An Expertly Crafted Crypto Phishing Attempt (and How to Detect it)

Most phishing attempts you see are obvious to most people. Usually they advertise some kind of free money giveaway, and all you have to do is send them money first.

A common and obvious phishing attempt on Twitter.

How many companies have you seen “say sorry” by giving away 3.7 million dollars to random people on Twitter? It seems silly, but people are falling for this every day.

Today I received an e-mail of a phishing attempt that is done so well, I believe even some internet savvy people could fall for it. This phish is so elaborate, it consists of four parts: an e-mail, two separate websites, and an Ethereum smart contract.

Part 1: The E-mail

The e-mail itself is a clone of the common CoinDesk newsletter. The story sounds somewhat plausible given the frequency of airdrops these days. Gmail has not flagged it as a phishing attempt.

Part 2: The CoinDesk Article

Once you click the link in the e-mail, it brings you to a CoinDesk article. Once again, nothing looks that out of the ordinary. The story continues to sound somewhat plausible, and you appear to be on a legitimate news site. Google Chrome does not flag the website as a scam site.

Part 3: MyEtherWallet Claim Form

If you follow the claim links you are taken to a MyEtherWallet contract. For the third time, everything looks completely normal. None of the telltale signs of a scam. It even has a bright red phishing warning at the top of the page. Once again, Google Chrome does not flag the website as a scam site.

Part 4: Ethereum Smart Contract

If you check the activity on the referenced contract address, you see a non-stop stream of constant activity. Nothing looks out of the ordinary. This is exactly how it should look if this was a legit giveaway.

Detecting the Scam

While hard to spot, there are a few signs that this was a scam.

  • Valuable coins are not given away. There are a dizzying amount of giveaways and airdrops these days, but they are always for tiny amounts of worthless coins. It is done for promotional purposes. EOS is one of the most highly valued projects in the space.
  • The EOS ICO is still running. The EOS ICO is unusual in that it lasts for approximately a year, but it is still running. It makes no sense for the founders to do a giveaway while the ICO is still going.
  • The coin giveaway limit doesn’t make sense. The website claims a 10,000 EOS limit, but there is no way to enforce this. Someone with a lot of ETH could simply split it into multiple accounts, then submit multiple claims.
  • The distribution method is unfair and makes little sense. Billions of dollars have been paid for EOS coins. It is completely unfair to give out extra EOS coins to a small subset of users who happened to get the news first. A more fair method would be to burn the coins, which means to destroy them. This takes them out of circulation permanently, increasing the value evenly for everyone who holds EOS.
  • The article doesn’t link back to an official announcement. If there actually was a giveaway of this magnitude, it would be a top headline, and the official announcement would always be linked to as proof.
  • The URL SSL certificate doesn’t match. This one is much less obvious since the phisher took the time to issue SSL certificates for their domains. Both CoinDesk websites show “Secure” in the URL bar. The real MyEtherWallet has gone one step further to provide extended validation in the certificate, which results in their name being placed in the URL bar. Most domains do not provide extended validation, so this detail could easily be missed.
  • The URLs are not *exactly* the same. If you look very carefully at the URLs, they are slightly different. The top of the “k” in coindesk is cut off. There are two small accent marks in myetherwallet. These are technically different characters in the Unicode standard.
  • The fake URL is revealed in the developer tools. If the developer tools are opened you can see the IDNA encoded URL. (Press F11 in Firefox or Chrome, or open from the menus.) This reveals that the URLs are actually similar looking internationalized domains.
  • The smart contract is not for a giveaway. The contract address that was provided is not for an EOS giveaway. It’s for the EOS crowdsale ICO.
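The URL checks in the list above can be automated. The following Python script is an added example, not code from the original post: it IDNA-encodes the hostname so punycode (`xn--`) labels become visible, builds the string a human would actually see by stripping accents and mapping a small constructed table of Cyrillic lookalikes, and compares that against an assumed allowlist of protected domains. The sample links are constructed in the style of the phish described here.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the legitimate domains this phish imitated.
PROTECTED_DOMAINS = {"coindesk.com", "myetherwallet.com"}

# Constructed table of Cyrillic letters that render like Latin a c e o p x y
# (a small subset of what Unicode's confusables.txt covers).
CYRILLIC_LOOKALIKES = str.maketrans(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443", "aceopxy")

def to_ascii(host: str) -> str:
    """IDNA-encode a hostname; Unicode labels become xn-- (punycode) labels."""
    return host.encode("idna").decode("ascii")

def skeleton(host: str) -> str:
    """Approximate what a human sees: drop accents, map Cyrillic lookalikes."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CYRILLIC_LOOKALIKES)

def scripts_used(host: str) -> set:
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by letters in host."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def check_url(url: str) -> dict:
    """Flag punycode labels, mixed scripts, and homographs of protected domains."""
    host = urlsplit(url).hostname or ""
    ascii_host = to_ascii(host)
    findings = []
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        findings.append("punycode")
    if len(scripts_used(host)) > 1:
        findings.append("mixed-script")
    look = skeleton(host)
    if look in PROTECTED_DOMAINS and ascii_host != look:
        findings.append(f"homograph of {look}")
    return {"host": host, "ascii": ascii_host, "findings": findings}

if __name__ == "__main__":
    # Constructed sample links: the real site, a k-with-cedilla lookalike,
    # an accented lookalike, and a Cyrillic c/o lookalike.
    for link in ("https://coindesk.com/news",
                 "https://coindes\u0137.com/news",
                 "https://my\u00e9th\u00e9rwallet.com/claim",
                 "https://\u0441\u043eindesk.com/news"):
        print(check_url(link))
```

A browser "punycode alert" plugin performs essentially the first check; the skeleton comparison is what lets you catch a lookalike of a specific brand you care about.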

What else can I do to protect myself?

  • Use a hardware wallet, such as a Trezor, Ledger, or Bitbox. These devices store your private keys and keep them safe. Even a compromised website cannot steal your keys while connected to a hardware wallet. Everything that is done can always be validated on the device.
  • Use only well known wallet software. Website based wallets are great for convenience, but they are often targets of attack. Using software such as MetaMask, Ethereum Wallet, or Ethereum Mist can make it more difficult to forge requests.
  • Don’t click links. Type the URL yourself. If you type the URL yourself, it can’t be forged.
  • Use a “punycode alert” browser plugin. These plugins will warn you if you visit an internationalized domain that could be attempting to look like a normal domain.
  • Find secondary sources to validate claims. News sites are always in a race to deliver headlines. If it’s something important, multiple websites will have the information.
  • Check the official website. Major projects are often the target of misinformation and scams. If there is a legitimate promotion going on, it will always be listed on the official website.
  • Think carefully, and always be skeptical. There are almost as many crazy promotions running as there are scams. Sometimes it can be hard to tell the difference, but with a little research you can usually find the real answer. If it sounds too good to be true, it probably is.