This credential phishing attack features an impersonation of OpenSea, a popular cryptocurrency and NFT platform. The attacker first compromises an account on the domain “gestionagroganadera[.]com,” an older domain that legacy security tools will likely trust due to its age. The email states that an offer has been made on one of the target’s NFTs and directs the target to click on a link to see their active listings on OpenSea. To appear more legitimate, the attacker creates a fake OpenSea landing page that, at first glance, resembles the authentic website. On the phishing page is a “Connect Wallet” button. If the target clicks that button, a pop-up with a QR code appears, ostensibly offering the target the ability to connect their existing MetaMask, Trust Wallet, or other cryptocurrency wallet. Since the entire landing page and all associated links are malicious, sensitive information, including login credentials, cryptocurrency keys, and funds, is at risk if the target interacts.

Older, legacy email security tools struggle to flag this email as an attack because it was sent from a 20-year-old domain, does not include malicious executable attachments, and relies on social engineering. Modern, AI-powered email security solutions identify the unknown sender, detect the social engineering techniques, and analyze the link in the email to accurately identify it as an attack.

Dec15 Screenshot 1
Dec15 Screenshot 2

The link in the email leads to a fake OpenSea landing page.

Dec15 Screenshot 3

If the target clicks “Connect Wallet” on the landing page, their funds or other sensitive information is at risk of being stolen.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sender Reputation: The email comes from the domain "gestionagroganadera[.]com," registered for 20 years. Legacy systems often trust older domains, which attackers can exploit.
  • Lack of Malicious Attachments: The email does not contain any attachments. Legacy systems often scan attachments for known malicious files, but this email would bypass such checks.
  • Social Engineering: The email uses social engineering tactics, pretending to be from the "OpenSea Team" and mentioning a new offer on a listing. Legacy systems often struggle to detect these types of human-focused attacks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: The email is from a sender the company has never received email from before. Abnormal tracks sender behavior over time and flags unfamiliar senders as potentially suspicious.
  • Social Engineering Detection: Abnormal detects social engineering tactics. The email pretends to be from the "OpenSea Team" and mentions a new offer on a listing, which could be an attempt to trick the recipient into clicking the link.
  • Link Analysis: The email contains a link. Abnormal analyzes the link for potential threats, even if it's not a known malicious link.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
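As an added illustration, not Abnormal's code or its actual detection logic, the following Python scores a constructed message modelled on this lure using the three indicators listed above (unknown sender, brand impersonation, link analysis); the brand domain list, the known-sender set, the lure phrases and the verdict thresholds are assumptions, and domain age is deliberately not an input.

```python
import re
from urllib.parse import urlparse

# Assumed: domains the impersonated brand legitimately sends from and links to.
BRAND_DOMAINS = {"opensea": {"opensea.io"}}
# Assumed: phrases typical of the "new offer on your listing" pretext.
LURE_PHRASES = ("new offer", "active listings", "connect wallet")

# Constructed sample modelled on the lure described above; not a real message.
SAMPLE_EMAIL = {
    "from_name": "OpenSea Team",
    "from_domain": "gestionagroganadera.com",
    "subject": "New offer on your listing",
    "body": "An offer was made on your NFT. View your active listings here: "
            "https://opensea-listings.example/connect",
}

def host_matches(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def score_email(msg, known_senders):
    """Return (verdict, reasons). Domain age is intentionally ignored: a
    20-year-old compromised domain is exactly what defeats reputation checks."""
    reasons = []
    sender = msg["from_domain"].lower()
    # 1. Unknown sender: no prior mail history with this domain.
    if sender not in known_senders:
        reasons.append("unknown-sender")
    # 2. Brand impersonation: brand named in the header, sender not a brand domain.
    header_text = f'{msg["from_name"]} {msg["subject"]}'.lower()
    claimed = [b for b, d in BRAND_DOMAINS.items() if b in header_text]
    for brand in claimed:
        if not host_matches(sender, BRAND_DOMAINS[brand]):
            reasons.append(f"brand-impersonation:{brand}")
    # 3. Link analysis: a brand-themed mail whose links leave the brand's domains.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if claimed and not any(host_matches(host, BRAND_DOMAINS[b]) for b in claimed):
            reasons.append(f"off-brand-link:{host}")
    # 4. Social engineering pretext: lure phrases in subject or body.
    text = header_text + " " + msg["body"].lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure-phrases:" + ",".join(hits))
    verdict = "block" if len(reasons) >= 3 else ("review" if reasons else "deliver")
    return verdict, reasons

if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL, known_senders={"partner.example"}))
```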

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account
Theme: Cryptocurrency
Impersonated Party: Brand
Impersonated Brands: OpenSea
