OpenSea Hack / Scam
First off: I do not mean to spam your notifications. Every article in this newsletter is intentional and meant to provide actual value. If you ever feel it does not, please reach out and I'll address it as best I can.
So, over the last 2 days, several OpenSea wallets have been compromised (= NFTs moved away = stolen). Twitter talks about only 32 wallets, but there are still a lot of unknowns about the incident. Nonetheless, it makes sense to discuss the issue in general.
Email Scams
You know what they are: an email that looks like it is from your bank (or OpenSea) and tells you something that prompts you to log in and check your account. The problem is that the login page you land on is not your bank's or OpenSea's but a scam site that collects your credentials and then empties your wallet. How does this work in general?
Emails are sent from one server to another server. Any server (given it runs the right software) can send any email to any other server. We identify mailboxes by their domain: mail for [email protected] is delivered to the servers behind "gmail.com", and anyone can send mail to that address. When you send a private email it usually looks like "[email protected]" sending to "[email protected]". An email has a subject, a text body and possibly attachments. Emails, like web pages, also carry headers. Headers are mostly invisible to the user. Servers use a few of them for routing and logging (the "Received:" lines, for instance), and your mail client uses others to decode and display the message. For example, a header tells the client that the body is HTML, so the client renders the email in colour with everything the HTML delivers. Headers also carry the sender's display name. Here is the important part: the address the mail was actually handed over from (the SMTP envelope sender, which the receiving server records as "Return-Path:") and the "From:" header that your client shows you are two different things. The "From:" header is just text the sender writes, and it is what gives you "Ralph Kuepper <[email protected]>" instead of a bare address. Nothing in the mail protocol itself stops that header from saying "OpenSea Team <[email protected]>" while the mail really came from somewhere else. The only things standing in the way are the receiving server's checks (SPF, DKIM and DMARC), and when those are missing, misconfigured, or the impersonated domain does not publish a strict policy, the spoofed "From:" is exactly what lands in your inbox. That is all you really need to send scam emails.
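As an added example (this is not code from the newsletter), here is the paragraph above in practice: one function builds a raw message the way a scammer's script would, with a free-text "From:" header, and a second reads the headers a receiving server records ("Return-Path:" for the envelope sender, "Authentication-Results:" for its SPF/DKIM/DMARC verdict) and flags the mismatch. Everything here is constructed: the addresses, the domains, and the header values; "opensea.io" appears only as the brand being impersonated, and the builder writes "Return-Path:" itself to simulate what a receiving server would add.

```python
"""Spoofed From: header versus envelope sender (added example, constructed data)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

LEGIT_DOMAIN = "opensea.io"  # assumption: the one brand we care about
BRAND_WORD = "opensea"


def build_message(from_header: str, envelope_sender: str, auth_results: str = "") -> bytes:
    """Build a raw RFC 5322 message as it would sit in the victim's mailbox.

    from_header is whatever the sender typed; it is never verified by the protocol.
    envelope_sender is what the sending script gave in SMTP MAIL FROM; a receiving
    server records it as Return-Path:, and an SPF/DKIM/DMARC-aware receiver adds
    Authentication-Results:. Both receiver-side headers are simulated here.
    """
    msg = EmailMessage()
    msg["From"] = from_header                      # attacker-chosen display text
    msg["To"] = "victim@example.net"               # constructed
    msg["Subject"] = "Action required: migrate your listings"
    msg["Return-Path"] = f"<{envelope_sender}>"    # what the receiver actually saw
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content(
        "Your listings must be migrated before the deadline.\n"
        "Log in at https://opensea.io.migrate-listings.example to continue."
    )
    return msg.as_bytes()


def check_sender(raw: bytes) -> dict:
    """Findings a mail client or filter could raise before the user clicks anything."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    envelope_domain = return_path.rpartition("@")[2].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()

    # Display name claims the brand, but the address is not on the brand's domain.
    name_brand_mismatch = BRAND_WORD in display_name.lower() and from_domain != LEGIT_DOMAIN
    # From: domain differs from the envelope sender: classic spoof (or a bulk-mail
    # service, which is why DMARC alignment exists and why this alone is only a hint).
    envelope_mismatch = bool(envelope_domain) and envelope_domain != from_domain
    # The receiving server's own verdict, if it ran the checks.
    auth_failed = any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail"))

    return {
        "from_address": from_addr,
        "envelope_domain": envelope_domain,
        "name_brand_mismatch": name_brand_mismatch,
        "envelope_mismatch": envelope_mismatch,
        "auth_failed": auth_failed,
        "suspicious": name_brand_mismatch or envelope_mismatch or auth_failed,
    }


if __name__ == "__main__":
    spoofed = build_message(
        "OpenSea Team <support@opensea.io>",        # looks right in the client
        "bounce@mail-notify-center.example",       # where it really came from
        "mx.example.net; spf=fail smtp.mailfrom=mail-notify-center.example; "
        "dkim=none; dmarc=fail header.from=opensea.io",
    )
    for key, value in check_sender(spoofed).items():
        print(f"{key:>20}: {value}")
```

The "envelope_mismatch" signal on its own is only a hint, because legitimate newsletters sent through a mailing provider also have a Return-Path on the provider's domain; the combination with a failing DMARC verdict is what makes it conclusive.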
Contract Signatures
Smart contracts are powerful beasts. They can do very little (a standard ERC20 token) or almost anything (Uniswap, OpenSea's contracts, etc.). Technically it is no problem for a smart contract to empty your wallet within seconds. The hard part for the attacker is getting you (!!) to sign something that authorizes it: either an on-chain transaction (an approval that lets a contract move every token in a collection, for example) or an off-chain signed message that the contract will later accept as your consent. Think of it as handing your house key to a store to get it duplicated. And that is what scammers typically do: they provide a website that looks very similar to OpenSea under a similar domain. Typically it is something like "openseq.io" (notice the "q" instead of the "a") or it is simply chained: "opensea.io.collection.something.io", where the real name is only a subdomain of a site the scammer owns. Humans are lazy and only read the first part or overlook the little differences. Once you are on the site, and you think it is OpenSea, and it asks you to sign something with MetaMask, most humans react with "why would I not?". They think this is intended by OpenSea, but it is actually someone else altogether.
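The two lookalike tricks described above can both be caught mechanically. As an added example (not code from the newsletter or from OpenSea), the classifier below strips a URL down to the part a registrar actually sold and compares that with the real domain; it catches the chained "opensea.io.collection.something.io" form and the one-character typosquat. Assumptions: the "registrable domain" is simplified to the last two labels (it ignores public suffixes like "co.uk"), the confusable-character table is a small hand-picked set, and every candidate URL is constructed.

```python
"""Lookalike-domain classifier for phishing links (added example, constructed URLs)."""
from urllib.parse import urlsplit

BRAND = "opensea"
BRAND_DOMAIN = "opensea.io"

# Substitutions attackers commonly rely on (assumption: a small illustrative set).
CONFUSABLES = {"0": "o", "1": "l", "q": "o", "rn": "m", "vv": "w", "cl": "d"}


def hostname(url: str) -> str:
    """Accept bare hosts as well as full URLs; return the lower-cased host."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """The last two labels of the host: what the scammer had to register.

    Simplification: no public-suffix list, so 'x.co.uk' would yield 'co.uk'.
    Good enough to defeat 'opensea.io.collection.something.io' -> 'something.io'.
    """
    labels = hostname(url).split(".")
    return ".".join(labels[-2:])


def normalize_confusables(label: str) -> str:
    """Map look-alike characters back to what the eye reads them as."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from the brand is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'subdomain-chain', 'typosquat', 'brand-in-name' or 'unrelated'."""
    host = hostname(url)
    reg = registrable_domain(url)
    if reg == BRAND_DOMAIN:
        return "legit"
    # The real domain appears, but only as a subdomain of someone else's domain.
    if host.startswith(BRAND_DOMAIN + ".") or ("." + BRAND_DOMAIN + ".") in host:
        return "subdomain-chain"
    second_level = reg.split(".")[0]
    if edit_distance(normalize_confusables(second_level), BRAND) <= 1:
        return "typosquat"
    if BRAND in host:
        return "brand-in-name"
    return "unrelated"


if __name__ == "__main__":
    for candidate in (
        "https://opensea.io/collection/doodles",
        "https://openseq.io/login",
        "https://0pensea.io/login",
        "opensea.io.collection.something.io",
        "https://opensea-login.example/connect",
        "https://example.com",
    ):
        print(f"{candidate:45} -> {classify(candidate)}")
```

In a wallet or browser extension the useful place for this check is the moment a site asks for a signature: the verdict is shown next to the signing prompt, which is exactly where the "why would I not?" reflex needs interrupting.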
In the case of the OpenSea scam this weekend there is still a lot that has not been figured out. The exact scam site has not been identified yet, though OpenSea says the compromise did not happen through opensea.io. So we will see where this goes, but the bottom line is this:
Be EXTREMELY (!!!!) careful with what you sign in MetaMask. In case of doubt, just don't. I also personally keep a few burner ETH addresses in my MetaMask that I use for "strange" websites, etc. You don't have to have just one address: have a few and know which ones you should never use (because you never want to sell the NFT, right ;) ).
If you have ever been scammed and lost NFTs, please do reach out to me (via DM) and I'll give you some (not very valuable) NFTs. It won't fix the hurt, but I do want you to know that I (and many others) care about you and your loss.
#web3 #nft #opensea #scam
--
1 yr  [email protected] Is this a scam???
FABRICA DE PAN
1 yr  [email protected] is also one of them, right?
9+ Yrs | Full-Stack WordPress Developer | Plugins, Figma to WP Themes
1 yr  +1 to scam, I suppose https://prnt.sc/ecWdtOO_fYGZ I'm trying to finalize the payment and this message came in: "Tried making payments twice but not going through.. kindly contact the live support below to find out the reason I can't purchase your works. Kindly copy that email, go to your email address and send them an email that a customer is trying to purchase your art but the transaction is declined so they can resolve the issue immediately." Contact support?????? [email protected]