OpenSea phishing attack: a prime example of incompetent security practices

In the last few days, OpenSea has seen a lot of NFTs being stolen:

As of yet, whether or not the attack was purely the result of phishing, a code exploit, or both is unclear. One thing that is abundantly clear is that OpenSea has absolutely no clue about security, though that doesn’t come as a surprise.

OpenSea — and its users — were extremely vulnerable to this for a bunch of reasons.

Reason 1: OpenSea’s official migration email looks like a phishing scam itself

This is what the email looked like:

Anyone who has been on the internet for more than a week will immediately identify this as looking very much like a phishing email in and of itself, for it bears almost every single hallmark of a phishing scam:

• Short deadline, making the recipient believe they should act quickly and not think too much
• Statement that old assets will expire if the recipient doesn’t do the requested actions by the deadline
• Zero identifying details of the recipient (no name, no username, no anything — just “hi there”), indicating the sender doesn’t actually know who the recipient is

Without checking the links this email goes to, it looks very much like a phishing email. As a result, there is very little to differentiate a real phishing email from this one, making it an easy target.

Reason 2: Most NFT users are dangerously incompetent at cybersecurity

You might fairly wonder why this is a point in itself; after all, most internet users aren’t competent at cybersecurity. It’s an important point because unlike other internet users, who are aware of their own lack of knowledge on this subject, NFT users display a severe case of the Dunning-Kruger effect when it comes to cybersecurity.

As I stated in previous articles, the biggest threat by far when it comes to compromised security on the Internet today — no matter what kind of security you’re using — is attacks that target users themselves, convincing them to give up their credentials unknowingly. In other words, phishing attacks. NFT users, incompetently believing that blockchains are some kind of unbreakable security (and thinking themselves above being caught by phishing attacks, when in fact they are extra vulnerable to them due to trading on FOMO logic) fail to recognise this and are thus easy targets.

This fact is self-evident in their belief that encryption, blockchains, or anything else can prove ownership or validity, a concept only an incompetent person could genuinely believe. It is further shown by this specific phishing situation; if indeed NFT users understood security, they’d also realise that blockchains do not protect from any of the most popular attacks, yet they do not.

Reason 3: No company should ever send out an email asking for fast changes like that

Practically the entire recent history of Internet security, when it comes to websites and companies warning users about scams, can be summarised thus:

“Our company will never send you an email asking you to do X or Y. Our company will never ask for A or B credentials in a phone call or call you without you contacting us first.”

Precisely because of the fact that “do this in a week or else” emails render users very vulnerable to phishing attacks, banks and other companies never, ever do them — it is a basic and critical part of security. If for some reason users need to be told about performing some action, you give them several months to do it, not a week, and send several emails making absolutely sure your users are fully informed about the entire process timeline, where they can go to ask questions, etc. This way, you prevent users from acting without thinking due to time pressures.

OpenSea, it seems, missed basic cybersecurity class when it comes to this point; sending users an email asking for fast action is one of the most elementary, egregious errors that it is possible to make.

As some examples, Authorised Push Payment fraud does exactly the same thing that OpenSea has just done: call someone claiming to be their bank or official provider, tell them their assets are under threat and they must be migrated to a “safe” account straight away. Other forms of this fraud exist in many other places; courier scams involve sending texts to random phone numbers, telling them a parcel failed to deliver to their address and now they must reschedule it and pay a fee quickly or have their parcel returned.

Conclusion

The moral of this debacle is: don’t even *think* about sending users emails demanding action within short timeframes, unless you want your users to be compromised. This is true a hundred times more for companies that deal directly with financial assets (or pretend financial assets, like crypto, that can be traded for real financial assets).