Wallet Security Newsletter # 4: QR code scams
Welcome to the fourth version of the security newsletter in which we dissect scams found by our security team. We hope to bring you some insight and more protection against common scams.
In August, our security team marked 6 tokens, 55 DApps and 295 addresses as risky.
Read our earlier newsletters below:
In this one, we’ll explain how phishing websites and ‘approve’ scams work so that you can recognize and avoid these scams.
When visiting websites, you may not pay much attention to the address bar of the browser. But if you look a little closer, you will see a security icon such as 🔒 or 🛡️ in front of the address bar.
This icon matters a lot to the security of your assets, and if you don’t see 🔒 or 🛡️ when visiting a wallet website, then you’re probably visiting a phishing website that attempts to trick you into installing a fake wallet.
Take MetaMask for example. MetaMask is a popular wallet that customers use when they interact with DApps on their computers. If a newbie wants to add MetaMask to his browser, the first step he will do is probably Google MetaMask and install it.
However, the search results may lead you to a phishing website such as the one below. If the newbie doesn’t realize the warning icon ⚠️ in the address bar, then he may download a fake App and generate a mnemonic phrase that has already been compromised.
So search engines like Google are not reliable. We explained the reason in #1 Fake websites and wallets that scammers paid ads on Google to promote their fake websites.
So how to identify whether the website you are visiting is real or not? The most reliable way is to bookmark the websites of commonly used wallets.
What’s more, you should make sure there is a security icon 🔒 or 🛡️ to the left of the url when visiting.
The icon 🔒 or 🛡️ suggests reliability, and if you click the address bar twice, you can see https:// in the url indicating this website is secured.
What is HTTPS?
In 1991, Tim Berners-Lee, father of the World Wide Web, proposed the Hypertext Transfer Protocol(HTTP) which defines the format of communication between a client and a server.
When we enter a URL in a browser, it retrieves information from the server based on that URL and returns it to the client. However, this information can be intercepted and tampered with by hackers on the way from the server to the client.
In order to enhance security, HTTPS was born, and S stands for Secure, which ensures that information can be securely transferred from the server to our computer.
So when visiting websites, you need to pay attention to whether it has https in its url.
QR code approval scam
Making payment via QR codes is extremely common these days because it is much quicker compared to other modes of payment. However, convenience can also bring some problems. By scanning a QR code your assets may be stolen.
How can this happen? You kept your mnemonic phrase in a secure place, but you still lost your assets.
This is how the scam usually happens: You scan a QR code, which opens a scam website mimicking the transfer page of your wallet app. The site takes you through an imitation of the familiar transfer interface. Instead of the transaction confirmation, a window for approving unlimited token balance shows.
The token approval allows the scammer to manage the full balance of the specified token in your wallet. This way they can move your funds to their own wallets without knowing your mnemonic or password.
In any case — such as scanning a payment QR code — there a few steps that help you to stay safe:
- Check whether the QR opens a legit transfer
- Check whether you are giving unlimited token allowance
- You can also ask for the text version of the recipient’s address. It’s a little inconvenient, but it’s much safer.
Stay tuned, stay alert. Read more on how to stay secure:
imToken on Security: Beginner guide to security in crypto
Today we give you a few simple steps to reduce most of your security risks of being in crypto.
If you recognize any risky DApps or tokens, please report to us via email@example.com to help more users avoid being deceived.