Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Phishing Targets Phantom Wallet

The Solana Phantom Wallet

by Kervin Alintanahin

Phantom is a browser based crypto wallet where you can store, send, receive, stake and exchange tokens in the Solana blockchain. With the skyrocketing prices of crypto currencies including SOL, a crypto wallet is one of the things we can use in order to get into the crypto currency action.

Just recently there were several reports of wallets being wiped clean. An incident was reported by a user on twitter on how it happened. With just a copy/pasted message sent by a friend to a messenger group chat which includes a phishing link, he clicked it without verifying and it all went wrong from there.

And now, they are trying to run pay per click campaigns to target more unsuspecting users. We previously reported fraudsters using online advertising in a phishing campaign that targeted Axie Infinity users through a fake Ronin wallet page. Malicious ads are not uncommon and large ad platforms like Google have processes to identify and remove fraudulent content. However, we were able to spot a fraudulent ad before it was quickly spotted and removed by Google.

In this campaign, criminals trick users into creating a crypto wallet on a phishing site so the bad actors have access to the wallet. Once the victim transfers crypto into the wallet, the criminals steal the funds.

Here is a step by step of the attack.

  1. Victims are lured to the phishing page with a fraudulent online ad.
Ad for fraudulent phantom wallet

2. The ad linked to a phishing page designed to mimic the real Phantom site.

Phishing page to create Phantom wallet

3. The victims navigate the same user experience as they would when interacting with the real Phantom site. Below the user receives their Secret Recovery Phrase after choosing the “Create New Wallet” option

Recovery phrase for Phantom wallet

4. Then the user enters and confirms their wallet password. Note the user is still interacting with the phishing site.

Fake Phantom password page

5. Next the user receives instructions to open the malicious browser extension.

Instructions for the malicious browser extension

6. The criminals now have all the information from the victim they need to empty the crypto wallet.

Final screen of the Phantom phishing kit

7. And of course, to make the victim feel this process was legitimate, the “Finish” button redirected them to the actual Phantom site.

The real Phantom website

Although the ads were immediately taken down, there were already several transactions done in the wallet that was created in the phishing page. This is mostly likely because the phishing page was used prior to it being published via the short-lived advertisement.

Following the crypto currency transaction associated with the exposed wallet, some SOL ended up in this wallet which contains over 870,00 SOL.

https://explorer.solana.com/address/5VCwKtCXgCJ6kit5FybXjvriW3xELsFDhYrPSqtJNmcD

It is the same wallet that was used when the Nobu Ninjas NFT minting website was hijacked via DNS cache poisoning. Details of how the hacking transpired are on Nobu Ninjas Twitter page.

Best Practices and Recommendations:

As of this writing, the phishing page has been suspended. Users are advised to verify every link before clicking/opening the site. Also, browser based crypto wallets need to be installed first as an extension in the browser, not after creating the wallet. In this scenario, the option to create a wallet comes first so it should trigger a red flag that it most probably a phishing page.

IOCs:

  • https[:]//phhanton[.]app
  • https[:]//phanton-account[.]website
  • https[:]//phanton-account[.]space

References:

You might also like

What is Microsoft Office 365 Advanced Threat Protection?

Office 365 Advanced Threat Protection (also known as ATP and Defender) can provide your organization with advanced security features - keeping you protected from cybersecurity threats. With today's cybersecurity landscape, where new threats appear daily, if not...

The Hidden Costs of Phishing & BEC

By Max Avory A couple of months ago we sat down with Damian Stalls, vCIO director at Fluid Networks to discuss how they dramatically reduced the time their security analysts spent managing the problem of phishing, BEC, and user education. Here were some of the...