NFTs Emerge as the Next Enterprise Attack Vector

Cybersecurity has to be a top priority as enterprises begin incorporating the use of nonfungible tokens (NFT)into their business strategies, brand-awareness campaigns, and employee-communication efforts, experts say.

A recent malware campaign that targeted online artists with a lure about lucrative nonfungible token (NFT) projects is a good indication of how threat actors are capitalizing on the snowballing interest in digital goods — and it has implications for the growing number of corporate brands trying to ride the NFT wave, too.

The campaign, which researchers from Malwarebytes observed, involved messages purporting to be from the NFT project Cyberpunk Ape Executives. These were sent to digital art creators on online platforms such as DeviantArt and Pixiv, and they invited the recipients to work with the people behind the Cyberpunk Ape project to create new NFT characters. They also promised them $350 per day by way of compensation.

A link in the message directed recipients to more information about the project. When users clicked on it, they were sent to a site that downloaded multiple images of apes that purported to be examples of NFTs from the project. One of the images was an executable file, which when opened infected the user’s system with an information stealer.

Malwarebytes said it observed several account holders on platforms such as Pixiv and DeviantArt complaining about their accounts being used to spam others with messages about the same Cyberpunk Ape Executive NFT project. Malwarebytes said it couldn’t confirm if the information stealer itself was responsible for the account hacks or if some other form of phishing was involved.

NFT-Related Cybercrime: A Rapidly Growing Threat
The campaign is one in a rapidly growing number of NFT-centric attacks, security researchers say. Most of them, for the moment at least, is aimed at people working directly in the NFT space, says Chris Boyd, lead malware intelligence analyst at Malwarebytes. “However, as more mainstream businesses adopt NFT projects or look to get involved with blockchain, it will quickly become a concern across more traditional industries,” he predicts.

Analyst firms such as Gartner and Forrester already predict a world where NFTs will play a crucial part in enterprise strategies over the next few years. Gartner included NFTs in its 2021 hype cycle for emerging technologies, and it has described them as one of the technologies that could have the most significant impact on business and society over the next 10 years. The analyst firm expects NFTs will play a fundamental role in an emerging metaverse where organizations try to provide better engagement, collaboration, and connection with employees and others through immersive virtual workplaces. 

Forrester also has pointed to organizations such as insurance firm State Farm jumping into the NFT space with a football-themed treasure hunt as an example of how a quickly growing number of enterprises are experimenting with nonfungible tokens.

Harvard Business Review earlier this year described initial enterprise efforts around NFTs as focused on launching their own digital collectibles — such as Campbell’s soup can art. HBR predicts that in the next few years, NFTs could become the “central digital touchpoint” between enterprises and their customers.

A Variety of Attacks
Boyd says Malwarebytes researchers have been observing a variety of NFT and cryptocurrency threats daily. 

“The most common attacks try to trick cryptocurrency enthusiasts into handing over their wallet’s recovery phrase,” he says. Users who fall for the scam often stand to lose access to their funds permanently, he says. “Bogus Airdrops, which are fake promotional giveaways, are also common and ask for recovery phrases or have the victim connect their wallets to malicious Airdrop sites, he adds, noting that many fake Airdrop sites are imitations of real NFT projects. And with so many small unverified projects around, it’s often hard to determine authenticity, he notes.

Oded Vanunu, head of product vulnerability at Check Point Software, says what his company has observed by way of NFT-centric attacks is activity focused on exploiting weaknesses in NFT marketplaces and applications. Read more:

You can also read this: Rarible NFT Marketplace Flaw Could’ve Let Attackers Hijack Crypto Wallets

Leave a Reply

Your email address will not be published. Required fields are marked *