If you're a #nftcollector .. especially one that collects or holds high-value #NFTs.. you may want to read this thread carefully..

What exactly is spear phishing?
Spear phishing: a targeted attack on either an individual or a selected group of individuals.
How does it start?
- open source intelligence (OSINT)

What does that mean?
- publicly available sources: Twitter, Discord, TikTok, Instagram, GitHub, blogs, Shodan, Google, LinkedIn, Etherscan
What kind of information does a threat actor try to gain?
General:
1. Individual(s) name
2. Place of employment
3. Contact:
- all social media accounts
- email
- phone number
For those who are in NFTs or crypto:
1. All the above
2. Type of cold wallet (don't tell anyone what wallet you have...)
3. Types of NFTs (don't flex in your Twitter bio)
4. Eth address (think about Twitter giveaways...)
5. Pfp / username matching on all social media platforms
6. Devices (people who think it's a great idea to flex a new device they got - an Apple product or a new gaming computer)
What are the types of spear phishing?
1. Internal spear phishing:
- threat actors phish from inside the company (they already have access to accounts or systems within the company - lateral movement phishing)
2. Spear phishing as a service:
- uses third-party systems to gain information
- use of social media, personal email
- gains a trusted relationship (to "trade" NFTs, for example - always assume zero trust)
3. Spear phishing link:
- use of links (we all know not to click on links, but I've seen this happen when vulnerable new NFT brands looking to increase their engagement hire "marketing agencies" that turn out to be more malicious than good - it forms a trusted relationship)
- clicking on URLs leverages User Execution (occurs after initial access)
Note: User Execution means threat actors rely on specific actions by the victim to gain execution
4. Spear phishing attachment:
- sending malicious attachments in email or social media: images, PDFs, Word documents
- the payload exploits device vulnerabilities
- usually bypasses the device's built-in protection
How to reduce your chances of being targeted and attacked?
1. Don't flex high-value NFTs in your Twitter bio
2. Have different usernames and pfps on all social media
3. Don't brag about gains online or in person
4. Assume zero trust
5. Don't click on anything that's not trusted: don't click on http links, only https
6. Run a background check on any marketing agency before hiring
7. Be careful with any crypto bots in Discord
8. Update all devices and scan for malware weekly
9. Back up your devices monthly
10. Have situational awareness
11. Don't use free wifi at NFT or crypto conventions
12. Never bring your cold wallet to crypto conventions
13. Hover over the URL and see if it has any misspellings or is using http instead of https (a sign that it may be malicious)
14. Don't do Twitter or Discord giveaways, or at least really do your research before...
15. Don't FOMO
16. In emails look out for:
- bad grammar / spelling mistakes
- unfamiliar greeting
- ANYTHING VERY URGENT
- image attachments (hover over the image - don't click - and verify)
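As an added example (not part of the original thread), here is a small Python check that automates points 5 and 13 above: it flags a hovered link that is not https, hides credentials before an "@", uses a punycode/non-ASCII hostname, or is a typo-squat or subdomain impersonation of a site on a constructed allowlist. The allowlist and the two-edit lookalike threshold are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of sites this collector actually uses (assumption for the example).
TRUSTED_DOMAINS = {"opensea.io", "etherscan.io", "discord.com", "twitter.com"}

def _levenshtein(a, b):
    # Edit distance: how many single-character changes turn a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    # Crude "last two labels" rule; production code would consult the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def check_url(url):
    """Return the red flags a hovered link shows, per the checklist above (empty list = none)."""
    flags = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        flags.append("not https")
    if not host:
        flags.append("no hostname")
        return flags
    if "xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("punycode/non-ascii hostname")
    if p.username or p.password:
        flags.append("credentials embedded in url")  # https://opensea.io@evil.example/ really goes to evil.example
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return flags
    matched = False
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if _levenshtein(dom, trusted) <= 2:
            flags.append(f"lookalike of {trusted}")  # typo-squat such as opensae.io
            matched = True
        elif brand in host:
            flags.append(f"brand '{brand}' inside unrelated domain {dom}")  # opensea.io.evil.example
            matched = True
    if not matched:
        flags.append("domain not in allowlist")
    return flags
```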
This is just a short snippet of basic-to-intermediate security. The attacks are only going to get more complex over time. Help me spread cyber security awareness 🙌.

Stay frosty #nftcollector #NFTartist

More from @nft_sec

28 Dec 21
Someone on #NFT spaces asked me about other ways threat actors can gain more user intel without a computer or phone.. Besides Christmas lights? Some toys that have Bluetooth can be compromised and threat actors can use them to spy or listen in on some conversations..

👇
1. Fisher-Price Chatter Bluetooth has no secure pairing process. Threat actors can exploit this as an audio bug.
2. "My Friend Cayla" Bluetooth also has similar issues.
28 Dec 21
Hope everyone had a nice holiday #NFTartist.

Some have asked me a question over the weekend about how threat actors are able to bypass 2FA.

👇
Man-in-the-Middle phishing toolkits:
Session Hijacking
User’s authentication cookies:
Files created inside a web browser once the user has logged into an account after the 2FA process was completed.
13 Dec 21
Just trying to push security awareness:

1. The difference between different phishing techniques:

1. phishing: community
2. spear phishing: targeted members of the community
3. whaling: brand owner
4. vishing: by phone
5. smishing: send messages by text
6. Angler phishing: sending direct message within social media
7. Pharming: malicious actors hijack a Domain Name Server (DNS), the server that translates URLs from natural language into IP addresses
8. Evil Twin: fake WiFi hotspot, often making it look legitimate, that might intercept data during transfer.
9. Watering hole phishing: threat actors research the websites a brand's employees visit often, then infect the IP address with malicious code or downloads.