3/10 Phishing Email

What happened?

At around 8:30 am Pacific Time on March 10, 2022, an attacker gained access to a third-party email service used by the Celo Foundation to manage some of its community mailing lists. The attacker persistently targeted this vendor with social engineering attacks directed at the customer support team. Eventually, the attacker did obtain the primary account holder name, and was able to create a new account allowing them to access the service.

The attacker accessed a Celo community contact list held with the third-party vendor. The attacker sent a phishing email to the full contact list of 25,741 users with subject "Your Celo wallet might be comrpomised [sic].” The phishing email included a link to a fraudulent website directing users to enter their recovery phrase.

If we learn that the attacker downloaded the list of contacts, we will follow-up with any individuals who have been impacted. Importantly, no passwords, login credentials, or recovery phrases are contained in these records.

The Celo Foundation’s accounts have multi-factor authentication enabled and, to our knowledge, at no time were Celo account credentials compromised during this event.

How did the Celo Foundation respond?

Our Security team identified the phishing attempt minutes after the email was sent, and then posted warnings on Twitter and on Celo’s Discord server. The Valora Security team also sent a push notification to every Valora user warning of the attack.

The Security team investigated and confirmed that the third-party email service was the attack vector. They sent an email to those affected warning of the phishing attempt. This occurred approximately one hour after the phishing email was sent.

Additionally, the Security team engaged the phishing site’s domain registrar, its hosting service, Google’s Safe Browsing team, and other anti-phishing and takedown services, resulting in the site being marked as a deceptive site in Chrome approximately 2 hours after the attack and then made fully unavailable within approximately 3 hours of the attack.

What is the Celo Foundation doing to help affected users?

The Security team is working with individuals whose crypto accounts may be at risk to help the individuals secure their funds.

The Foundation has engaged blockchain analysis services to gather as much information as possible, and will provide updates directly to those impacted, where possible.

I entered my recovery phrase in the phishing website. Are my funds safe?

If you entered a recovery phrase for a crypto wallet on any network, Celo or otherwise, in the phishing website, please transfer any funds in that wallet to a new wallet as soon as possible.

The Valora Support team is available to provide assistance. Please tap Contact (Menu > Help > Contact) in the Valora app or contact [email protected].

I clicked into the phishing website, but didn’t enter my recovery phrase. Am I safe?

We do not believe the website carried malware. The Security team advises that you may best safeguard yourself from malware by ensuring your operating system, browser and antivirus software is up to date. Never open an attachment, click on links, or reply to messages unless you are 100 percent certain that the source is safe.

How was the attacker able to send emails from the Celo Foundation?

The attacker gained access to the mailing list service third-party provider, which is an approved sender of mail from the celo.org domain.

Did the attacker get access to Celo Foundation accounts?

No. All accounts were secured with multi-factor authentication, and none appear to have been compromised. Instead, it appears the attacker used social engineering on the mailing list vendor to create a new account with access to Celo Foundation data.

Is the Celo network secure?

Yes. The Celo network remains secure and unaffected by this.

What can I do to be safe going forward?

Unfortunately, phishing attempts are increasingly common. Please continue to be vigilant. You should be suspicious of any unsolicited emails or communications regarding account access information.

The Celo Foundation does not have access to your account or recovery phrase, and cannot disable your account, as claimed in the phishing email. You should never give your recovery phrase (also called a seed phrase, mnemonic, or 24-word phrase) to anyone.

You should also regularly update operating system and browser software when made available, to protect against malware attacks. Always check the website address is one you expect and trust, and the padlock next to it indicates the connection is valid and secure.

What should I do if I believe I’ve received another Celo-related phishing email?

Do not click on any links. Forward the email to [email protected] immediately, and then delete the suspicious email.

What’s next?

The Celo Foundation is offering its full assistance to the third-party mailing list vendor as they conduct an investigation into the attack on their service, and will share updates and information as it becomes available. If we learn that the attacker downloaded the list of contacts, we will follow-up with any individuals who have been impacted.