If you're a #nftcollector .. especially one that collects or has high valued #NFTs.. you may want to read this thread carefully..
What exactly is spear phishing?
Spear phish: targeted attack on either an individual or a selected group of individuals.
How does it start?
- open source intelligence (OSINT)
What does that mean?
- publicly available sources: Twitter, discord, TikTok, Instagram, GitHub, blogs, shodan, Google, LinkedIn, etherscan
What kind of information does a threat actor try to gain?
General: 1. Individual(s) name 2. Place of employment 3. Contact:
- all social media accounts
- email
- phone number
For those who are in NFTs or crypto: 1. All the above 2. Type of cold wallet (don't tell anyone what wallet you have...) 3. Types of NFTs (don't flex in your Twitter bio) 4. Eth address (think about Twitter giveaways...) 5. Pfp / username matching on all social media platforms
6. Devices (people who think it's a great idea to flex a new device they got - apple or new gaming computer)
What are the types of spear phishing? 1. Internal spear phishing:
- when threat actors are phishing the internal company (already have access to accounts or systems within the company - lateral movement phishing)
2. Spearphishing as a service:
- uses third party systems to gain information
- use of social media, personal email
- gain trusted relationship (to "trade" NFTs for example - always assume zero trust)
3. Spearphishing link:
- Use of links (we all know not to click on links but I've seen this happen when vulnerable new NFT brands are looking to increase their engagement by hiring "marketing agencies" and turn out to be more malicious than good - forms a trusted relationship.
- clicking on urls leverages User Execution (occurs after initial access)
Note* User Execution: threat actors rely on specific actions by the victim to gain execution
Spearphishing attachment:
- sending malicious attachments in either email, social media, images, PDFs, word documents
- payload exploits devices vulnerabilities
- usually bypasses device systems protection
How to reduce being a target & attack? 1. Don't flex in your Twitter bio of high valued NFTs 2. Have different usernames and pfp on all social media 3. Don't brag about gains online or physically 4. Assume zero trust
5. Don't click on anything that's not trusted: don't click on http, only click on https 6. Run a background check on any marketing agency before hiring 7. Careful on any crypto bots in discord 8. Update all devices and scan for malware weekly 9. Backup your devices monthly
10. Have situation awareness 11. Don't use free wifi at NFT or crypto conventions 12. Never bring your cold wallet to crypto conventions 13. Hover over the url and see if the url has any misspelling or is using http instead of https (sign that it may be malicious)
14. Don't do Twitter or discord giveaways or at least really try to do research before... 15. Don't fomo 16. In emails look out for:
- bad grammar / spelling mistakes
- unfamiliar greeting
- ANYTHING VERY URGENT
- image attachments (hover over the image - don't click and verify)
This is just a short snippet of basic to intermediate security. The attacks are only going to get more complex over time. Help me spread cyber security awareness 🙌.
Someone on #NFT spaces asked me about other ways threat actors can gain more user Intel without computer or phone.. Besides Christmas lights? Some toys that have bluetooth can be comprised and threat actors can use to spy or listen in on some conversations..
👇
1. Fisher-Price Chatter bluetooth has no secure pairing process. Threat Actors can exploit this in an audio bug.
2. "My Friend Cayla" bluetooth also has similar issues.
1. The difference between different phishing techniques:
1. phishing: community 2. spear phishing: targeted members of the community
3. whaling: brand owner 4. vishing: by phone 5. smishing: send messages by text 6. Angler phishing: sending direct message within social media 7. Pharming: malicious actors hijack a Domain Name Server (DNS), the server that translates URLs from natural language into IP addresses
8. Evil Twin: fake WiFi hotspot, often making it look legitimate, that might intercept data during transfer. 9. Watering hole phishing: threat actors research around the websites a brands employees visit often, then infecting the IP address with malicious code or downloads.