NFT Scams Part 2: Typosquatting Attacks targeting NFT marketplace users

BOLSTER has also paired this article with a FREE Cryptocurrency Scams Report.

Before we get started, there are a couple of terms I would like to introduce:

Typosquatting domains: Typosquatting domains are lookalike domains targeting a brand. They look very similar to the brand’s legitimate domain and are hard to tell apart. For example, rarible[.]com is the legitimate website of the famous NFT marketplace Rarible. rarbile[.]com is a typosquatting domain targeting Rarible.

Typosquatting attacks(/scams): Some typosquatting domains are registered and used for malicious purposes. They lead users to scam/ fraud pages or trigger malware downloads. For example, when you enter rarible[.]com in your browser’s URL address bar, you land on Rarible’s website. When you enter rarbile[.]com you are redirected to a webpage that downloads malware onto your computer (more details & proof in the coming sections).

The problem of typosquatting has been ever-existent in the world of online fraud. Almost every brand and industry we monitor is a target of these attacks. Brands operating in the NFT space are no exception. In this blog, we will go over examples of such scams, how to identify them, and how to protect yourself. There is also a bonus section on how brands can protect themselves and their users.

Attack Alert: Typosquats redirecting to Malware Downloads

Domain: rarbile[.]com

If you observe closely rarbile[.]com is a simple exchange of letters ‘b’ and ‘i’ compared to the legitimate rarible[.]com. We make these mistakes (typos) often and more so while on our phones. This is exactly what the attackers want you to do.

I’ve recorded a video of what happens when you enter rarbile[.]com in your browser’s URL address bar. It leads to a webpage prompting users to download the adobe flash player. In case you have not come across this before, Adobe stopped flash player support and also released a statement asking users to uninstall it for security reasons.

You can see in the video that I went ahead, downloaded it, and scanned it on VirusTotal. That file was flagged as a threat by 16 different security vendors.

Mistyping the domain name in the URL address bar is not the only way one can land on these typosquatting sites, someone can send you a URL with this domain in a messaging group, and you would not be able to spot it out unless you observe carefully.

As discussed in the first blog about NFT scams, Bolster advised users to be aware of such links shared in Telegram (or any other social media) groups.

Domain: wwwrarible[.]com

What would you do if someone texted you or emailed you the following link hxxps://wwwrarible[.]com/token/<nft_token_identifier> and asks you to check it out. If you observe closely, the link you received is ‘wwwrarible[.]com’, not ‘www[.]rarible[.]com’. It’s a different type of typosquatting attack leading to the same result.

Domain: rareible[.]com

rareible[.]com is another example of a typosquatting attack that leads to malware downloads. If you are trying to replicate this on your end, I would advise the following:

  1. Be careful, do not download the malware. If it auto downloaded – do not execute it.
  2. The redirects do not always take you to the malware downloads page. They can also redirect you to a random domain parking page sometimes.

Attack Alert: Typosquats redirecting to fake sweepstakes/ gift cards

Domain: rareble[.]com

The case of rareble[.]com is quite similar to the rarbile[.]com or the others discussed in the above section. The domain looks similar to rarible[.]com and is a typosquatting scam. What differs is the scam we end up at. Unlike the previous ones, this one leads users to a fake sweepstakes/ gift cards scam page.

This paragraph is for readers who are not aware of the fake sweepstakes/ gift card scams. Scammers offer prize money or gift cards to a user after playing a game. On rareble[.]com it’s a spin-to-win game. At the end of the game, the page prompts users to enter their personal information – name, physical address, phone number (occasionally credit card information) or redirects them to a survey page. The user will never receive the prize they were promised but will give away personal information to the scammers.

Here is a video showing how rareble[.]com is being abused to mislead users to a scam page

Trend Analysis

Here is the list of the typosquatting attacks we discussed in this blog so far:

Domain Registration Date
wwwrarible[.]com 26th March 2021
rarbile[.]com 1st March 2021
rareble[.]com 1st March 2021
rareible[.]com 19th February 2021

If you see the domain registration date column, you can quickly point out that they were recently registered. In the first part of this series, I claimed that the spike in suspicious domain registrations is a precursor to scams that will pop up. The typosquatting domains in this blog are a subset of the suspicious mentioned in the first part of this series.

Other Attacks:

Apart from malware downloads and fake sweepstakes, here is a list of other types of typosquatting scams/ attacks NFT users can expect to see:

  1. Pages impersonating an NFT marketplace and asking users to connect their crypto wallets. This could also be extended to hosting a replica (or fake) store on a typosquatting domain.
  2. Competitor redirects: We have seen typosquatting domains used for redirecting users to competitor websites in the past. We expect the same to happen with the NFT. Here is an example that is possibly targeting NFT marketplace SuperRare. Even though it is not hosting any scam, the ‘Artwork’ and ‘Paintings’ (relevant terms to SuperRare and its users) sections of the webpage are redirecting users to different websites selling art.

Quick Tips: Protect yourself from NFT typosquatting attacks

Here are a few tips to protect yourself from such typosquatting attacks:

  1. Before entering any information or download anything, carefully look at the domain. Look for misspellings or typos.
  2. Try to understand & question the intent of the webpage. Why are they giving away free prizes? Why is it asking me to install a flash player? Try googling out to see if the legitimate brand is doing a giveaway.
  3. If you come across a suspicious-looking URL, scan it on a site like CheckPhish to determine if it’s a scam.

Quick Tips: Protect your brand from NFT typosquatting attacks

If you are brand operating NFT space, here are a few tips to protect brand from such typosquatting attacks:

  1. Monitor: Frequently check and monitor active typosquatting domains that might target your brand.
  2. Register: Proactively register high-risk typosquatting domains that might target your brand.
  3. Takedown: Build a takedown service to take typosquatting domains hosting scams or work with a vendor to take them down.
  4. Educate: Educate your users and your employees on how they can protect themselves from these attacks.

Thank you for reading the blog and see you in the next one!

Have suspicious links? Scan them on CheckPhish

Looking to protect your brand from online fraud? Reach out to us here

Read more about our Automated Website Takedown Services here

Also, if you are interested in building cool technologies like this, we want you. Check out open positions here