Phishing websites "invade" Web3. These anti-fraud skills must be learned

According to Wikipedia, phishing is a criminal fraud process that attempts to obtain sensitive personal information such as usernames, passwords, and credit card details from electronic communications by disguising oneself as a reputable legal entity.

These communications claim to come from popular social networking sites (YouTube, Facebook, MySpace), auction sites (eBay), online banks, electronic payment sites (PayPal), or network administrators (Yahoo, Internet service providers, corporate agencies) in order to exploit the victims' trust.

Phishing is usually conducted through e-mail or instant messaging. It often directs users to enter personal information on a fake website whose URL and interface look and feel exactly like the real website. Even with strong SSL server authentication, it is still difficult to detect whether a website is fake. Phishing is an example of using social engineering techniques to fool users, and it exploits the poor usability of current network security technologies.

In the web3 world, phishing is mainly achieved through a series of means such as Twitter, Discord, and website forgery. It is usually accompanied by social engineering attacks such as pretexting, online chatting, baiting, equivalent exchange, and sympathy (see Wikipedia: Social Engineering for details), making it difficult to guard against.

This article will reveal some of the common phishing methods in the web3 world. Let’s take a look together.

Official Discord accounts hijacked to post phishing links

On May 23, 2022, the official Discord of MEE6 was attacked, resulting in account theft, and a link to a phishing mint website was posted in the official Discord group.

On May 6, 2022, the official Discord of the NFT trading market OpenSea was attacked. Hackers used a bot account to post fake links in the channel and claimed that "OpenSea has reached a cooperation with YouTube. Click on the link to participate in the minting of a limited number of 100 mint pass NFTs."

Recently, there have been more and more cases of official Discord servers being attacked. According to analysis by the Chengdu Lian'an Security Team, the possible causes are:

  • Project staff suffered phishing attacks, resulting in account theft;

  • The project owner downloaded malware, resulting in the account being stolen;

  • The project owner did not set up two-factor authentication and used a weak password, which led to the account being stolen;

  • The project party suffered a phishing attack, adding malicious bookmarks to bypass the browser's same-origin policy, resulting in the theft of the project party's Discord token.

Anti-fraud tips

Jay Chou suffered a phishing attack and NFTs worth millions were stolen

On April Fool's Day, April 1, 2022, Jay Chou posted on Instagram that the BAYC#3738 NFT he held had been stolen.

It is understood that the NFT was given by Huang Licheng in January this year. A check by the Chengdu Lian'an security team found that Jay Chou's wallet address starting with 0x71de2 first went to mint a new project and then encountered a phishing link. He then signed an authorization (approve) transaction around 11 o'clock, granting control of the NFT to the attacker's wallet starting with 0xe34f0. Jay Chou may not have realized that his NFT was already at risk at this point.

Just a few minutes later, the attacker transferred the Bored Ape BAYC #3738 NFT to his own wallet address at 11:07, and then sold the stolen NFT on LooksRare and OpenSea for approximately 169.6 ETH.
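The authorization step above is visible in the transaction data before it is signed. The following added example (not from the original article) decodes the two standard approval calls, `approve(address,uint256)` and `setApprovalForAll(address,bool)`, and reports who would gain control; it covers both calls rather than only the one in this incident. The grantee address and calldata are constructed placeholders, and only the token id 3738 comes from the article.

```javascript
// Added example: flag calldata that grants another address control of tokens.
// Selectors are the standard ERC-20/ERC-721 approval functions.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
};
const ZERO_ADDRESS = "0x" + "0".repeat(40);

function decodeApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const kind = APPROVAL_SELECTORS[hex.slice(0, 8)];
  // Selector (4 bytes) plus two 32-byte ABI words = 8 + 128 hex characters.
  if (!kind || !/^[0-9a-f]{136}$/.test(hex)) {
    return { kind: "other", risky: false, summary: "not an approval call" };
  }
  const grantee = "0x" + hex.slice(32, 72);   // low 20 bytes of word 0
  const value = BigInt("0x" + hex.slice(72)); // token id / amount, or bool flag
  if (kind === "approve") {
    // Approving the zero address clears an existing ERC-721 approval.
    // Any other grantee is treated as risky (conservative: the contract
    // type is unknown here, so an ERC-20 amount of 0 is not special-cased).
    const risky = grantee !== ZERO_ADDRESS;
    return { kind, grantee, value, risky,
      summary: risky ? `lets ${grantee} move token/amount ${value}`
                     : "clears an existing approval" };
  }
  const risky = value !== 0n; // false (0) means the operator is being revoked
  return { kind, grantee, value, risky,
    summary: risky ? `lets ${grantee} move EVERY token of this contract`
                   : "revokes operator access" };
}

// Constructed sample calldata; the grantee is a placeholder address.
const pad32 = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_GRANTEE = "0x" + "11".repeat(20);
const sampleApprove =
  "0x095ea7b3" + pad32(SAMPLE_GRANTEE) + pad32((3738).toString(16));
const sampleApproveAll = "0xa22cb465" + pad32(SAMPLE_GRANTEE) + pad32("1");
const sampleRevokeAll = "0xa22cb465" + pad32(SAMPLE_GRANTEE) + pad32("0");

for (const data of [sampleApprove, sampleApproveAll, sampleRevokeAll]) {
  console.log(decodeApproval(data).summary);
}
```
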

Anti-fraud tips:

Google Ads Vulnerability: Phishing Sites at the Top

On May 10, 2022, Serpent, the founder of Sentinel, a Discord and crypto threat mitigation system, tweeted that the first search result for the NFT trading platform X2Y2 on the Google search page was a scam website. It exploited a loophole in Google Ads to make the real website and the scam URL look exactly the same, and about 100 ETH had been stolen.

Anti-fraud tips

Fake bots impersonate project teams and send phishing links in private messages

Recently, when I was paying attention to a new project, I joined the official Discord group from the project's official website. After joining the group, I first conducted official bot identity verification in accordance with international practice. However, this verification message was sent by the bot in a private message. I had some doubts at this time, but after seeing the "bot" prompt label, I didn't think much about it.

But when I opened the link again, I found that it automatically called up my MetaMask wallet and asked me to enter the password. At this time, I was basically sure that there was something wrong with the website. After debugging and analysis, I found that the website was not a real MetaMask pop-up, but a fake website that imitated the MetaMask wallet interface. If you enter the password, you will be asked to verify the mnemonic phrase. In the end, the password and mnemonic phrase will be sent to the attacker's backend server. At that point, your wallet has been stolen.

Anti-fraud tips

Phishing websites with highly imitated domain names and contents

At present, the author has found various fake websites in the market, most of which imitate the official website in terms of domain name, content, etc. This method should be the most common in phishing. In summary, it mainly has the following forms:

(1) Change the top-level domain name, but keep the main name unchanged. For example, in the figure below, the top-level domain name of the official website is .com, and the top-level domain name of the phishing website is .fun.

(2) Adding words or symbols to the main name to confuse the user, such as opensea-office, cyber-kongz, etc.

(3) Adding a second-level domain name to confuse the target and conduct phishing scams.
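The three forms above can be checked mechanically against a known official domain. This added example (not from the original article) classifies a URL as one of the three lookalike forms; it assumes the registrable domain is the last two labels of the hostname, so suffixes such as .co.uk are not handled, and all sample URLs are constructed using reserved test TLDs.

```javascript
// Added example: classify a URL's hostname against one official domain.
// Assumption: registrable domain = last two labels (no Public Suffix List).
function splitHost(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return {
    name: labels.length >= 2 ? labels[labels.length - 2] : labels[0],
    tld: labels.length >= 2 ? labels[labels.length - 1] : "",
    sub: labels.slice(0, -2), // everything left of the registrable domain
  };
}

// Strip hyphens and other symbols so "cyber-kongz" compares as "cyberkongz".
const squash = (s) => s.replace(/[^a-z0-9]/g, "");

function classifyLookalike(candidateUrl, officialDomain) {
  let host;
  try {
    host = new URL(candidateUrl).hostname;
  } catch (e) {
    return "invalid-url";
  }
  const cand = splitHost(host);
  const off = splitHost(officialDomain);
  const brand = squash(off.name);

  if (cand.name === off.name && cand.tld === off.tld) return "official";
  if (cand.name === off.name) return "tld-swap";                    // form (1)
  if (squash(cand.name).includes(brand)) return "name-padding";     // form (2)
  if (cand.sub.some((l) => squash(l).includes(brand))) {
    return "subdomain-decoy";                                       // form (3)
  }
  return "unrelated";
}

// Constructed sample URLs; "opensea.io" is used as the official domain.
const SAMPLES = [
  "https://www.opensea.io/collection/x",
  "https://opensea.test/",
  "https://opensea-office.example/",
  "https://opensea.io.claim-portal.example/mint",
  "https://docs.example.org/",
];
for (const url of SAMPLES) {
  console.log(classifyLookalike(url, "opensea.io").padEnd(16), url);
}
```

A verdict of `official` only means the hostname belongs to the expected registrable domain; it says nothing about how the link reached the user.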

Anti-fraud tips

Phishing projects listed on OpenSea

When I was browsing OpenSea some time ago, I found a project whose official website had not yet been launched, but was listed on OpenSea for 10k, close to 5.4k owners. I became alert at once, and after careful analysis, I discovered a new phishing trick. This project first used method 5 to create a high-imitation official website and similar domain names, and then launched a project with a similar name on OpenSea, and added words such as free mint to attract attention.

In addition, some phishing websites will also work together with phishing Twitter to commit fraud:

Anti-fraud tips

Genuine and fake contract addresses

In March this year, a new and eye-opening scam appeared. The contract address of the ApeCoin project is:

0x4d224452801ACEd8B2F0aebE155379bb5D594381

The attacker deployed a fake contract whose address has the same first and last digits, and combined it with phishing promotion to carry out the fraud. The fake contract is:

0x4D221B9c0EE56604186a33F4f2433A3961C94381

This type of attack is rare, but it is very deceptive. Many security-conscious people will subconsciously check whether the first and last digits of the contract address are normal, but almost no one will write them down completely.
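Comparing the whole address against a pinned copy removes the need to memorize it. This added example (not from the original article) checks a candidate address against a pinned list and separately flags addresses that match a pinned entry only at the head and tail; the two addresses are the ones quoted above, while the pinned-list structure and the four-character threshold are assumptions.

```javascript
// Added example: compare a contract address in full against a pinned list,
// and flag addresses that only resemble a pinned one at both ends.
const PINNED = {
  ApeCoin: "0x4d224452801ACEd8B2F0aebE155379bb5D594381", // from the article
};

// Lower-case the 40 hex digits; return null if the format is wrong.
function normalize(addr) {
  const a = String(addr).trim().toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a.slice(2) : null;
}

// Count identical characters from the start, or from the end if fromEnd.
function sharedRun(a, b, fromEnd) {
  let n = 0;
  while (n < a.length) {
    const i = fromEnd ? a.length - 1 - n : n;
    if (a[i] !== b[i]) break;
    n++;
  }
  return n;
}

// minEnds is an assumed threshold: how many matching characters at each
// end are enough to fool a head-and-tail visual check.
function checkContractAddress(candidate, pinned = PINNED, minEnds = 4) {
  const cand = normalize(candidate);
  if (cand === null) return { verdict: "malformed" };
  for (const [name, addr] of Object.entries(pinned)) {
    const good = normalize(addr);
    if (cand === good) return { verdict: "match", name };
    const prefix = sharedRun(cand, good, false);
    const suffix = sharedRun(cand, good, true);
    // Same head and tail, different middle: the spoof described above.
    if (prefix >= minEnds && suffix >= minEnds) {
      return { verdict: "lookalike", name, prefix, suffix };
    }
  }
  return { verdict: "unknown" };
}

const FAKE = "0x4D221B9c0EE56604186a33F4f2433A3961C94381"; // from the article
console.log(checkContractAddress(FAKE));
console.log(checkContractAddress(PINNED.ApeCoin.toUpperCase().replace("0X", "0x")));
```
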

Anti-fraud tips

The above lists only the common methods used in phishing scams. As web3 continues to grow in popularity, new phishing scams keep emerging. Users should keep the above anti-fraud tips in mind and do their best to avoid being phished. If you have already been scammed, you can take the following measures to remedy the situation as much as possible:

Remedial measures

  • Immediately isolate assets and transfer remaining assets to a safe location as quickly as possible to avoid greater losses;

  • Proactively release a statement to inform everyone of the stolen account information to avoid endangering friends and the community;

  • Keep as much evidence as possible and seek follow-up processing from the project party or organization;

  • You can seek professional security companies to track funds, such as Chengdu Lian'an.

Finally, it is recommended to record and share the experience of being deceived so that others can learn from it. Fighting phishing and fraud requires everyone's attention and participation.
