What is a Phishing Attack?

DeHacker, published in DeHacker Security, Jul 21, 2022

Phishing is a cybersecurity attack that tricks people into handing over valuable information about themselves or their activities. It primarily targets humans and the weaknesses in the trust relationships between them. Typically, phishing is carried out via email or instant messaging. Some phishing websites present false information and are almost identical to the real websites they imitate, in order to obtain personal information. Even with a password prompt and a valid SSL certificate, it can be hard to tell whether a website is real or fake. Phishing is an example of social engineering used to lure users, and it exploits the limits of current cybersecurity technology. In the web3 world, phishing is carried out mainly through tactics such as Discord compromise and website forgery.

Phishing cases in web3

Discord bot

On May 23, 2022, Discord’s MEE6 bot was compromised, and phishing messages about minting were posted in several official project Discord servers.

On May 6, 2022, Opensea’s official Discord server was hacked: a bot account was used to post a fake link in a channel claiming that “Opensea has partnered with YouTube to create a limited edition 100 NFT Mint Pass”.

Project participants should therefore use the officially recommended security measures to protect their accounts, such as two-factor authentication and strong passwords, and should be wary of traditional cyber-attacks and social engineering that lead to downloading malware or visiting fraudulent sites. Web3 users should be aware that links posted even in a project’s official Discord may point to fraudulent sites, and that no official guarantee of absolute security can be made. When an action requires our own permission or a transaction, it is all the more important to be cautious and cross-check the information from multiple sources.

Phishing Web URL tricks

Phishing websites fall mainly into three categories. The first replaces only the top-level domain of the original official website. The second adds words or symbols to the main domain name to confuse users. The third adds second-level domain names (subdomains) to obfuscate the phishing website. The phishing techniques involved are also mainly of three types. The first is a phishing website that fakes the official website of an NFT project to trick users into transferring funds directly. The second is a phishing website that uses a fake airdrop to trick users into granting token approvals. The third is a phishing website that tricks users into entering their wallet mnemonic (seed phrase).

For these, users should first find the project’s official Twitter or Discord and compare the links one by one to make sure they are correct before visiting a website. Always be on your guard: while these phishing sites are the easiest to identify, they are so numerous that users can easily be fooled if they are not careful. Installing an anti-phishing browser plug-in can also help identify some malicious sites.
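The three URL categories above (top-level-domain swap, characters added to the main name, official name pushed into a subdomain) can be checked mechanically rather than by eye. The script below is an added example, not DeHacker’s code; it labels each candidate link against a known official domain. The sample links are constructed, and the registrable domain is approximated as the last N labels of the hostname (N being the number of labels in the official domain), a simplification that a real check would replace with the Public Suffix List.

```python
"""Classify candidate URLs against a project's official domain.

Added illustrative example (not DeHacker's code). Labels each hostname with
one of the phishing-URL categories described in the text.

Simplifying assumption: the registrable domain is the last N labels of the
hostname, where N is the number of labels in the official domain. A
production check would consult the Public Suffix List instead.
"""
from urllib.parse import urlparse


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, official_domain: str) -> str:
    """Return one of: official, tld-swap, added-characters,
    subdomain-obfuscation, unrelated, invalid."""
    if "://" not in url:              # tolerate bare hostnames pasted from chat
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    off_labels = official_domain.lower().split(".")
    n = len(off_labels)
    if len(labels) < n or any(not label for label in labels):
        return "invalid"

    registrable, subdomains = labels[-n:], labels[:-n]
    if registrable == off_labels:
        return "official"             # exact match; covers real subdomains such as docs.<official>

    off_name, off_suffix = off_labels[0], ".".join(off_labels[1:])
    reg_name, reg_suffix = registrable[0], ".".join(registrable[1:])
    if reg_name == off_name and reg_suffix != off_suffix:
        return "tld-swap"             # category 1: same name, different top-level domain
    if any(off_name in label for label in subdomains):
        return "subdomain-obfuscation"  # category 3: official name is only a subdomain
    if off_name in reg_name or _levenshtein(reg_name, off_name) <= 2:
        return "added-characters"     # category 2: padded or typo-squatted main name
    return "unrelated"


def check_links(urls, official_domain):
    """Map each URL to its label so a list of links can be reviewed at once."""
    return {url: classify_url(url, official_domain) for url in urls}


if __name__ == "__main__":
    # Constructed sample links; only the official domain name is real.
    samples = [
        "https://opensea.io/collection/example",
        "https://docs.opensea.io/",
        "https://opensea.com/login",
        "https://opensea-mint.io/claim",
        "https://opensae.io/",
        "https://opensea.io.claim-nft.xyz/",
        "https://opensea.io-airdrop.com/",
        "https://google.com/",
    ]
    for url, label in check_links(samples, "opensea.io").items():
        print(f"{label:22} {url}")
```

Anything other than `official` deserves a second look before the link is opened; the `unrelated` label only means the host does not resemble the official name, not that it is safe.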

Phishing sites on Google Ads

On May 10, 2022, @Serpent reported that the first result on the Google search page for the X2Y2 NFT exchange was a malicious page that exploited a weakness in Google’s advertising system to look identical to the real page, and tweeted that about 100% was stolen.

Search engines are useful, but their results are not always correct, and search-engine advertising systems can easily be abused by malicious sites. Get links from the project’s official Twitter rather than relying on Google, and pay attention to the details: search engines mark paid results with the word “Ad”. Do not click on a link labelled “Ad”.

A false contract address

The new scam that emerged in March was also eye-opening. The attacker generated a contract address whose first and last few characters matched those of the legitimate contract, and used phishing links to commit fraud.

This type of attack is unusual but confusing. Usually, people check only the first and last few characters of a contract address to see whether it looks right, and very few check the full address. For direct transfer transactions, it is best to verify that the full contract address is correct, and to obtain the address from an official channel so that it cannot be modified by an attacker in the middle.
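The lookalike-address scam works precisely because wallet interfaces show only the ends of an address. The helpers below, an added example that is not DeHacker’s code, compare the whole address and cross-check it against several published sources, which is also the cross-verification step recommended under Solutions. All addresses are constructed for illustration and do not refer to real contracts.

```python
"""Full-address comparison for contract addresses.

Added illustrative example (not DeHacker's code). Wallet interfaces usually
display only the first and last few hex characters of an address, which is
what the lookalike-address scam exploits. These helpers compare the whole
address and cross-check it against several sources. All addresses used here
are constructed and do not refer to real contracts.
"""
import re

_HEX_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(address: str) -> str:
    """Validate the 20-byte hex format and lower-case it for comparison."""
    address = address.strip()
    if not _HEX_ADDRESS.fullmatch(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


def compare_addresses(official: str, candidate: str, visible: int = 4) -> dict:
    """Describe how candidate relates to official.

    `visible` is the number of hex characters at each end that a UI shows,
    e.g. 0xab12...ab78 for visible=4.
    """
    o, c = normalize(official), normalize(candidate)
    prefix_match = o[2:2 + visible] == c[2:2 + visible]
    suffix_match = o[-visible:] == c[-visible:]
    return {
        "full_match": o == c,
        "prefix_match": prefix_match,
        "suffix_match": suffix_match,
        # a lookalike passes the eyeball check but is a different contract
        "lookalike": o != c and prefix_match and suffix_match,
    }


def cross_verify(candidate: str, sources: dict) -> list:
    """Return the names of sources whose published address differs from candidate.

    An empty list means every source agrees on the full address.
    """
    c = normalize(candidate)
    return [name for name, addr in sources.items() if normalize(addr) != c]


if __name__ == "__main__":
    OFFICIAL = "0xab12cd34" + "00" * 12 + "ef56ab78"   # constructed
    LOOKALIKE = "0xab12cd34" + "ff" * 12 + "ef56ab78"  # constructed: same ends, different middle
    print(compare_addresses(OFFICIAL, LOOKALIKE))
    sources = {
        "official website": OFFICIAL,
        "official twitter": OFFICIAL,
        "link in a DM": LOOKALIKE,
    }
    print("disagreeing sources:", cross_verify(LOOKALIKE, sources))
```

A non-empty result from `cross_verify` is the signal to stop: the address to be used should match the full address from every official channel, not merely share its visible prefix and suffix.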

Solutions

Phishing attacks are very common and successful. We have to take measures to prevent phishing attacks and the damage they cause.

At present, most websites do not support blind signing, in order to protect users’ safety. However, if users still encounter a blind signing request when visiting a website, they should refuse to sign.

The domain name and content of a phishing website are usually very similar to those of the original project’s official website. Users should pay special attention to identifying the official website when visiting.

When calling NFT contracts, users should also cross-verify the address of the project contract to avoid being deceived by a phishing contract.

If a user receives a link to a website claiming to offer an airdrop, they first need to confirm the source of the information. Generally, they can check whether an airdrop announcement has been released on official social accounts such as the project’s Twitter. If not, do not click on airdrop links posted on other channels.

About DeHacker

DeHacker is a team of auditors and white hat hackers who perform security audits and assessments. With decades of experience in security and distributed systems, our experts focus on the ins and outs of system security. Our services follow clear and prudent industry standards. Whether it’s reviewing the smallest modifications or a new platform, we’ll provide an in-depth security survey at every stage of your company’s project. We provide comprehensive vulnerability reports and identify structural inefficiencies in smart contract code, combining high-end security research with a real-world attacker mindset to reduce risk and harden code.
