How Scammer Used Malicious Bookmark to Gain Access to Discords of NFT projects

SlowMist
6 min readApr 21, 2022

--

Background Information

The blockchain ecosystem is still very much like the wild west; anything is possible in this world. If we want to establish a safe and secure environment for everyone, we must always remain one step ahead of malicious parties.

In our recent publication, The Blockchain Dark Forest Self-help Manual, it mentioned methods of phishing incidents on Discord of NFT projects.

In this article, we will explain how these incidents were made possible so you can stay vigilant at all times. One method used was to obtain the discord token of NFTs projects through malicious bookmarks and use it to post phishing links.

Phishing Incidents

Let us begin by examining an incident that occurred on March 14, 2022. According to a tweet by @Serpent, the Wizard Pass NFT project’s Discord server was infiltrated by scammers, and NFTs such as BAYC, Doodles, and Clone X were stolen.

Details below:

https://twitter.com/SerpentAU/status/1503232270219431941

Here’s an explanation by @Sentinewtf:

https://twitter.com/sentinelwtf/status/1496293768542429187

The bookmark mentioned here is a browser bookmark. The contents of this bookmark contain a piece of malicious JavaScript code. When a user clicks on the malicious JavaScript code, it executes the Discord domain where the user is located and steals the token. Once the attacker gains access to the NFT projects’ discord token, they can directly take over relevant permissions of the account.

Background knowledge

This incident requires the readers to have some technical background. Current browsers have their own bookmark managers, which provide convenience but can be easily exploited. By carefully constructing a malicious phishing page, the attacker can trick you into inserting a piece of JavaScript code into your favorite bookmark. Once you click on the bookmark, it will be executed in the domain of the current browser tab.

In the example above, the victim opens discord.com from the official website. Next to it, I clicked on the malicious bookmark “Hello, World!” that I had previously saved. A pop-up statement is executed, and the source of execution shows discord.com.

There is a concept of domain here. Browsers have protection policies such as the same-origin policy. There is a concept of domain here. Browsers have protection policies such as the same-origin policy. Operations that don’t belong to discord.com should not respond to pages on discord.com, but bookmarks don’t follow this rule.

It is foreseeable that such a small function of bookmarks has hidden security issues. The bookmark URL is obvious when normally adding bookmarks.

A slightly security-conscious reader can tell that there is an obvious problem with the URL information.

What if it’s a well-constructed page that forces you to drag and drop your favorites to the bookmark bar on the page? You can see from the demo video that the twitter link asks the user to perform this task: “Drag this to your bookmarked”.

Now you have to drag a link in order to add it to the bookmarks bar. As long as the phishing script is written well enough, users with little technical knowledge can be easily tricked.

To implement drag-and-drop into the bookmark bar, you only need to construct an a tag. The following is a sample code:

<a href=”javascript: (() => { alert(‘Hello, World!’); })();”>

Hello, World!

</a>

When clicked, bookmarks can be executed like code in the developer tools console, and they will bypass the CSP (Content Security Policy) policy.

You may be wondering why, when a link like “javascript:()” is added to the browser bookmark bar, no alerts are made.

Let’s first compare two browsers, Google and Firefox.

Using Google Chrome, dragging and dropping to add a normal URL link does not have any editing alerts.

Using Google Chrome, dragging and dropping to add malicious links also does not show any editing alerts.

Using Firefox browser, if you add a normal link, there’s no alerts.

However, when using Firefox browser to add a malicious link, a window will appear to remind the editor to confirm the save.

It can be seen that Firefox provides betterprovides a better security when it comes to bookmarks.

Demo

We used the Chrome browser in this demonstration. Let’s assume the user logs in to Discord on the web and saves a malicious bookmark that’s actually a phishing page. The next time they click on that bookmark, it’ll trigger the malicious code. The victim’s token, along with other personal information, will be sent to the attacker’s channel through the Discord webhook.

Here are screenshots of what the process looks like when the victim clicks on the malicious bookmark:

The following is a screenshot of the JavaScript code written by the attacker. It’s used to obtain personal information such as token and receive them through the webhook of the Discord Server.

Here’s some answers to questions you may have :

1. Why does it only take one click to become a victim?

We know that bookmarks can be inserted into a JavaScript script. Knowing this, almost anything is possible. This includes information acquisition through the front-end package of webpackChunkdiscord_app encapsulated by Discord. However, in order to avoid any copycat attacks, we will not be giving out any information about the codes used in this attack.

2. Why did the attackers choose Discord webhook to receive information?

Because the format of the Discord webhook is “https://discord.com/api/webhooks/xxxxxx". It’s the main domain name of Discord, allowing it to bypass the same-origin policy and other issues. You can also create a new Discord webhook to try it out yourself.

3. What can you do with a Discord Token?

Getting a Token is equivalent to getting access to a Discord account.

You have complete access to the account, such as setting up Discord webhook bots, posting announcements, and other malicious activities such as posting phishing links.

Summary

If you were a victim or believe you are the target of these operations, we advise you to take the following steps straight away:

1. Immediately reset your Discord account password.

2. After resetting password, refresh Discord Token, so old Token is no longer valid.

3. Delete and replace original webhook link since it’s compromised.

4. Increase security awareness; check and delete all malicious bookmarks added.

As a user, it’s important to note that any added actions and code can be malicious. There are plenty of extensions that look friendly and convenient, but you should always be skeptical and stay vigilant.

The SlowMist security team will continue to expose exploits in the blockchain industry to build a better future for everyone.

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.