Cybercriminals Use Look-Alike Domain to Impersonate NFT Marketplace OpenSea and Steal Sensitive Information
In this phishing attack, cybercriminals use a lookalike domain "claimtoken-opensea[.]com" to impersonate OpenSea, a popular NFT marketplace, and deceive recipients into believing they have been selected for an exclusive offer. The email, which uses the subject line "Exclusive $1582 Offer Just for You - OpenSea Chooses You!," informs the recipient that they can claim a significant amount of money by connecting their cryptocurrency wallet to the platform and using a provided token. The email includes a link that purportedly will direct the recipient to the OpenSea platform but actually leads to a phishing site designed to steal sensitive information or gain unauthorized access to the recipient's wallet. The email and the phishing site make extensive use of impersonated OpenSea branding to increase the appearance of legitimacy in the hopes the target will be deceived into providing their login credentials and connecting their cryptocurrency wallet.
Older, legacy email security tools struggle to accurately identify this email as an attack because it uses a lookalike email address, employs sophisticated social engineering tactics, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious links in the message, and recognize the use of a malicious lookalike domain to correctly flag this email as an attack.
Figure: Malicious email impersonating NFT marketplace OpenSea
Figure: Phishing site featuring mimicked OpenSea branding, promoting a fake NFT offer to deceive targets
Figure: Fraudulent prompt to connect the target's cryptocurrency wallet, which would grant the attacker access to all stored funds
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Look-alike Domain: The email is sent from a look-alike domain that resembles the legitimate OpenSea domain, making it difficult for basic domain filters to detect the deception.
- Social Engineering Tactics: The promise of a significant financial reward creates a sense of urgency and prompts immediate action, making recipients less likely to scrutinize the email closely.
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of a link leading to a suspicious domain, triggering deeper analysis for possible malicious intent.
- Look-Alike Domain Detection: The detection of a look-alike domain used in communication is flagged by Abnormal’s systems as a common phishing tactic, prompting deeper analysis.
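To make the look-alike domain and unknown-sender signals listed above concrete, here is an added detection example written for this post; it is not Abnormal's code, and the brand list, the prior-contact history and the sample message are all constructed assumptions. It flags a domain as a look-alike when a protected brand name appears as a whole label token (split on dots, hyphens, digits and underscores) in a host whose registrable domain is not one the brand legitimately uses, which catches "claimtoken-opensea[.]com" while leaving "opensea.io" and its subdomains alone.

```python
import re
from urllib.parse import urlparse

# Constructed assumption: brands we protect and the registrable domains they really use.
PROTECTED_BRANDS = {"opensea": {"opensea.io"}}

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption for this example; a real
    system should use the Public Suffix List to handle e.g. co.uk correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def lookalike_brand(host: str):
    """Return the brand name a host impersonates, or None if it looks clean.

    Tokens come from the full host so 'opensea.io.evil.example' is caught too.
    Whole-token matching avoids flagging words that merely contain the brand
    (e.g. 'openseason'), at the cost of missing misspellings like 'openseaa'.
    """
    tokens = set(re.split(r"[.\-\d_]+", host.lower()))
    reg = registrable_domain(host)
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in tokens and reg not in legit_domains:
            return brand
    return None

def analyze_email(sender: str, urls: list, history: set) -> dict:
    """Combine the three signals from the post: unknown sender, suspicious
    link, look-alike domain. Two or more signals -> 'attack', one -> 'review'."""
    signals = []
    if sender.lower() not in history:          # no prior sender-recipient contact
        signals.append("unknown_sender")
    brand = lookalike_brand(sender.split("@")[-1])
    if brand:
        signals.append(f"lookalike_sender_domain:{brand}")
    for url in urls:                           # links pointing at look-alike hosts
        brand = lookalike_brand(urlparse(url).hostname or "")
        if brand:
            signals.append(f"lookalike_link:{brand}")
    verdict = "attack" if len(signals) >= 2 else ("review" if signals else "allow")
    return {"signals": signals, "verdict": verdict}

# Constructed sample: a known colleague plus the phishing message described in the post.
SAMPLE_HISTORY = {"colleague@example.com"}
SAMPLE_SENDER = "rewards@claimtoken-opensea.com"
SAMPLE_URLS = ["https://claimtoken-opensea.com/claim?token=PLACEHOLDER"]

if __name__ == "__main__":
    print(analyze_email(SAMPLE_SENDER, SAMPLE_URLS, SAMPLE_HISTORY))
```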
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.