In the Wikipedia definition,PhishingIt is a criminal fraud process that attempts to obtain personal sensitive information such as user name, password and credit card details from electronic communication through disguised as reputable corporate media.
These communications claim to come from popular social networking sites (youtube, Facebook, MySpace), auction sites (eBay), online banking, electronic payment sites (PayPal), or network managers (Yahoo, Internet service providers, corporate authorities), in order to deceive the victim's credulity.
Net fishing is usually carried out through e-mail or instant messaging. It often leads users to enter personal data into fake websites with URLs and interfaces that look almost the same as real websites. Even if strong encryption SSL server authentication is used, it is still difficult to detect whether the website is counterfeit. Net fishing is an example of using social engineering technology to fool users. It relies on the low affinity of the current network security technology.
In the Web3 world, phishing is mainly realized through a series of means such as twitter, discord and website forgery. It is usually accompanied by social engineering attacks such as pretense, online chat, baiting, equivalent exchange and compassion (see Wikipedia: social engineering for details).
This article will reveal several common fishing methods in the Web3 world. Let's take a look.
On May 23, 2022, mee6 official discord was attacked, resulting in account theft. Mint's phishing website information was published in the official discord group.
On May 6, 2022, the official discord of opensea in the NFT trading market was attacked. Hackers used their robot account to publish false links in the channel and claimed that "opensea has reached a cooperation with youtube, and clicking the link can participate in casting a limited number of 100 Mint pass NFTs".
Recently, there are more and more attacks on official discord. According to the analysis of Chengdu chain security team, the reasons may be:
On April 1, 2022, Jay Chou posted on instagram that his bayc#3738 NFT had been stolen.
It is understood that NFT will present it in January this year.After checking by the Chengdu chain security team, it was found that Jay Chou's wallet address beginning with 0x71de2 went to the mint new project first and then encountered a phishing link. Then he signed the approve transaction around 11 o'clock and granted the authority of NFT to the attacker's wallet beginning with 0xe34f0. Maybe Jay didn't realize that his NFT was at risk at this time.
In the past few minutes, the attacker transferred the boring ape bayc #3738 NFT to his wallet address at 11:07, and then sold the stolen NFT on looksrare and opensea to obtain about 169.6 eth.
On May 10, 2022, serpent, founder of discord and sentinel, the encryption threat mitigation system, tweeted that the first search result of NFT trading platform x2y2 on the Google search page was a fraud website. It took advantage of the loophole of Google Advertising to make the real website and the fraud URL look exactly the same, and about 100 eth had been stolen.
Recently, when I was paying attention to a new project, I joined the official discord community from the official website of the project. After adding the group, I first carried out the official robot identity verification according to international practice. However, this verification message was sent by a private letter from the robot. At this time, I had some questions in my heart, but I didn't think much after seeing the prompt label of "robot".
But when I opened the link again, I found that it automatically aroused my metamask wallet and asked for a password. At this time, it was basically determined that there was a problem with the website. After debugging and analysis, it is found that the website is not the real metamask pop-up, but the fake metamask wallet interface of the fake website. If you enter the password, you will ask for mnemonic verification. Finally, the password and mnemonic will be sent to the attacker's background server. Since then, your wallet has been stolen.
At present, the author has found a variety of fake websites in the market, most of which imitate the domain name and content of the official websites to a very high degree. This method should be the most common in phishing. Its inductive analysis mainly includes the following forms:
(1) Change the top-level domain name and keep the main name unchanged. For example, the top-level domain name of the official website in the figure below is COM, the top-level domain name of phishing website is fun。
(2) Add words or symbols to the subject name for confusion, such as opensea office, cyber kongz, etc.
(3) Add secondary domain names for confusion and phishing.
While traveling in opensea some time ago, the author found a project that has not been sold on the official website, but it was listed on opensea for 10K, close to 5.4kowner. For a time, I was vigilant. After careful analysis, I found a new fishing routine. This project first made a high imitation official website and similar domain names using method 5, and then launched projects with similar names on opensea, adding words such as free mint to attract attention.
In addition, some phishing websites will also cooperate with phishing twitter to commit fraud:
In March this year, a new scam appeared, which also opened people's eyes. The contract address of apecoin project is 0x4d2244452801aced8b2f0aebe155379bb5d594381
The attacker forged the same fake contract between the front and back, and carried out fishing fraud together with fishing publicity. The fake contract is 0x4d221b9c0ee56604186a333f4f2433a961c94381
This kind of attack is rare, but it is very confusing. Many security conscious people will subconsciously check whether the front and back digits of the contract address are normal, but almost no one will write them down.
The above only lists the common means in the fishing fraud industry, and now, with the continuous popularity of Web3, the ways of fishing fraud emerge one after another. Users should try their best not to be cheated by the above phishing skills. However, in case of fraud, the following measures can be taken to remedy as much as possible:
-Immediately isolate the assets and transfer the remaining assets to a safe location as soon as possible to avoid greater losses;
-Take the initiative to issue a statement to inform everyone of the relevant information of the stolen account, so as to avoid endangering friends and the community;
-Retain evidence as much as possible and seek follow-up treatment from the project party or institution;
-You can seek professional security companies for fund tracking, such as Chengdu Lianan.
Finally, it is suggested to record and share the experience of being cheated and encourage everyone. Anti fishing and anti fraud require everyone's attention and participation.