Phony (NFT) Airdrops are Targeting Solana (SOL) Wallets to Steal Passwords & Digital Assets

1 min read

REPORT

Fake NFT Airdrops Attempting To Compromise Solana (SOL) Wallets and Siphon Crypto Assets

According to a new report by BleepingComputer, attacks began two weeks ago and pose as needed Phantom security upgrades titled “PHANTOMUPDATE.COM” or “UPDATEPHANTOM.COM”

By allowing the updates, the malware is downloaded by the user. It is unclear exactly what is the source of the malware but it is designed “to steal browser information, such as history, cookies, and passwords, as well as SSH keys and other information,” per the report.

“When opening the NFTs, wallet owners are told that a new security update has been released and that they should click the enclosed link or visit the site to download and install it. ‘Phantom requires all users to update their wallets. This must be done as soon as possible,’ reads the warning in the fake Phantom update NFT. ‘Failing to do so, may result in loss of funds due to hackers exploiting the Solana network. Visit www.updatephantom.com to get the latest security update.’”

The report suggests it may be MarsStealer, a previous malware effort using a similar file name.

“The goal of this campaign is likely to steal cryptocurrency wallets and passwords that would allow the threat actors to steal all crypto funds and compromise other accounts belonging to the victim.”

Those who fall victim to the scam should take several steps, according to BleepingComputer.

“Victims who installed the fake Phantom security update should immediately scan their computer with an antivirus program and then transfer crypto funds and assets from their existing Phantom wallet to a new one.

Next, victims should change their passwords on all sites they use, focusing on cryptocurrency trading platforms, online wallets, bank accounts, email, or other sensitive platforms.

Ultimately, victims should change their password to a unique one for every site they visit to prevent credential leaks at one site from affecting other sites.”

 

 

Via this site