Fake Pudgy Penguins phishing page 'plays dead' when it thinks it's being probed to avoid detection

There's a chance, if you don't care about / dislike NFTs (same), Web3 games (same), or cryptocurrency (three for three), you've never heard of Pudgy Penguins. But the NFT brand has somehow made its way onto Walmart shelves and launched a game this month, which has already been hit by a pretty nasty phishing scam.

As pointed out by Malwarebytes, the phishing site abuses the fact that the web browser game Pudgy World connects to users' crypto wallets to verify digital items.

The site is intended to mimic the verification step, which shows the user a fake wallet unlock screen. This then redirects them to hand over all of their information. "To the user, it looks for all the world like the real crypto wallet software they already trust."

Article continues below

Malwarebytes notes that the level of detail on this phishing site is high, not only accurately replicating the site's design but even a pop-up window to resemble Reown WalletConnect, a wallet connection library that Pudgy World uses.

Interestingly, the fake pop-up then renders an overlay, designed to look like the legitimate unlock screen. Where Pudgy World might send users to their own downloaded software, this website instead employs an overlay, tricking them into believing their own applications are being used.

"For every browser extension wallet on the list, the phishing site renders an unlock screen built to match the real extension’s own visual identity, with the correct logo, colour scheme, button layout, and wording."

The cunning tricks don't end there. Malwarebytes notes it's a "page that plays dead for researchers" by testing hardware, checking if it's run in a virtual machine, and looking for automated tools. Effectively, the malicious element of the attack simply doesn't load if it suspects researchers are accessing it.

Crypto owners are among those most targeted by hackers, likely related to the amount of currency they have in their wallets, and how easy it is to obscure transactions through the blockchain. Just last month, we saw a social engineering scam deepfaking CEOs, using fake troubleshooting programs to steal cryptocurrency. Even Cloudflare's recent report on today's threat landscape echoes a focus on cryptobros.

Naturally, to avoid being caught up in any scam, be vigilant of sites you enter, what information you give away, and the people who talk to you. Scams are only getting smarter, so users and cybersecurity experts have to get just as smart in response.