Cyber criminals looking for a quick payout and valuables are targeting digital artists using NFTs (non-fungible tokens), warns security researcher Bart Blaze.
The attackers are taking advantage of the artists’ desire to work and earn money to trick them into downloading information-stealing malware that will help them raid their crypto wallets and break into their various online accounts (email, IM, gaming, banking, etc.).
The various tricks criminals use for targeting digital artists
In one variation of the attack, it all starts with the attacker adopting an entirely fake persona, contacting the artist (usually via Twitter, Instagram or email) and commissioning a bespoke piece of digital art.
In another, the attacker poses as an employee of an existing software company and asks the target to beta-test photo editing software in return for payment in ETH (Ethereum).
In both cases, the attacker asks the targeted artist to accept / download and open a .src file (ostensibly an example of how the art piece should look) or an archive file (with the .src or other types of executable files inside).
Those who open those files without checking whether they are possibly malicious may ultimately be saddled with the RedLine infostealer, which is capable of:
- Collecting system information
- Stealing username and password from browsers
- Steal crypto wallet information from Chrome extensions and wallet.dat files
- Steal data from other software (e.g., Steam or FileZilla)
- Execute commands by the attacker (e.g., download other files, open link, etc.)
Once all this data is collected, the attacker can start logging into the target’s accounts, attempt to steal their tokens, impersonate them, install other malware, and so on, Blaze notes.
What to do before and after an attack?
A number of digital artists have already fallen for the trick or have identified it as a scam are warning others via Twitter.
WARNING TO ALL ARTISTS
Got a DM from "John Billmate" claiming to be "Responsible for distribution of photo editor" from @SkylumSoftware
DO NOT OPEN ANY LINKS FROM THIS PERSON. This is a scam, and if you got this DM, or get a dm in the future, block it. #NFTCommunity #skylum pic.twitter.com/yQv68bRIjW
— Cloudy Night ☁️ (@CloudyNight_k) June 11, 2021
Blaze advises potential targets (in this particular case, Windows users) to make sure their OS and anti-virus software is up-to-date, their Windows Firewall enabled, their UAC (User Account Control) set to the maximum level, and to make file extensions visible on their system.
In addition to this, he recommends using unique passwords on all accounts (and using a standalone password manager), enabling 2FA or MFA on those accounts when that is possible, using a hardware instead of software wallet, and storing one’s seed phrase offline.
Finally, digital artists should carefully evaluate the legitimacy of previously unknow potential customers and refrain from running files with dangerous extensions or opening archive files from people they don’t know / trust.
This list contains dangerous file extensions you should avoid if aren't from trusted sources:
bat, bin, cmd, com, cpl, exe, gadget, inf, ins, inx, isu, job, jse, lnk, msc, msi, msp, mst, paf, pif, reg, rgs, scr, sct, shb, shs, u3p, vb, vbe, vbs, vbscript, ws, wsf, wsh.
— 🌈 ArielBeckerArt.eth #SquidGang 🦑 (@arielbeckerart) June 10, 2021
Sometimes anti-virus software will spot and block the malicious file, but often attackers employ tricks to stymie it.
“You can also Google any information they send through to further verify their claims,” Blaze added.
Those who fall for such a scheme are advised to, first and foremost, contact their NFT marketplace and cryptowallet providers to try to block the account takeover, and then start changing passwords on other accounts (email, banking, etc.) from another uncompromised device and start searching their machine for evidence of compromise.