Pokémon NFTs used as malware vectors.

Researchers have uncovered a phishing campaign utilizing a fake Pokémon NFT game to distribute the NetSupport remote access tool (RAT) onto unsuspecting users’ devices.

Phishing with Pokémon NFTs.

Researchers at the South Korean AhnLab Security Emergency Response Center (ASEC) reportedly found at least two phishing pages, “pokemon-go[.]io” and “beta-pokemoncards[.]io,” offering the installer of a fake Pokemon NFT card game used to distribute the NetSupport RAT onto victim devices, Cybernews reports. Clicking the “Play on PC” button on the phishing page would download a faux game installer, containing in actuality the NetSupport RAT, ASEC said. Neither of the links were reportedly active as of Monday.

The NetSupport RAT.

The NetSupport RAT is a legitimate tool, described in a report by CyberSecurity Connect as “designed for use by administrators, allowing them to remotely access devices and fix issues. It is a powerful tool that allows for screen recording, remote control, system monitoring, network traffic encryption and much more.” However, ASEC marked the tool as “malware” because the program “was not distributed in a form used for normal purposes but rather in a form designed for the threat actor to control the infected system,” Infosecurity Magazine reports.

Expert commentary on Pokémon NFTs.

Adrien Gendre, Chief Tech & Product Officer and Co-Founder at Vade, discusses the appeal of the online economy to threat actors, and improvements in quality of phishing scams:

"The hook of this attack that makes it so appealing is the gamification of NFTs and how easy it is to lure in victims despite obvious warning signs of a potential scam. As NFTs have become more ubiquitous, and the tools to create them more accessible, hackers have leaned into this burgeoning online-economy to take advantage of users.

"However, this specific campaign highlights an ongoing trend among phishers: higher quality scams. Many users are not able to tell the difference between real and fake when scammers take the time to up-level their hooks. Many users might still assume that phishers only work off the mass-attack method where quality matters little as long as a few in a million victims respond. Instead, phishers are now sharpening their hooks to dig in deeper, engaging users with details that a victim would normally not associate with a scheme, such as a high quality Pokémon game with detailed digital tokens. 

"Users need to take the time to do their due diligence when approaching online interactions in the NFT space. With very little recourse when it comes to sales and transfer of ownership, the economy attracts threat actors who see a widely unregulated space that they can take advantage of. Knowing to not download untrustworthy files or install games that aren’t from a regulated source, such as Steam, is a key factor in defending against attacks like this."