OpenSea $1,700,000 Phishing Hack Analysis

Technical Breakdown

The transaction I am going to break down can be found on Etherscan. In order to get a better look at what’s happening behind the scenes, I’ll also use ethtx.info.

Future Prevention

Phishing attacks will be around for as long as there are people who fall for them. To stop these attacks, people need to know more about how they work, how to spot them, and how to report them.

Protecting Users Against Phishing

A wide range of technical approaches are available to prevent phishing attacks reaching users or to prevent them from successfully capturing sensitive information.

Filtering out phishing mail

Specialized spam filters can reduce the number of phishing emails that reach their addressees’ inboxes. These filters use a number of techniques, including machine learning and natural language processing, to classify phishing emails and to reject mail with forged sender addresses. Popular mail services from Google and Microsoft have these features built in; they only need to be enabled. The best practice is to turn them on and automatically apply future recommended settings, which ensures maximum protection for messages and attachments in your mailbox.

  • Links and external images: identify links behind short URLs, scan linked images for malicious content, and display a warning when you click links to untrusted domains.
  • Spoofing and authentication: protection against spoofing of a domain name or of employee names, email pretending to be from your domain, and unauthenticated email from any domain. Unauthenticated emails display a question mark next to the sender’s name. Spoofing protection can be turned on for private groups, or for all groups.

Browsers alerting users to fraudulent websites

Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. One such service is the Safe Browsing service. Web browsers such as Google Chrome, Mozilla Firefox and Safari all contain this type of anti-phishing measure.

Augmenting password logins

The Bank of America website is one of several that asks users to select a personal image and displays this user-selected image with any form that requests a password. Users of the bank’s online services are instructed to enter a password only when they see the image they selected. However, several studies suggest that few users refrain from entering their passwords when the image is absent. In addition, a site image is a mutual-authentication cue rather than a true second factor, and it can be defeated by a man-in-the-middle phishing site that relays the victim’s username to the real bank and shows the genuine image back to the victim.

Transaction verification and signing and Two Factor Authentication

Solutions have also emerged using the mobile phone (smartphone) as a second channel for verification and authorization of banking transactions. Apps like Authy provide a unified facade for all Two Factor Authentication supporting sites.

Limitations of technical responses

An article in Forbes in August 2014 argues that the reason phishing problems persist even after a decade of anti-phishing technologies being sold is that phishing is “a technological medium to exploit human weaknesses” and that technology cannot fully compensate for human weaknesses. As security researcher Dan Guido tweeted shortly after the OpenSea attack:

Spotting Phishing Scams

To spot phishing scams and keep yourself safe, here are a few tips you should follow when reading emails:

  • If an address contains typos, or a domain that’s not associated with the real entity, it’s fake. For example, security@opensea.ml, security@opensea.co and noreply@metamask.com aren’t associated with the real domains, opensea.io and metamask.io.
  • Check whether the email passed sender authentication. Nowadays this matters less, since most spoofed messages are sent to spam automatically, but it is still good practice, because anyone who can submit mail through an SMTP server can put any address in the From: header. To check whether a message was spoofed, open its full headers (in Gmail, “Show original”) and look at the Authentication-Results line: SPF, DKIM and DMARC should all read “pass” for the sender’s domain. Don’t click links without checking where they lead first.
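The two tips above, together with the spoofing-and-authentication bullet under “Filtering out phishing mail”, can be automated. The following is an added example, not code from the original post: it parses a message with Python’s standard email library, compares the sender domain against the real domains named above (opensea.io and metamask.io), reads the SPF/DKIM/DMARC verdicts that the receiving mail server stamps into the Authentication-Results header, and lists links that point outside those domains. The two sample messages, the mx.example.net server name, the sender IP and the legitimate-domain list are constructed for this example.

```python
"""Flag the phishing signs described above in a raw email message.

Added example, not code from the original post. Standard library only.
The legitimate-domain list and both sample messages are constructed
assumptions; a real Authentication-Results header is written by the
receiving mail server, so only trust the one added by your own server.
"""
import email
import email.utils
import re
from email import policy

# Domains the brands in the post actually use (assumed list for the example).
LEGIT_DOMAINS = {"opensea.io", "metamask.io"}

# Constructed sample: lookalike sender domain, failed SPF/DMARC, untrusted links.
SAMPLE_PHISH_RAW = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=opensea.ml;
 dkim=none header.d=opensea.ml;
 dmarc=fail (p=NONE) header.from=opensea.ml
From: OpenSea Security <security@opensea.ml>
To: victim@example.net
Subject: Action required: migrate your listings
Content-Type: text/plain; charset="utf-8"

Please review your listings here: https://bit.ly/3abcdef
or at https://opensea.io.migrate-listings.co/login
"""

# Constructed sample: genuine domain, all three checks pass, on-domain link.
SAMPLE_LEGIT_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=opensea.io;
 dkim=pass header.d=opensea.io;
 dmarc=pass (p=REJECT) header.from=opensea.io
From: OpenSea <noreply@opensea.io>
To: victim@example.net
Subject: Your listing sold
Content-Type: text/plain; charset="utf-8"

See the sale at https://opensea.io/account
"""


def sender_domain(msg):
    """Return the lowercase domain of the From: address ('' if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, legit=LEGIT_DOMAINS):
    """True if domain is not legitimate but reuses a legitimate first label,
    e.g. opensea.ml or opensea.co next to opensea.io."""
    if domain in legit:
        return False
    label = domain.split(".")[0]
    return any(label == d.split(".")[0] for d in legit)


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def suspicious_links(msg, legit=LEGIT_DOMAINS):
    """URLs whose host is neither a legitimate domain nor a subdomain of one.
    A host like opensea.io.migrate-listings.co only *starts* with a real
    domain, so the suffix test correctly rejects it."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    flagged = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not any(host == d or host.endswith("." + d) for d in legit):
            flagged.append(url)
    return flagged


def assess(raw):
    """Run every check; an empty list means no red flags were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    dom = sender_domain(msg)
    if dom not in LEGIT_DOMAINS:
        kind = "lookalike" if is_lookalike(dom) else "unrelated"
        flags.append(f"sender domain {dom} is {kind} (not in {sorted(LEGIT_DOMAINS)})")
    verdicts = auth_results(msg)
    if verdicts["dmarc"] != "pass":
        flags.append(f"DMARC did not pass: {verdicts}")
    for url in suspicious_links(msg):
        flags.append(f"link to untrusted host: {url}")
    return flags


if __name__ == "__main__":
    for raw in (SAMPLE_PHISH_RAW, SAMPLE_LEGIT_RAW):
        print(assess(raw) or ["no red flags"])
```

The domain test is deliberately exact: a message is only trusted when the sender’s domain is one of the known-good domains and DMARC passed for it, which is the same condition the “question mark next to the sender’s name” warning encodes. Treat the DMARC verdict as meaningful only when the Authentication-Results header was written by your own mail server; a phisher can include a forged copy of that header in the message they send.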
