How a Scammer Used a Malicious Bookmark to Gain Access to the Discords of NFT Projects
The blockchain ecosystem is still very much like the wild west; anything is possible in this world. If we want to establish a safe and secure environment for everyone, we must always remain one step ahead of malicious parties.
Our recent publication, The Blockchain Dark Forest Self-help Manual, mentioned the methods behind phishing incidents on the Discord servers of NFT projects.
In this article, we will explain how these incidents were made possible so you can stay vigilant at all times. One method used was to obtain the Discord token of an NFT project's account through a malicious bookmark and then use that token to post phishing links.
Let us begin by examining an incident that occurred on March 14, 2022. According to a tweet by @Serpent, the Wizard Pass NFT project’s Discord server was infiltrated by scammers, and NFTs such as BAYC, Doodles, and Clone X were stolen.
Here’s an explanation by @Sentinewtf:
In the example above, the victim opens discord.com from the official website. Next to it, I clicked on the malicious bookmark “Hello, World!” that I had previously saved. A pop-up statement is executed, and the source of execution shows discord.com.
There is a concept of origin here. Browsers enforce protection policies such as the same-origin policy: code that does not originate from discord.com should not be able to act on pages of discord.com. Bookmarks do not follow this rule, because a javascript: bookmark runs in the context of whatever page is currently open.
It is foreseeable that such a small feature as bookmarks hides security issues. When a bookmark is added the normal way, its URL is shown in plain sight.
A slightly security-conscious reader can tell that there is something obviously wrong with that URL.
What if, instead, it is a well-constructed page that asks you to drag a link from the page onto the bookmarks bar? You can see from the demo video that the Twitter link asks the user to do exactly this: "Drag this to your bookmarked".
Now the user only has to drag a link to add it to the bookmarks bar, without ever reviewing its URL. As long as the phishing page is written well enough, users with little technical knowledge can easily be tricked.
To implement drag-and-drop into the bookmarks bar, all that is needed is an <a> tag. The following is sample code:
When clicked, a javascript: bookmark runs in the context of the current page, much like code pasted into the developer tools console, and it is not subject to the page's CSP (Content Security Policy).
Let's first compare two browsers, Google Chrome and Firefox.
Using Google Chrome, dragging and dropping a normal URL link onto the bookmarks bar produces no editing prompt.
Using Google Chrome, dragging and dropping a malicious link also produces no editing prompt.
Using Firefox, adding a normal link produces no prompt either.
However, when a malicious link is added in Firefox, a window appears asking the user to confirm the bookmark before it is saved.
It can be seen that Firefox provides better security when it comes to bookmarks.
We used the Chrome browser in this demonstration. Let's assume the user is logged in to Discord on the web and has saved a malicious bookmark that came from a phishing page. The next time they click on that bookmark, the malicious code runs inside the Discord page. The victim's token, along with other personal information, is sent to the attacker's channel through a Discord webhook.
Here are screenshots of what the process looks like when the victim clicks on the malicious bookmark:
Here are answers to some questions you may have:
1. Why does it only take one click to become a victim?
2. Why did the attackers choose Discord webhook to receive information?
Because a Discord webhook has the form "https://discord.com/api/webhooks/xxxxxx". It lives on Discord's own main domain, so a request to it from a discord.com page is same-origin, and the same-origin policy and similar restrictions do not get in the way. You can create a new Discord webhook to try this out yourself.
3. What can you do with a Discord Token?
Obtaining a token is equivalent to obtaining access to the Discord account.
The holder has complete control of the account: setting up Discord webhook bots, posting announcements, and other malicious activities such as posting phishing links.
If you were a victim or believe you are the target of these operations, we advise you to take the following steps straight away:
1. Immediately reset your Discord account password.
2. After resetting the password, refresh your Discord token so that the old token is no longer valid.
3. Delete and replace the original webhook link, since it is compromised.
4. Increase your security awareness; check for and delete any malicious bookmarks that were added.
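Step 4 is easier if you enumerate bookmarklets rather than eyeballing the bookmarks bar. The following Python script is an added example, not code from the original article or from SlowMist: it walks a Chrome profile's Bookmarks JSON file (the sample data below is constructed inline; the location of the real file is an assumption) and flags every bookmark whose URL is a javascript: URL, including case, whitespace and percent-encoded variants that hide the scheme from a casual look.

```python
import json
import re
import urllib.parse

# Constructed sample in the layout of Chrome's "Bookmarks" file. Assumption: the real
# file lives in the profile directory, e.g. ".../User Data/Default/Bookmarks".
SAMPLE_BOOKMARKS = {
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar",
            "children": [
                {"type": "url", "name": "Discord", "url": "https://discord.com/app"},
                {"type": "url", "name": "Hello, World!",
                 "url": "javascript:alert('hello from ' + location.host)"},
                {"type": "url", "name": "Helper",
                 "url": " JaVaScRiPt:void(document.title)"},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks",
                  "children": [{"type": "url", "name": "Docs",
                                "url": "https://example.org/docs"}]},
        "sync_transaction_version": "1",   # non-folder value Chrome also stores here
    }
}

def is_script_url(url: str) -> bool:
    """True if the bookmark would run code in the current page instead of navigating."""
    # Normalise variants that can disguise the scheme: percent-encoding, leading
    # whitespace or control characters, and mixed case.
    cleaned = urllib.parse.unquote(url)
    cleaned = re.sub(r"[\x00-\x20]", "", cleaned).lower()
    return cleaned.startswith("javascript:")

def walk(node: dict, path: str = ""):
    """Yield (folder path, name, url) for every url node under a bookmark folder."""
    if node.get("type") == "url":
        yield path, node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, f"{path}/{node.get('name', '')}")

def find_script_bookmarks(bookmarks: dict) -> list:
    """Return [(path, name, url)] for every bookmarklet in a Chrome Bookmarks dict."""
    hits = []
    for root in bookmarks.get("roots", {}).values():
        if isinstance(root, dict):   # skip scalar entries such as sync_transaction_version
            hits.extend(h for h in walk(root) if is_script_url(h[2]))
    return hits

def scan_file(path: str) -> list:
    """Load a Chrome Bookmarks file from disk and return its bookmarklets."""
    with open(path, encoding="utf-8") as fh:
        return find_script_bookmarks(json.load(fh))

if __name__ == "__main__":
    for folder, name, url in find_script_bookmarks(SAMPLE_BOOKMARKS):
        print(f"[!] {folder}/{name!r} runs code: {url[:60]}")
```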
As a user, it is important to remember that any added action or piece of code can be malicious. There are plenty of extensions and helpers that look friendly and convenient, but you should always be skeptical and stay vigilant.
The SlowMist security team will continue to expose exploits in the blockchain industry to build a better future for everyone.