Pudgy Penguins NFT users targeted by malicious Google ad campaign

A sophisticated phishing campaign has been uncovered, targeting users of the Pudgy Penguins NFT project through malicious Google Ads.

The attack uses advanced mechanisms to exploit vulnerabilities in Web3 wallets and ad networks, exposing unsuspecting users to significant risks.

Researchers, including ScamSniffer, have identified the malicious ads as part of a broader effort to deceive crypto enthusiasts, raising concerns across the Web3 ecosystem.

 

 

The incident underscores the growing need for heightened vigilance, robust security practices, and better regulatory oversight among NFT holders and Web3 participants to mitigate these threats effectively.

How the NFT phishing attack works

The attackers utilise Google Ads to distribute phishing scripts hosted on the Adloox tracking domain.

These scripts scan users’ browsers for Web3 wallets. When a wallet is detected, the user is redirected to a fraudulent site—pudqypenguin[.]com—designed to steal wallet credentials.

What sets this campaign apart is its ability to exploit Prebid.js, a widely used header bidding API library.

Websites integrating the Adloox analytics module may unknowingly transmit malware-laden scripts, making users more vulnerable to such attacks.

Although Pudgy Penguins NFT users are the immediate targets, researchers warn that the method could easily be adapted for other Web3 projects, amplifying its potential impact.

The attack’s sophisticated nature and its reliance on established advertising frameworks highlight a worrying trend in phishing tactics, especially for the crypto industry.

With growing reliance on Web3 wallets for transactions and asset storage, the repercussions of such breaches could extend beyond individual users, affecting the broader ecosystem, reducing trust in decentralised platforms, and impacting the confidence of new Web3 adopters.

Mitigation measures

Following the exposure of this campaign, calls for proactive user measures have intensified. Recommended steps to minimise risks include:

ScamSniffer, a phishing detection tool, has also proven effective in identifying and mitigating similar threats. The swift response of researchers like ZachXBT has been pivotal in addressing the immediate risks.

After the campaign was publicised, Adloox removed the compromised JavaScript files, halting further damage and offering some relief to affected users.

This phishing campaign is a wake-up call for the Web3 community, emphasising the importance of user education, secure browsing practices, and vigilance in the rapidly evolving crypto landscape.

As attackers continue to refine their methods, both users and platform providers must adopt comprehensive security measures to safeguard the integrity of digital assets and interactions.

Collaborative efforts between security researchers, ad networks, and Web3 developers will be essential in preventing future attacks of this scale and complexity.