Target:
Gaming Website
Communication Channels:
Telegram

Executive Summary

SafeGuard Cyber detected a link to a phishing website posted in a Telegram channel monitored as part of our work with Financial Services customers. The site is made to look like the legitimate website https://www.sandbox.game, which hosts the metaverse game The Sandbox.

Event Analysis

– The website at hxxps://thesandboxnft.net is spoofed to look like The Sandbox game, which is hosted at hxxps://www.sandbox.game. The goal of the site appears to be to trick victims into connecting their crypto wallets.

Key Takeaways

It is unknown whether the attack targeted a particular user or was simply trying to lure anyone who followed the link. The site is already flagged by some anti-virus products; in this case it was detected by Avast.

The fake site reproduces the content of the legitimate site, and its only apparent purpose is to get victims to link their crypto wallets. The legitimate site is served through Cloudflare, a US-based cloud provider; the fake site is hosted with a provider based in Russia. Note that when a site is fronted by Cloudflare, the US location reflects Cloudflare's edge network rather than the origin server.

The fake site is a phishing page: anything you enter there ends up in the scammers' hands, including a wallet password or recovery (seed) phrase and any other financial details. A legitimate site never needs your recovery phrase to connect a wallet; a page that asks for it is a scam.
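As an added example, not part of the original report or of SafeGuard Cyber's product, the following Python script shows how the lookalike-domain pattern described above and the IOCs listed at the end of this report can be turned into a simple triage check over Telegram message text. It refangs the defanged indicators, extracts URLs from each message, and classifies each URL as legitimate, a known IOC, a brand lookalike, or unknown. The sample messages are constructed for illustration, and the two-label rule for the registrable domain is a simplification (a production check would use the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Legitimate brand domain named in the report, and the brand token a lookalike
# domain would need to carry to fool a reader.
LEGIT_DOMAIN = "sandbox.game"
BRAND_TOKENS = ("sandbox",)

# Indicators copied from the report's IOC list, still defanged.
DEFANGED_IOCS = ["hxxps://thesandboxnft.net", "213.226.123.87"]

URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>()\[\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc):
    """Convert hxxp/hxxps and [.] / [:] defanging back to the real form."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def registered_domain(host):
    """Registrable domain of a hostname, approximated as its last two labels.
    Assumption: a production check would consult the Public Suffix List."""
    host = host.lower().rstrip(".")
    if IPV4_RE.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def load_iocs(defanged):
    """Split a defanged IOC list into registrable domains and IPv4 addresses."""
    domains, ips = set(), set()
    for ioc in map(refang, defanged):
        if IPV4_RE.match(ioc):
            ips.add(ioc)
        else:
            host = urlparse(ioc if "://" in ioc else "http://" + ioc).hostname or ""
            domains.add(registered_domain(host))
    return domains, ips


IOC_DOMAINS, IOC_IPS = load_iocs(DEFANGED_IOCS)


def classify_url(url, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return a verdict for one URL: legitimate, known_ioc, lookalike or unknown."""
    host = (urlparse(refang(url)).hostname or "").lower()
    reg = registered_domain(host)
    reasons = []
    if reg == LEGIT_DOMAIN:
        return {"url": url, "host": host, "verdict": "legitimate", "reasons": reasons}
    if host in ioc_ips or reg in ioc_domains:
        reasons.append("matches IOC list")
    # Strip hyphens so a host like "sandbox-game-rewards.com" still trips the check.
    if any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
        reasons.append("brand token in a domain not owned by the brand: " + reg)
    if "matches IOC list" in reasons:
        verdict = "known_ioc"
    elif reasons:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def scan_message(text):
    """Extract every URL from a message and classify each one."""
    return [classify_url(m.group(0)) for m in URL_RE.finditer(text)]


# Constructed sample messages (not real captures) in the style of the lure.
SAMPLE_MESSAGES = [
    "Sandbox airdrop live! Connect your wallet at hxxps://thesandboxnft.net/claim today",
    "Official site: https://www.sandbox.game/en/",
    "News: https://example.org/post and a mirror at http://213.226.123.87/login",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in scan_message(msg):
            print(finding["verdict"], finding["url"], "; ".join(finding["reasons"]))
```

The brand-token check deliberately fires on any domain that carries the brand name but is not the brand's own registrable domain, so a subdomain trick such as sandbox.game.evil.net is flagged as a lookalike even when it is not yet on an IOC list.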

Screenshots attached below.

Use Case

Visibility into business communication channels that could put customers and employees at risk.

Businesses can work with SafeGuard Cyber to build out custom machine learning to detect and alert on social engineering attacks targeting their Telegram users with fake websites that ultimately scam victims into linking their crypto wallets. 

Take SafeGuard Cyber's Security Tour to see first-hand examples of how to prepare for and counter such attacks.

Screenshots

[Screenshot: alert in the SafeGuard Cyber platform]

[Screenshot: Telegram message archive]

This message from a user named Omotayo was posted to a Telegram supergroup and reached a large number of members. The extent of impact is unknown, but the linked site is fake and requires visitors to sign up by connecting a crypto wallet.

Below is a screenshot of the fake website. At the top right of the webpage there is a “connect wallet” icon.

[Screenshot: fake website, thesandboxnft.net]

Here is a screenshot of the legitimate website. The top right of this page allows the user to simply sign in and play the game. There is no “connect wallet” icon found on the main page.

[Screenshot: legitimate website, sandbox.game]

IOCs:
– URL: hxxps://thesandboxnft.net
– IP: 213.226.123.87


If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.
