite was an authorised sender for the affected domains, the messages arrived from the companies' real addresses and carried convincing branding. The links in them led to various malicious decentralized applications (dApps) designed to drain visitors' wallets; Blockaid noted that these dApps ran on the infrastructure of the Angel Drainer group.

Blockaid clarified that the attackers capitalized on trust the companies had previously extended to MailerLite. To let an email service provider send on your behalf, you typically add DNS records that delegate mail authority to it (SPF includes, DKIM and tracking-domain CNAMEs). These companies had done so in the past, and the records remained in place after the companies closed their MailerLite accounts, leaving "dangling DNS" delegations. That oversight let anyone with access to MailerLite's sending infrastructure claim those domains and send authenticated mail as the companies. The practitioner's takeaway is that SPF, DKIM and DMARC only prove that an authorised provider sent the message, not that your organisation did; offboarding a vendor is not complete until the DNS delegations are removed.
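The dangling-delegation problem above is easy to audit from a zone export. The following example is added to this article and is not code from Blockaid, MailerLite or any of the companies involved; the sample zone is constructed, and the provider hostnames used as fingerprints (for example `mlsend.com`) are assumptions that you should replace with the values from your own vendors' setup documentation. It flags every CNAME or SPF `include:` that still delegates to a provider not in your current vendor inventory.

```python
"""
Audit a DNS zone for mail delegations to providers the organisation no longer uses.
Example code added to this article (not MailerLite's, Blockaid's, or any victim's).
The zone below is constructed; PROVIDER_FINGERPRINTS values are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed fingerprints: domain suffixes that identify a provider in a CNAME
# target or an SPF include. Replace with your vendors' documented hostnames.
PROVIDER_FINGERPRINTS = {
    "mailerlite": ("mailerlite.com", "mlsend.com"),
    "sendgrid": ("sendgrid.net",),
    "mailgun": ("mailgun.org",),
}

Record = Tuple[str, str, str]  # (owner name, record type, value)


@dataclass(frozen=True)
class Finding:
    name: str      # DNS owner name carrying the delegation
    rtype: str     # "CNAME" or "SPF"
    provider: str  # provider the record still delegates to
    reason: str    # human-readable explanation


def _provider_for(target: str) -> Optional[str]:
    """Map a hostname (trailing dot tolerated) to a known provider, or None."""
    host = target.lower().rstrip(".")
    for provider, suffixes in PROVIDER_FINGERPRINTS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return provider
    return None


def spf_includes(txt: str) -> List[str]:
    """Return the include: targets of an SPF TXT record (empty if not SPF)."""
    if not txt.lower().startswith("v=spf1"):
        return []
    return [tok.split(":", 1)[1] for tok in txt.split()
            if tok.lower().startswith("include:")]


def audit_zone(records: Iterable[Record], active_providers: Set[str]) -> List[Finding]:
    """Flag CNAME/SPF delegations to providers that are no longer in use.

    A leftover include or CNAME means mail sent through that provider still
    passes SPF/DKIM for this domain, so DMARC will not stop it either: the
    only fix is to remove the record.
    """
    findings: List[Finding] = []
    for name, rtype, value in records:
        if rtype.upper() == "CNAME":
            provider = _provider_for(value)
            if provider and provider not in active_providers:
                findings.append(Finding(name, "CNAME", provider,
                                        f"CNAME still points at {value}"))
        elif rtype.upper() == "TXT":
            for inc in spf_includes(value):
                provider = _provider_for(inc)
                if provider and provider not in active_providers:
                    findings.append(Finding(name, "SPF", provider,
                                            f"include:{inc} still authorises "
                                            f"{provider} to send as {name}"))
    return findings


# Constructed sample zone: the organisation moved from MailerLite to Mailgun
# but never cleaned up the old delegations. Hostnames are illustrative.
SAMPLE_ZONE: List[Record] = [
    ("example.com", "TXT",
     "v=spf1 include:_spf.google.com include:_spf.mlsend.com ~all"),
    ("ml._domainkey.example.com", "CNAME", "dkim.mlsend.com."),
    ("mail.example.com", "CNAME", "mailgun.org."),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
]
ACTIVE_PROVIDERS = {"mailgun"}  # what procurement says is currently in use


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, ACTIVE_PROVIDERS):
        print(f"[{f.rtype}] {f.name}: dangling delegation to {f.provider} ({f.reason})")
```

Run it against a real zone by replacing `SAMPLE_ZONE` with the output of your DNS provider's export (or `dig` over the names you care about) and `ACTIVE_PROVIDERS` with the vendor list from procurement; every finding is a record that a compromised or re-registered provider account could use to send authenticated mail as you. Google's include is left unflagged here only because it is not in the fingerprint table, so keep that table in step with every sender you have ever onboarded.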

The story took an important turn when MailerLite provided its own explanation by email. According to MailerLite, the initial compromise occurred when a member of its customer support team clicked on an image that linked to a fraudulent Google sign-in page and entered their credentials there, handing the attackers a valid login.

To make matters worse, the team member then approved the attackers' login through a mobile phone verification prompt, believing it to be their own sign-in. This is the standard weakness of push- and code-based second factors: a phishing page that relays the login in real time also triggers a genuine-looking prompt, whereas phishing-resistant methods such as FIDO2 security keys or passkeys are bound to the legitimate site and cannot be replayed from a lookalike domain. With both factors in hand, the attackers reached MailerLite's internal admin panel, reset the password of a specific user account, and thereby gained control of 117 customer accounts. They concentrated on the cryptocurrency-related ones for the phishing campaign.

An anonymous Reddit user published a detailed analysis of the attackers' transactions, giving a sense of the scale of the damage. According to that analysis, one victim lost approximately 2.64 million XB Tokens, a significant portion of the stolen funds was traced to the first phishing address, and around $520,000 worth of ETH was sent to the privacy protocol Railgun. The Reddit user expected the funds to be moved on through another mixer or exchange, underlining the need for ongoing monitoring and preventive measures.

The rise of phishing campaigns targeting web3 companies is a worrying trend for companies and users alike. This incident is a wake-up call on two fronts: a single phished support credential at a third-party provider, combined with DNS delegations that outlived the vendor relationship, was enough to send authenticated mail from trusted brands. It reinforces the need for phishing-resistant authentication, disciplined vendor offboarding, and user education that treats even mail from a familiar address with suspicion when it asks for a wallet interaction. As web3 continues to grow, proactive effort is required to stay one step ahead of attackers and protect both companies and users in the decentralized ecosystem.
