Today we’ll cover a phishing scam that allows scammers to buy your NFTs for free. Here are two sites connected to this scam:
Analysis of Phishing Site 1
After visiting the website, the MetaMask wallet appears and requests permission. There was no response when I attempted to visit other portions of the website. Aside from the MetaMask pop-up, the entire website seems to be an image display.
Maker: User address
Taker: 0xde6135b63decc47d5a5d47834a7dd241fe61945a
Exchange: 0x7f268357A8c2552623316e2562D90e642bB538E5, this appears to be an OpenSea V2 contract address.
The malicious signature request is a sell order designed to trick the victim into listing their NFT. Once a victim signs the order, the scammer can fill it and purchase the victim’s NFT via OpenSea. Since the scammer sets the price, they can essentially buy it for free.
Because the attacker holds the signed order itself (it is an off-chain signature, not an on-chain token approval), the authorization cannot be revoked using websites such as Revoke.Cash or Etherscan. However, you can cancel the pending order to prevent the theft of your NFTs.
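As an added illustration (not code from the original article), here is a small screening routine for the kind of signature request described above: it inspects the order fields MetaMask shows (maker, taker, exchange, price) and flags the pattern of a sell order with a zero price restricted to a specific taker. The field names follow the Wyvern Order struct as assumed here; the taker and exchange addresses are the ones quoted in the article, and the victim address is constructed.

```javascript
// Added example: heuristic screening of an OpenSea (Wyvern v2) sell-order
// signature request before it is signed. Field names (maker, taker, side,
// basePrice, expirationTime) follow the Wyvern Order struct as assumed here.
const OPENSEA_V2 = "0x7f268357a8c2552623316e2562d90e642bb538e5";
const ZERO = "0x0000000000000000000000000000000000000000";
const norm = (a) => String(a).toLowerCase();

// Returns a list of warnings for a typed-data Order message. An empty
// list means no rule matched; it does not prove the request is safe.
function screenOrder(msg, walletAddress) {
  const warnings = [];
  if (norm(msg.exchange) !== OPENSEA_V2)
    warnings.push("exchange is not the known OpenSea V2 contract");
  if (norm(msg.maker) !== norm(walletAddress))
    warnings.push("maker is not the connected wallet");
  if (Number(msg.side) === 1) {
    // side 1 = sell: signing this lists your NFT for sale
    if (BigInt(msg.basePrice) === 0n)
      warnings.push("sell order with a zero price");
    // a non-zero taker means only that address can fill the order
    if (norm(msg.taker) !== ZERO)
      warnings.push(`private sell order restricted to taker ${msg.taker}`);
  }
  if (Number(msg.expirationTime) === 0)
    warnings.push("order never expires");
  return warnings;
}

// Constructed request mirroring the fields shown on the phishing sites
// (victim address is a placeholder; taker is the scammer contract above).
const phishingRequest = {
  exchange: "0x7f268357A8c2552623316e2562D90e642bB538E5",
  maker: "0x1111111111111111111111111111111111111111",
  taker: "0xde6135b63decc47d5a5d47834a7dd241fe61945a",
  side: 1,
  basePrice: "0",
  expirationTime: 0,
};

// Constructed ordinary listing for comparison: open to any buyer, priced, expiring.
const normalListing = {
  exchange: OPENSEA_V2,
  maker: "0x1111111111111111111111111111111111111111",
  taker: ZERO,
  side: 1,
  basePrice: "1000000000000000000",
  expirationTime: 1700000000,
};
```

Run screenOrder(phishingRequest, victimAddress) and screenOrder(normalListing, victimAddress) to compare: the first yields three warnings, the second none.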
We learned from the source code that this phishing site used the HTTrack tool to replicate the real site c-01nf.io. After looking deeper into the phishing site, we discovered the following information:
We discovered another phishing site, https://polarbears.in, in the JS file.
This site was also duplicated from the actual site https://polarbearsnft.com/ using HTTrack and is also another static display page.
We followed the link in the image above to another phishing site created with HTTrack, https://thedoodles.site. This confirmed our theory that these were not just one-time scams.
We continued our research to another phishing site https://themta.site, but it appears to be down at the time of writing.
In total, we found 18 different results related to the phishing site thedoodles.site. Our second phishing website (https://acade.link/) was also on this list. It seems like the scammers just copied and repeated the same scam over and over again.
Analysis of Phishing Site 2
Like the first, a MetaMask wallet will pop up asking you to sign, but nothing else works on the site.
The MetaMask signature request content is the same as on Phishing Site 1:
Maker: User address
Exchange: OpenSea V2 Contract
Taker: Scammer contract address
Looking at the scammer’s contract address (0xde6…45a), you can see that this contract address is marked as a high-risk phishing address by MistTrack.
Next, we used MistTrack to analyze the contract’s creator address (0x542…b56):
The initial funding for this phishing address came from another address marked as phishing (0x071…48E). Going back further, we can see that the funds came from three other phishing addresses.
This article mainly focuses on how scammers trick users into signing approvals and buying their NFTs without ever having to pay anything. We aim to help raise awareness about these scams and prevent additional victims from falling for them. We strongly recommend that everyone always verify the URL of the website they visit and only use official sources. Do not click on unknown links, and never approve signature requests from unknown sites. Follow routine security practices such as revoking authorizations promptly and never storing all your funds in a single wallet.