Many popular brands are trying to cash in on the NFT craze, and Ferrari is no exception. The famous sports car brand announced its intentions to get into the game several months ago, but has yet to release NFTs of its popular vehicles. Some hackers beat the company to the punch, using a compromised subdomain to host an NFT scam taking advantage of the project’s slow development.
Ferrari NFT scam makes off with some money, but appears to have overall minimal impact
The thieves appear to have made off with less than $1,000 in the NFT scam, owing to quick action to shut it down once it was noticed.
The incident is the result of an unknown party breaching a Ferrari subdomain used to host forms, and it comes as the high-end car company begins expanding into both the crypto world and the Metaverse in an ambitious way. Between late 2021 and early 2022, Ferrari announced a variety of general plans in these areas, but it has been slow to provide specifics or follow through with concrete offerings.
Ferrari’s first venture into this world was the addition of one of its famous racing cars to the popular game Fortnite in 2021. The company has promised NFTs based on its cars, but that project is still in the works and not much information has been made available to the public.
Unknown party takes advantage of Ferrari-Velas announcement to deploy NFT scam
Ferrari has partnered with blockchain and esports developer Velas AG to create a series of NFTs based on the company’s vehicles and racing teams. These NFTs are not yet available, creating an opening for the hackers to concoct an NFT scam.
The attackers, who remain unidentified at this time, exploited a vulnerability in Adobe Experience Manager (a piece of digital document software also used for building websites and mobile apps) to gain illicit access to the “forms.ferrari.com” subdomain. This allowed them to create and post a fake page on the domain touting the non-existent “Mint Your Ferrari” NFT program.
Through the fake page, the fraudsters took Ethereum payments to a crypto wallet for digital assets they had no intention of delivering. Monitoring of the wallet address they provided shows that they collected about $800 in payments before being shut down, and that the attackers have gradually moved all of the money out of the wallet. There is no word yet from Ferrari about any potential reimbursement for victims.
The scam was quickly noticed by independent hacker and bug bounty hunter Sam Curry, who posted about it on Twitter. The attack appears to have lasted for less than a day before Ferrari took down the compromised subdomain, and Etherscan has flagged the wallet that was used for suspicious activity. NFTs have not been spared in the recent crypto market crash, but they had already been in decline before it, after peaking in value in February.