AuditOne Blog
Phishing Attack

Imagine spending thousands on a smart contract audit, then either your users or people on your team fall victim to a phishing attack draining your company of millions. All the trust you built with your community was lost while you hurried to figure out how this could have happened.

In 2020 $7.8 billion in crypto assets were lost to hackers. By 2021 that figure doubled to $14 billion in losses. The global market capitalization of cryptocurrencies as of January 2022 was $2.05 trillion, putting it square between tech giants such as Apple, $2.98 trillion, and Alphabet, $2 trillion. Hackers are financially incentivized to pursue these ventures as the rewards are high. Phishing attacks didn’t emerge with crypto. Data shows that 75% of companies globally experience some form of a phishing attack. However, crypto opened up new opportunities for malicious actors to implement this common scam.

People are puzzled about how the blockchain could be compromised. Noncustodial wallets hold funds and are safeguarded by private keys known only to their owners. Phishing attacks remain a significant threat because humans are the weakest link in phishing hacks.

What is phishing

Phishing is a social engineering attack carried out by sending fraudulent communications (email and direct messages) that appear to come from a reliable source. It intends to harvest sensitive user data, including login credentials, credit card information, and Web3 wallet information. This attack persists because people click every link they are presented with online. After all, the thrill of opening it is like a loot box in your favorite game.

Different Types

Phishing has been around since the inception of the internet, and we can’t possibly cover every occurrence of it. Still, we will outline several types that have affected crypto in recent years.

Fake Apps

Fake apps posing as legitimate projects are on the rise. The hackers see the users of a specific project have a need, and they fill it by offering an app that does exactly what these users in the community need. The only purpose of these apps is to drain users’ wallets. The hackers submit a safe-looking app to these platforms and once approved, they change them into phishing apps. It is best to download the app from a link provided by the project’s website. Too many fake apps are currently available for download through Google Play and Apple App Store.

Fake browser extensions

Browser extensions are beneficial as they facilitate connection with the Web3 products we love so much. Metamask, Coinbase, and Trust Wallet are some of today’s most popular Web3 wallets. However, they all got evil twins running amok in the peaceful streets of Web3.

Scammers are exploiting this need for convenience by creating fake chrome extensions. Users should be cautious because anyone can make an extension. A large community supporting the extension and positive reviews can be an effective indicator.

Ice phishing attack

In an ice phishing attack, hackers get their targets to give away the approval of their tokens through a deceptive smart contract. Victims believe they are interacting with a legitimate website or exchange and signing transactions. However, it would be a malicious smart contract that would redirect their tokens from their cryptocurrency wallets to the attacker’s wallet. AuditOne.io can audit smart contracts to ensure their security.

Hackers accessed Badger DAO’s front-end website using an unauthorized API key. The hackers then injected harmful smart contracts into the website and regularly targeted Badger users. When users sign transactions, the attackers get account transaction approval. Scammers can then remove funds at any time. Once they had obtained a sizable number of user permissions, these hackers looted the users’ accounts.

DNS spoofing

In this assault, hackers seize control of a legitimate website and swap out its front end for malicious ones. When users search for websites they are familiar with, they are routed to a malicious webpage despite using the correct URL. Then prompted to enter their credentials into the bogus website, and all is lost.

Fake Websites

Scammers are replicating real websites with minor changes in the original URL to entice unsuspecting people — for example, MoonBirds, a popular NFT collection official website is https://moonbirds.xyz. In contrast, one of many phishing websites is http://moonbirdsraffle.xyz.

Fake Moonbird webpage
Real Moonbird webpage

Once you connect your wallet to their site, it says there is an error and prompts you to enter your private keys. Granting permission and signing transactions on this site opens your wallets to be drained by hackers.

Social Media Accounts

Today’s most prevalent hacks focus on the Web3 community’s primary modes of communication, Twitter and Discord. Scammer fake social media accounts of famous people/projects or family members to gain trust and entice you to click on a malicious link or invest in rug pulls.

In Discord, hackers use compromised bots to send phishing links into the discord server, tricking unsuspecting users into believing it’s a genuine message from the project team. In May 2022, an attack on OpenSea’s discord occurred. A malicious post made users think OpenSea and YouTube were collaborating. The bot enticed members with a limited edition mint pass NFT for the partnership.

The phishing message, as seen on Discord.

Direct messages with phishing links are also sent to users through fake discord bots or scammers.

Phishing Customer Support

If you have spent time on any Discord channel or Twitter and asked for help from the community, you would have received messages from fake support agents. They seem to care more about you than the actual project at the speed they send you a message. The messages seem helpful until they provide you with a link requesting your private keys to expedite their aid. Don’t be fooled; the official support won’t message you directly, and no one needs your private keys.

The phishing Tweet

What you can do

By now, it should be clear that no matter how secure Web3 is, it will not protect us from phishing scams.

  • Your private keys are called private for a reason. Stop sharing them the moment you encounter an error message on a website.
  • Do not agree to everything your wallet prompts you to do without being cautious.
  • Turn off private chat in discord, which prevents unwanted messages.
  • Educate yourself on the various common phishing techniques.
  • Verify the legitimacy of the site and the contract from multiple sources, if possible, before signing transactions.
  • The community is the canaries in coal mines; they should be leveraged in a productive way to highlight these scams as they occur, and the project should take immediate action to avoid losses from them.

Users must be wary of these scams, and projects must stay up to date on the newest schemes and techniques utilized by attackers.

In this article
Author
Daniel Francis
Product Manager
Share this with your community!
xtelegramlinkedin
Recent Blogs

Looking for more of engaging content?

Explore our community