Effective URL: https://blog.checkpoint.com/2022/02/20/new-opensea-attack-led-to-theft-of-millions-of-dollars-in-nfts/?mkt_tok=NzUwLURRSC01M...
NEW OPENSEA ATTACK LED TO THEFT OF MILLIONS OF DOLLARS IN NFTS

By Dikla Barda, Roman Zaikin & Oded Vanunu

A few days ago, OpenSea published an article about the contract migration they
are planning.



The idea behind the OpenSea migration is to address the existing inactive
listings of old NFTs. To do that, OpenSea is planning to upgrade to a new
contract, and all users will be required to “migrate” their listings on
Ethereum to the new smart contract.

They also sent instructions, which can be found here:

https://support.opensea.io/hc/en-us/articles/4433163594643-Smart-Contract-Upgrade-How-to-Migrate-Your-Item-Listings

Following public information published on social media and user alerts, we
started an investigation. We believe that hackers took advantage of the upgrade
process to scam NFT users by copying the email format used by OpenSea and
resending it to the OpenSea victims:



Clicking the link takes users to a phishing website, which asks them to sign a
transaction that looks like the transaction from the OpenSea blog:

https://twitter.com/isotile/status/1495234649970421760?s=21

[Update 23/2/22 – to mitigate the phishing attack, users must follow OpenSea's
recommendations explicitly via Twitter]

By signing the transaction, an atomicMatch_ request is sent to the attacker's
contract, which he created a month prior to the attack
(https://etherscan.io/address/0xa2c0946ad444dccf990394c5cbe019a858a945bd):



From there, the atomicMatch_ request is forwarded to the Project Wyvern
Exchange. atomicMatch_ is responsible for all trading on OpenSea with minimal
trust. Atomic means that the transaction only takes place if all of its
parameters are met. This is how all NFTs move between accounts on OpenSea.

This is why the attacker decided to use atomicMatch_ to steal the victims' NFTs:
this kind of request is capable of stealing all of a victim's NFTs in one
transaction.

The flow of the attack looks as follows:

 1. The victim clicks on a malicious link in the phishing email.
 2. The link opens a phishing website, which asks the victim to sign a
    transaction.
 3. By signing the transaction, an atomicMatch_ request is sent to
    0xa2c0946ad444dccf990394c5cbe019a858a945bd (attacker contract).
 4. The attacker then forwards the request to atomicMatch_ at
    0x7be8076f4ea4a4ad08075c2508e481d6c946d12b (OpenSea contract).
 5. The OpenSea contract verifies all the parameters of the deal and executes
    the transaction, because everything is signed by the victim and approved.
 6. The OpenSea contract communicates with the NFT contracts and transfers the
    NFT from the victim to the attacker according to the atomicMatch_ request.
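
A defender's view of steps 3 to 5, as an added example that is not part of the Check Point post: it flags atomicMatch_ calls that reach the OpenSea contract through an intermediary contract rather than directly from the transaction sender. The two contract addresses are the ones quoted above; the trace record format, the sample transactions and the known_relays allow-list are assumptions made for illustration.

```python
# Added example: addresses come from the article; the trace records are constructed.
WYVERN_EXCHANGE = "0x7be8076f4ea4a4ad08075c2508e481d6c946d12b"   # OpenSea contract (step 4)
ARTICLE_RELAY = "0xa2c0946ad444dccf990394c5cbe019a858a945bd"     # attacker contract (step 3)


def flag_relayed_matches(traces, known_relays=frozenset()):
    """Return one finding per atomicMatch_ call that reaches the exchange
    through an intermediary contract instead of straight from the sender."""
    allowed = {a.lower() for a in known_relays}   # hypothetical allow-list of vetted relays
    findings = []
    for tx in traces:
        sender = tx["from"].lower()
        for call in tx["calls"]:
            if call["method"] != "atomicMatch_":
                continue
            if call["to"].lower() != WYVERN_EXCHANGE:
                continue
            caller = call["from"].lower()
            # Direct trade: the account that sent the transaction calls the exchange itself.
            if caller == sender or caller in allowed:
                continue
            findings.append({"tx": tx["hash"], "sender": sender, "relay": caller})
    return findings


# Constructed sample traces (hypothetical format: decoded call frames per transaction).
SAMPLE_TRACES = [
    {   # ordinary trade: sender -> exchange
        "hash": "0xaaa1", "from": "0x1111111111111111111111111111111111111111",
        "calls": [{"from": "0x1111111111111111111111111111111111111111",
                   "to": WYVERN_EXCHANGE, "method": "atomicMatch_"}],
    },
    {   # steps 3-4 of the flow: sender -> relay contract -> exchange
        "hash": "0xbbb2", "from": "0x2222222222222222222222222222222222222222",
        "calls": [{"from": "0x2222222222222222222222222222222222222222",
                   "to": ARTICLE_RELAY, "method": "atomicMatch_"},
                  {"from": ARTICLE_RELAY,
                   "to": WYVERN_EXCHANGE, "method": "atomicMatch_"}],
    },
]

if __name__ == "__main__":
    for finding in flag_relayed_matches(SAMPLE_TRACES):
        print("relayed atomicMatch_:", finding)
```

A relayed call is a signal to review rather than proof of theft, which is why the function accepts an allow-list of intermediaries the reviewer has already vetted.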

The whole process looks like this:



What is even more interesting here is that the attacker executed a dry run
before the attack. He tried to execute an atomicMatch_ against OpenSea to
verify his attack.

This can be seen in the following screenshot:



From the transactions in the attacker account, Check Point Research can see that
the wallet has over 2 million dollars worth of Ethereum from selling some of the
stolen NFTs.

https://etherscan.io/address/0x3e0defb880cd8e163bad68abe66437f99a7a8a74#internaltx

How to stay safe?

 1. Many websites and projects request permanent access to your NFTs by
    sending you a transaction to sign. This transaction gives the
    websites/projects access to your NFTs anytime they want, unless you
    un-approve the transaction at the following link –
    https://etherscan.io/tokenapprovalchecker.
 2. Signing a transaction is similar to giving someone permission to access all
    your NFTs and cryptocurrencies. This is why signing is very dangerous. Pay
    extra attention to where and when you sign a transaction.
 3. Phishing emails may be tricky. We don’t recommend clicking on links from
    emails, no matter who the sender is. Always try to find the same
    information on the provider's website.

