Dry goods | phishing website "invades" Web3, these anti fraud skills must be learned!

Published on 1 Months ago   168 views   0 Comments  

In the Wikipedia definition,PhishingIt is a criminal fraud process that attempts to obtain personal sensitive information such as user name, password and credit card details from electronic communication through disguised as reputable corporate media.

These communications claim to come from popular social networking sites (youtube, Facebook, MySpace), auction sites (eBay), online banking, electronic payment sites (PayPal), or network managers (Yahoo, Internet service providers, corporate authorities), in order to deceive the victim's credulity.

Net fishing is usually carried out through e-mail or instant messaging. It often leads users to enter personal data into fake websites with URLs and interfaces that look almost the same as real websites. Even if strong encryption SSL server authentication is used, it is still difficult to detect whether the website is counterfeit. Net fishing is an example of using social engineering technology to fool users. It relies on the low affinity of the current network security technology.

In the Web3 world, phishing is mainly realized through a series of means such as twitter, discord and website forgery. It is usually accompanied by social engineering attacks such as pretense, online chat, baiting, equivalent exchange and compassion (see Wikipedia: social engineering for details).

This article will reveal several common fishing methods in the Web3 world. Let's take a look.

The official discord was stolen and released phishing information

On May 23, 2022, mee6 official discord was attacked, resulting in account theft. Mint's phishing website information was published in the official discord group.

On May 6, 2022, the official discord of opensea in the NFT trading market was attacked. Hackers used their robot account to publish false links in the channel and claimed that "opensea has reached a cooperation with youtube, and clicking the link can participate in casting a limited number of 100 Mint pass NFTs".

Recently, there are more and more attacks on official discord. According to the analysis of Chengdu chain security team, the reasons may be:

• The employees of the project party were attacked by phishing, resulting in account theft;
• The project party downloads malicious software, resulting in account theft;
• The project party did not set up two factor authentication and used weak password, resulting in account theft;
• The project party was attacked by phishing and added malicious bookmarks to bypass the browser homology policy, resulting in the theft of the project party's discord token.

Fraud prevention skills

1. As the project party, we should adopt the official recommended security operations such as using two factor authentication and setting strong password to protect the account; The project party should be alert to various traditional network attacks and social engineering attacks against itself, avoid downloading malware and visiting phishing websites.
2. As a Web3 user, we should first have this awareness: the official discord account is stolen more and more frequently, and the official news may also be phishing information. The official is not absolutely safe. In addition, we should be cautious in any place where we need our own authorization or transaction, and try to cross confirm information from multiple channels.

Jay Chou suffered a million dollar phishing attack

On April 1, 2022, Jay Chou posted on instagram that his bayc#3738 NFT had been stolen.

It is understood that NFT will present it in January this year.After checking by the Chengdu chain security team, it was found that Jay Chou's wallet address beginning with 0x71de2 went to the mint new project first and then encountered a phishing link. Then he signed the approve transaction around 11 o'clock and granted the authority of NFT to the attacker's wallet beginning with 0xe34f0. Maybe Jay didn't realize that his NFT was at risk at this time.

In the past few minutes, the attacker transferred the boring ape bayc #3738 NFT to his wallet address at 11:07, and then sold the stolen NFT on looksrare and opensea to obtain about 169.6 eth.

Fraud prevention skills

1. As a user, you must not trust private chat. Attackers will generally entice you to click the link of phishing website through private letter or email. All information shall be subject to the official website first, assisted by cross verification, and verified by multiple channels with multiple guarantees.
2. After the new project of mint, Mr. Zhou guessed that the swindler was in a good mood after taking advantage of the new project of mint. After his vigilance was relaxed, he quickly pushed phishing links to attack. Therefore, the user must not relax in anti fraud to ensure that every step is safe.

Phishing website with Google Advertising loopholes at the top

On May 10, 2022, serpent, founder of discord and sentinel, the encryption threat mitigation system, tweeted that the first search result of NFT trading platform x2y2 on the Google search page was a fraud website. It took advantage of the loophole of Google Advertising to make the real website and the fraud URL look exactly the same, and about 100 eth had been stolen.

Fraud prevention skills

1. Although search engines are convenient, they are not necessarily true. The advertising system of search engine is easy to be used by malicious websites. Users try to enter through the official website portal authenticated by official twitter or Google. Try to cross confirm when confirming official information.
2. Usually form the good habit of paying attention to details. The results found by search engines will have the word ad if it is an advertisement, so as to avoid being caught in the pit.

Fake robot disguised as private chat of the project party and sent to phishing website

Recently, when I was paying attention to a new project, I joined the official discord community from the official website of the project. After adding the group, I first carried out the official robot identity verification according to international practice. However, this verification message was sent by a private letter from the robot. At this time, I had some questions in my heart, but I didn't think much after seeing the prompt label of "robot".

But when I opened the link again, I found that it automatically aroused my metamask wallet and asked for a password. At this time, it was basically determined that there was a problem with the website. After debugging and analysis, it is found that the website is not the real metamask pop-up, but the fake metamask wallet interface of the fake website. If you enter the password, you will ask for mnemonic verification. Finally, the password and mnemonic will be sent to the attacker's background server. Since then, your wallet has been stolen.

Fraud prevention skills

1. For discord private messages, we must be vigilant: Official robots will not require verification of private messages. We must first confirm that it is the news of official robots. The best way is to turn off private messages.
2. During the authentication process, the wallet will not be required to be connected. 3. Believe in intuition. If you feel strange or abnormal operations, you must be careful and conduct more cross verification of information.

High imitation domain name and content phishing website

At present, the author has found a variety of fake websites in the market, most of which imitate the domain name and content of the official websites to a very high degree. This method should be the most common in phishing. Its inductive analysis mainly includes the following forms:
(1) Change the top-level domain name and keep the main name unchanged. For example, the top-level domain name of the official website in the figure below is COM, the top-level domain name of phishing website is fun。

(2) Add words or symbols to the subject name for confusion, such as opensea office, cyber kongz, etc.

(3) Add secondary domain names for confusion and phishing.

Fraud prevention skills

1. When entering the website, find the official twitter or discord and compare the links to see if they are correct.
2. Always be vigilant: Although this kind of phishing website is the easiest to identify, it is extremely large, and users are easily deceived if they don't pay attention.
3. Installing anti phishing plug-ins can effectively assist in identifying some phishing websites. But the most important thing is that users should be cautious.

The fishing project of opensea was launched

While traveling in opensea some time ago, the author found a project that has not been sold on the official website, but it was listed on opensea for 10K, close to 5.4kowner. For a time, I was vigilant. After careful analysis, I found a new fishing routine. This project first made a high imitation official website and similar domain names using method 5, and then launched projects with similar names on opensea, adding words such as free mint to attract attention.

In addition, some phishing websites will also cooperate with phishing twitter to commit fraud:

Fraud prevention skills

1. Pay attention to identifying twitter accounts. Fishing Tuba usually has a large number of fans, but most of the comments are zombie scores, or they are created early, but they are only active recently.
2. Opensea online projects are not necessarily genuine projects on the official website. At present, there are still many imitation disk and fishing projects on it, which need to be carefully screened by users.
3. Obtain information from multiple channels to ensure the cross verification of multiple information such as the official website, opensea project, twitter and discord. You can also contact the official directly to verify the authenticity.

True and false contract address

In March this year, a new scam appeared, which also opened people's eyes. The contract address of apecoin project is 0x4d2244452801aced8b2f0aebe155379bb5d594381

The attacker forged the same fake contract between the front and back, and carried out fishing fraud together with fishing publicity. The fake contract is 0x4d221b9c0ee56604186a333f4f2433a961c94381

This kind of attack is rare, but it is very confusing. Many security conscious people will subconsciously check whether the front and back digits of the contract address are normal, but almost no one will write them down.

Fraud prevention skills

1. For direct transfer transactions to the contract address, it is best to check the correctness of the contract address in full.
2. Confirm that the address is normally obtained from official channels to avoid being intercepted and modified by attackers in the middle.

Remedial measures

The above only lists the common means in the fishing fraud industry, and now, with the continuous popularity of Web3, the ways of fishing fraud emerge one after another. Users should try their best not to be cheated by the above phishing skills. However, in case of fraud, the following measures can be taken to remedy as much as possible:
-Immediately isolate the assets and transfer the remaining assets to a safe location as soon as possible to avoid greater losses;

-Take the initiative to issue a statement to inform everyone of the relevant information of the stolen account, so as to avoid endangering friends and the community;

-Retain evidence as much as possible and seek follow-up treatment from the project party or institution;

-You can seek professional security companies for fund tracking, such as Chengdu Lianan.

Finally, it is suggested to record and share the experience of being cheated and encourage everyone. Anti fishing and anti fraud require everyone's attention and participation.