Catches of the Month: Phishing Scams for January 2022

Welcome to the first review of phishing attacks for 2022, in which we explore the latest scams and the tactics that cyber criminals use to trick people into handing over their personal information.

This month, we look at a crypto trader who inadvertently gave a fraudster his JPEG collection, which is apparently worth £1.5 million. We also share a lawsuit involving Facebook – but this time the tech giant is the claimant – and review a phishing attack targeting CoinSpot customers.

NFT trader scammed out of £1.5 million

The concept of NFTs (non-fungible tokens) is so absurd that many people believe the whole thing is simply a scam. People spend money – often tens of thousands of pounds – to own a digital file, such as a photo or video.

But crucially, that doesn’t restrict the public sharing of said file, and in many cases the original creator retains copyright ownership, allowing them to continue to produce and sell copies of their work.

Whether you think the exercise is a waste of money (or perhaps even an ecological issue) or harmless fun, one thing is for sure: NFTs demonstrate the vulnerability of owning digital assets.

This is something an NFT trader learned last month after being scammed out of 16 NFTs that were sold for $2.2 million (about £1.5 million).

Todd Kramer, a New York-based art curator, said he was targeted by a cyber criminal who sent him an email disguised as a contract.

The message appeared to come from a genuine source, but after Kramer provided his credentials, he learned that he’d given an unauthorised person access to his wallet and digital assets.

Kramer’s collection included images from the highly coveted ‘Bored Ape Yacht Club’. The cartoon ape images are the single most valuable franchise of crypto collectibles.

“I been hacked,” Kramer wrote on Twitter. “All my apes gone. This just sold please help me.”

The tweet went viral almost immediately, and although many users were mocking (as you’d expect from Twitter), the volume of traffic caught the attention of the Bored Ape community, which helped Kramer retrieve some of his files.

However, it wasn’t just those opposed to NFTs who lacked sympathy. Even fellow traders questioned Kramer’s decision to not store his collection offline.

As it was, Kramer essentially had JPEGs on his hard drive worth $2.2 million, and if those files were compromised – whether through criminal hacking or physical damage – it would threaten his ownership.

This is what differentiates crypto trading and NFTs from banks or other facilities where you hold assets. Whereas those facilities are required to take steps to protect your assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.

There is little recourse when a crypto wallet is compromised – and in this case, Kramer was fortunate to get some of his assets back.

Facebook, Instagram and WhatsApp users being duped by phishing campaign

Meta, the company formerly known as Facebook, is suing the criminal hackers who have been targeting its users.

The tech giant has filed a federal lawsuit in California that seeks records that would uncover the identities of the attackers.

The fraudsters have created more than 39,000 websites imitating Facebook, WhatsApp and Instagram. Those sites lure people into entering their usernames and passwords, thinking they are logging in to the legitimate sites.

In a statement, Meta’s director of platform enforcement and litigation, Jessica Romero, said that the lawsuit is “one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology”.

She added: “We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur. We proactively block and report instances of abuse to the hosting and security community, domain name registrars, privacy/proxy services, and others. And Meta blocks and shares phishing URLs so other platforms can also block them.”

Crypto exchange CoinSpot targeted by scammers

Users of the cryptocurrency platform CoinSpot are being warned about a phishing campaign that’s designed to steal passwords.

The bogus emails claim that the recipient has withdrawn funds from their account, and ask them to either confirm or cancel the transaction.

No matter which button the recipient clicks, they are taken to a landing page that clones the CoinSpot login page and uses the URL ‘coinspotswap.com’ – adding the word ‘swap’ to the genuine domain.

Users who enter their credentials are then prompted to enter a one-time password as part of the two-factor authentication process. Doing so gives criminals everything they need to access the victim’s legitimate account, and indicates that the scammers are actively monitoring traffic.

Because one-time passwords are typically only valid for a minute or less, attackers must act quickly to enter the necessary credentials.

A similar level of dedication is evident in the attackers’ use of a digital certificate on their website. This gives the site an HTTPS address and the browser padlock icon, which many people mistakenly believe means that the website is genuine.

However, it simply means that traffic between the browser and the site is encrypted, which makes it harder for a third party to intercept. It says nothing about who operates the site.

HTTPS is often associated with genuine sites because scammers usually don’t go to the extra effort of purchasing a digital certificate. The fact that this scam does indicates that the attackers are willing to invest in what they believe to be a lucrative scam.
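The two warning signs in the CoinSpot lure above, a brand name embedded in a domain the brand does not own and an HTTPS padlock that proves nothing about ownership, can be checked mechanically before a link is clicked. The following is an added example written for this article, not code from CoinSpot or from the original post: it takes the links found in an email, classifies each host as legitimate, look-alike or unrelated, and reports (but does not trust) whether the link uses HTTPS. The allowlisted domain `coinspot.com.au` and the sample links are assumptions constructed for the example; substitute your own organisation's domains.

```python
"""Flag look-alike domains in links, regardless of whether they use HTTPS."""
from urllib.parse import urlsplit

# Constructed allowlist for this example: the domains a defender treats as the
# real site. The legitimate CoinSpot domain is an assumption here, not taken
# from the article; substitute your own organisation's list.
LEGITIMATE_DOMAINS = {"coinspot.com.au"}
# Brand names that should never appear in a host outside the allowlist.
BRAND_TOKENS = {"coinspot"}


def registrable_host(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if there is none."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def is_legitimate(host: str, allowlist=LEGITIMATE_DOMAINS) -> bool:
    """True only for an exact allowlisted domain or a subdomain of one.

    The leading dot matters: 'notcoinspot.com.au' must not match.
    """
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify_link(url: str) -> dict:
    """Classify a link as 'legitimate', 'lookalike', 'unrelated' or 'unparseable'.

    A look-alike is any host that contains a protected brand token but is not
    on the allowlist, e.g. 'coinspotswap.com' (brand + 'swap') or
    'coinspot.com.au.login-verify.example' (the real domain used as a
    subdomain of an attacker's domain). The scheme is reported but deliberately
    ignored in the verdict: a valid certificate only proves the connection is
    encrypted, not that the site is genuine.
    """
    host = registrable_host(url)
    scheme = urlsplit(url.strip()).scheme.lower()
    if not host:
        verdict = "unparseable"
    elif is_legitimate(host):
        verdict = "legitimate"
    elif any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"url": url, "host": host, "https": scheme == "https", "verdict": verdict}


def scan_message_links(links):
    """Return the look-alike links found in a list of URLs extracted from a message."""
    return [r for r in map(classify_link, links) if r["verdict"] == "lookalike"]


# Constructed sample links, modelled on the confirm/cancel lure described above.
SAMPLE_LINKS = [
    "https://coinspotswap.com/login?action=confirm",
    "https://coinspotswap.com/login?action=cancel",
    "https://www.coinspot.com.au/",
    "http://coinspot.com.au.login-verify.example/",
    "https://example.org/unrelated",
]

if __name__ == "__main__":
    for result in map(classify_link, SAMPLE_LINKS):
        print(f"{result['verdict']:<11} https={str(result['https']):<5} {result['host']}")
```

Run as a script it prints one verdict per sample link; both confirm and cancel links resolve to the same look-alike host, which is exactly what the article describes. In a mail gateway or a user-facing "check this link" tool, the same `classify_link` verdict can be attached to the message so that the HTTPS padlock never stands in for a domain check.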

Can you spot a scam?

Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.

This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.
