Scammers are everywhere, so crypto enthusiasts using the Discord should be aware of this phishing scam.

Background Information

The blockchain ecosystem is still very much like the wild west; anything is possible in this world. If we want to establish a safe and secure environment for everyone, we must always remain one step ahead of malicious parties.

In our recent publication, The Blockchain Dark Forest Self-help Manual, it mentioned methods of phishing incidents on Discord of NFT projects.

In this article, we will explain how these incidents were made possible so you can stay vigilant at all times. One method used was to obtain the discord token of NFTs projects through malicious bookmarks and use it to post phishing links.

Phishing Incidents

Let us begin by examining an incident that occurred on March 14, 2022. According to a tweet by @Serpent, the Wizard Pass NFT project’s Discord server was infiltrated by scammers, and NFTs such as BAYC, Doodles, and Clone X were stolen.

Details below:

https://twitter.com/SerpentAU/status/1503232270219431941

Here’s an explanation by @Sentinewtf:

https://twitter.com/sentinelwtf/status/1496293768542429187

The bookmark mentioned here is a browser bookmark. The contents of this bookmark contain a piece of malicious JavaScript code. When a user clicks on the malicious JavaScript code, it executes the Discord domain where the user is located and steals the token. Once the attacker gains access to the NFT projects’ discord token, they can directly take over relevant permissions of the account.

Background knowledge

This incident requires the readers to have some technical background. Current browsers have their own bookmark managers, which provide convenience but can be easily exploited. By carefully constructing a malicious phishing page, the attacker can trick you into inserting a piece of JavaScript code into your favorite bookmark. Once you click on the bookmark, it will be executed in the domain of the current browser tab.

In the example above, the victim opens discord.com from the official website. Next to it, I clicked on the malicious bookmark “Hello, World!” that I had previously saved. A pop-up statement is executed, and the source of execution shows discord.com.

There is a concept of domain here. Browsers have protection policies such as the same-origin policy. There is a concept of domain here. Browsers have protection policies such as the same-origin policy. Operations that don’t belong to discord.com should not respond to pages on discord.com, but bookmarks don’t follow this rule.

It is foreseeable that such a small function of bookmarks has hidden security issues. The bookmark URL is obvious when normally adding bookmarks.

Disclaimer: As a blockchain information platform, the articles published on this site represent the personal views of the authors and guests, and have nothing to do with Web3Caff’s position. The content of this article is for information sharing only, and does not constitute any investment advice or offer, and please comply with the relevant laws and regulations of your country or region.