Today, Blockaid researchers discovered a phishing attack in which an attacker leveraged a vulnerability in the email service provider Mailer Lite to impersonate web3 companies including Wallet Connect, Token Terminal, CoinTelegraph, de.fi, and potentially others. Through this compromise the attackers were able to send convincing emails to end users, linking to malicious wallet drainers that drained over $600k, while Blockaid instantly protected millions of users and was able to safeguard $2.7M.

Attackers took advantage of the fact that Mailer Lite had previously been given permission to send email on behalf of these sites' domains, enabling them to craft emails that appeared to come from these organizations. Here's what those emails looked like:

Specifically, attackers took advantage of "dangling DNS" records that had been created and associated with Mailer Lite while these services were using Mailer Lite. After the accounts were closed, these DNS records remained active, giving attackers the opportunity to claim those Mailer Lite accounts and, with them, the ability to send email that was authorized by the organizations' official DNS records.
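The defensive counterpart to this finding is a periodic audit of which third parties a domain's DNS still authorizes to send mail, flagging any provider the organization no longer uses. The check below is an added example, not Blockaid's or Mailer Lite's code; it assumes the delegation takes the form of SPF `include:` mechanisms and DKIM CNAME records (the post does not say which record types were involved), and the record values, provider names and allowlist are constructed so it runs offline.

```python
"""Audit a domain's SPF includes and DKIM CNAME delegations against the set of
email providers the organization still actively uses. Record data is constructed
inline; in production it would be fetched from a live resolver."""
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SPF_TXT = "v=spf1 include:_spf.google.com include:_spf.example-esp.invalid -all"
DKIM_CNAMES = {
    "google._domainkey.example.com": "dkim.google.com.",
    "esp._domainkey.example.com": "esp._domainkey.example-esp.invalid.",
}
# Providers the organization currently contracts with (hypothetical allowlist).
ACTIVE_PROVIDERS = {"google.com"}


def spf_includes(record: str) -> list[str]:
    """Return the domains named by include: mechanisms in an SPF TXT record."""
    if not record.lower().startswith("v=spf1"):
        return []
    return [m.group(1).lower() for m in re.finditer(r"\binclude:(\S+)", record)]


def base_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, no public-suffix list."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dangling(spf: str, dkim: dict[str, str], active: set[str]) -> list[str]:
    """Flag every SPF include or DKIM CNAME delegated to a provider not in `active`.

    Each finding is a delegation that should either be removed from DNS or
    re-confirmed as belonging to a provider account the organization controls."""
    findings = []
    for inc in spf_includes(spf):
        if base_domain(inc) not in active:
            findings.append(f"SPF include:{inc} -> {base_domain(inc)} not an active provider")
    for name, target in dkim.items():
        if base_domain(target) not in active:
            findings.append(f"DKIM CNAME {name} -> {target} not an active provider")
    return findings


if __name__ == "__main__":
    for line in find_dangling(SPF_TXT, DKIM_CNAMES, ACTIVE_PROVIDERS):
        print(line)
```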

These emails led to a handful of malicious dApps that use Angel Drainer Group infrastructure (of Ledger Connect Kit attack fame); here are some examples:

Angel Drainer has increased the rate at which it launches malicious dApps, indicating an uptick in attacks on users. The graph below shows the daily number of requests to Angel infrastructure, which increased dramatically on the 16th of the month and remains high.