In this phishing attack, cybercriminals use a spoofed email address to impersonate OpenSea, a popular NFT marketplace, and deceive recipients with a fraudulent item sale notification. The email, titled "Congratulations, your item sold!", claims that the recipient has successfully sold an item for 0.7 WETH, approximately $1,200 USD. To entice the recipient to check their recent activity, the email provides a link, "https://login-opensea.servebbs[.]net", which allegedly leads to the details of the sale. Clicking the link instead directs the recipient to a phishing site designed to steal sensitive information, such as login credentials and financial details. To appear legitimate, the email uses professional language, OpenSea branding, and recognizable social media icons, creating an atmosphere of authenticity and urgency. By leveraging the context of a successful transaction and trusted OpenSea branding, the attacker manipulates the recipient into engaging with the phishing site, potentially compromising their security.

Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a spoofed email address, employs sophisticated social engineering tactics, and lacks obviously malicious attachments. Modern, AI-powered email security solutions analyze suspicious links, flag that the sender is unknown, and recognize the sender name does not match the domain to correctly identify the email as an attack.


Malicious email claims that an NFT has sold in a cryptocurrency transaction on the digital marketplace, OpenSea

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
  • Social Engineering Tactics: The email claims that an item has been sold and requires immediate viewing, creating a sense of urgency and prompting immediate action.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Link Analysis: The presence of a link that leads to a suspicious domain is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
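The three signals listed above can be checked mechanically. The following is an added example, not Abnormal's code or detection logic: it parses a constructed message modelled on the OpenSea lure, compares the display name against an assumed allowlist of the brand's real domains, checks the sender against a communication history, and flags link hosts that borrow the brand name under a different registrable domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above (not a real capture).
SAMPLE_EMAIL = """\
From: OpenSea <notifications@mail-opensea-alerts.example>
To: collector@example.org
Subject: Congratulations, your item sold!
Content-Type: text/html

<p>Your item sold for 0.7 WETH.</p>
<a href="https://login-opensea.servebbs.net/activity">View recent activity</a>
"""

# Domains each impersonated brand really sends from and links to (assumed allowlist).
BRAND_DOMAINS = {"opensea": {"opensea.io"}}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)


def registrable(host):
    """Crude eTLD+1: fine for .net/.io/.example, not for multi-label suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_in(text):
    """Return the first allowlisted brand name that appears in the text, if any."""
    text = text.lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def analyze(raw, known_senders):
    """Return the indicators fired by the three signals listed on the page."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = []
    # 1. Display name claims a brand, but the sending domain is not that brand's.
    brand = brand_in(display_name)
    if brand and registrable(sender_domain) not in BRAND_DOMAINS[brand]:
        findings.append("sender name/domain mismatch")
    # 2. No prior communication history with this sender address.
    if addr.lower() not in known_senders:
        findings.append("unknown sender")
    # 3. A link host borrows the brand name but sits under another domain.
    for url in HREF_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        b = brand_in(host)
        if b and registrable(host) not in BRAND_DOMAINS[b]:
            findings.append("look-alike link host: " + host)
    return findings
```

Run on the sample with an empty sender history, all three indicators fire; the same message sent from opensea.io by a known sender, with an opensea.io link, returns no findings.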

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Look-alike Domain, Spoofed Display Name, Masked Phishing Link
Theme: Cryptocurrency, Fake Payment
Impersonated Party: Brand
Impersonated Brands: OpenSea
