SlowMist: Web3 Phishing Technique Analysis

Original Article Title: "SlowMist: Web3 Phishing Tactics Analysis"
Original Source: SlowMist Security Team

Lately, SlowMist was invited to participate in the Ethereum Web3 Security BootCamp organized by DeFiHackLabs. As a speaker, SlowMist's Head of Security Audit, Thinking, delved into the malicious ways and covert methods of phishing hackers across eight chapters titled "Fake, Bait, Lure, Attack, Conceal, Skill, Distinguish, Defend," combining practical examples to lead students to a deep understanding of phishing attacks and proposing relevant preventive measures. Phishing is one of the heavily targeted areas in the industry. Understanding the enemy is necessary to defend effectively. This article will extract key content from the sharing session to help users understand the current state of phishing attacks and effectively mitigate the threat of phishing attacks.

Why Phishing Happens

In the Web3 world, phishing attacks have become one of the major security threats. Let's first look at why users fall victim to phishing. In fact, even users with high security awareness sometimes feel the saying "if you walk by the river often, you will eventually get your shoes wet" applies to them. After all, maintaining the highest level of vigilance at all times is difficult. Attackers analyze factors such as recent hot projects, community activity, and user base to select highly visible targets, disguise them carefully, and then lure users using airdrops, high returns, and other baits. These attack methods are usually accompanied by social engineering. Attackers are adept at exploiting user psychology to achieve their fraudulent goals:

·  Enticement: Airdrop whitelist qualification, mining rewards, private key of wealth, etc.

·  Curiosity / Greed: Fearless exit strategy for a rug pull, can't miss the potential 100x coin, don't miss out at 10 PM tonight, meeting link https://us04-zoom[.]us/ (malicious); $PENGU airdrop whitelist must not be missed, https://vote-pengu[.]com/ (malicious).

·  Fear: Urgent alert: XX project has been hacked, please use revake[.]cash (malicious) to revoke authorization and prevent fund loss.

·  Efficient Tools: Airdrop farming tools, AI quantitative tools, one-click mining fleeceware, etc.

Attackers invest time in creating and deploying baits simply because it is profitable. Through the above means, attackers can easily obtain users' sensitive information/permissions, thereby stealing user assets:

·  MNEMONIC / Private Key Theft: Deceiving users into inputting their mnemonic phrase or private key.

·  Deceiving User to Sign with Wallet: Authorization signature, transaction signature, etc.

·  Account Password Theft: Telegram, Gmail, X, Discord, etc.

·  Social App Permission Theft: X, Discord, etc.

·  Inducing Installation of Malicious Programs: Fake wallet apps, fake social apps, fake conference apps, etc.

Phishing Techniques

Next, let's take a look at some common phishing techniques:

Account Theft / Impersonation

Recently, there has been a surge in incidents where Web3 projects' / KOLs' X accounts were hacked. After hijacking the account, attackers often promote fake tokens or construct similar domain names in the "good news" they release to deceive users into clicking. Of course, there are cases where the domain is legitimate because the attacker may have taken over the project's domain. Once the victim clicks on the phishing link, performs a signature, or downloads malicious software, their assets will be stolen.

In addition to stealing accounts, attackers on X often use impersonated accounts to comment in the comments section of legitimate accounts to deceive users. The SlowMist Security Team has conducted targeted analysis and statistics: about 80% of well-known projects have the comments section of their tweets occupied by scam phishing accounts. Attackers use automated bots to follow the activities of well-known projects. After a project releases a tweet, the phishing group's bots will automatically leave a comment in the comments section to ensure they occupy the first comment position for high visibility. Since the post the user is viewing is sent by a real project and the disguised phishing group account and the project account are highly similar, as long as the user is not vigilant enough and clicks on the high-imposter account's phishing link under the guise of an airdrop or similar pretext, and then authorizes or signs, they will lose their assets.

Attackers will also impersonate administrators to post fake news, especially on platforms like Discord where this phenomenon is more common. Discord supports user-customized nicknames and usernames, so attackers will change their profile picture and nickname to match those of an administrator, then post phishing information in the channel or private message users. If users do not click on the account profile to view the username, it is difficult to detect the issue. Furthermore, although Discord usernames cannot be duplicated, attackers can use names that are highly similar to the administrator's username, such as adding an underscore or a period in the username, making it difficult for users to distinguish between real and fake accounts.

Invite Phishing

Attackers often establish contact with victims on social platforms, recommend "high-quality" projects or invite users to meetings, guide victims to visit malicious phishing sites, or download malicious applications. In the past, users have been hacked after downloading a fake Zoom app. Attackers use domains like "app[.]us4zoom[.]us" to disguise themselves as legitimate Zoom meeting links, with the page closely resembling the actual Zoom interface. When users click the "Start Meeting" button, they trigger the download of a malicious installation package instead of launching the local Zoom client or downloading Zoom's official client. As the malicious program prompts users to enter their passwords at runtime, and subsequent malicious scripts collect browser plugin wallet data and KeyChain data (potentially including various passwords saved on the computer), attackers collect this data to attempt decryption and obtain sensitive information such as the user's wallet mnemonic phrase/private key, leading to asset theft.

Search Engine Ranking Manipulation

Search engine ranking results can be boosted through ad promotion, leading to phishing sites potentially ranking higher than the genuine official websites. In cases where users are unaware of the official website's URL, it's challenging to differentiate a phishing site solely based on the site's appearance. Phishing sites can customize the URL displayed in Google Ads promotions, where the URL shown in the Sponsored section may be identical to the official URL, but when users click the ad's URL, they are redirected to the attacker's constructed phishing site. Because phishing sites created by attackers closely resemble genuine official sites, it's challenging to distinguish between them, making it inadvisable for users to directly search for official websites using search engines as they are likely to land on a phishing site.

TG Advertisement Scam

Recently, there has been a significant increase in users falling victim to fake TG Bots. Multiple users reported encountering a new bot at the top of the channel while using a trading bot, assuming it was an official new release and proceeding to import private keys to link wallets, only to be hacked. Attackers utilize Telegram to precisely target advertisements in official channels, enticing users to click. This form of phishing is highly covert because the ad appears in an official channel, leading users to instinctively believe it is an official robot release. Lacking vigilance, if users click the phishing bot and upload private keys to link, they risk being hacked.

In addition, we recently disclosed a new type of scam, the Telegram Fake Safeguard scam, where many users were stolen from because they ran malicious code following the attacker's tutorial.

App Store

Not all software on the app stores (Google Play, Chrome Store, App Store, APKCombo, etc.) are genuine. Often, the stores cannot fully review the software. Some attackers lure users into downloading fraudulent apps through methods like buying keyword rankings. Dear readers, please pay attention to verification. Before downloading, make sure to check the app developer information to ensure it matches the officially announced developer identity. You can also refer to app ratings, download counts, and other information.

Phishing Email

Email phishing is the most classic trick, known for being "simple and unadorned." Attackers use phishing templates and combine them with Evilngins reverse proxy to create emails like the one in the image below: when users click on "VIEW THE DOCUMENT," they will be redirected to a fake DocuSign interface (now unable to open). Subsequently, if a user clicks on Google Login on that interface, they will be redirected to a reverse-proxied Google login window. Once the user enters their account, password, and 2FA on that window, the account will be taken over by the attacker.

The phishing email in the image above is obviously not well-crafted because the sender's email address is not disguised. Let's see how the attacker in the image below disguises their identity: the attacker's email address differs from the official address by just a small dot. Attackers can use DNSTwist to find special characters supported by Gmail to make their email address look legitimate. If you don't look closely, you might think it's just a dirty computer screen.

Browser Feature Exploitation

See SlowMist's article: Revealing how malicious browser bookmarks can steal your Discord Token.

Defense Challenge

The tactics used by attackers are constantly evolving, generally moving towards a more sophisticated and standardized direction. In our previous analysis, we found that attackers are not only able to create web pages highly similar to those of well-known projects and take over the project's domain, but there are also cases where an entire project is fictitious. These fake projects not only have many (purchased) fans on social media but also have GitHub repositories, posing a greater challenge for users to identify phishing threats. Additionally, attackers' adept use of anonymous tools has made tracing their tracks more difficult and complex. To conceal their identities, attackers often use VPNs, Tor, or even control compromised hosts to carry out malicious activities.

With an anonymous identity established, attackers, to build a phishing network, also need to purchase basic service infrastructure, such as Namecheap, with support for cryptocurrency payments. Some services only require an email for registration, without the need for KYC verification, allowing attackers to avoid being traced.

Once the aforementioned preparations are in place, attackers can launch phishing attacks. After profiting, the funds are further obfuscated using services like Wasabi, Tornado, etc., to confuse the fund's path. To enhance anonymity, funds may also be converted into highly anonymous cryptocurrencies such as Monero.

To avoid leaving samples and evidence, attackers will cover their tracks by deleting related domain resolutions, malicious programs, GitHub repositories, platform accounts, etc. This often results in security personnel encountering situations where phishing websites cannot be accessed or malicious programs cannot be downloaded, increasing the difficulty of analysis and tracking.

Defense Strategy

Users can identify phishing threats based on the characteristics in the above image and learn basic methods to verify information authenticity. They can also use some defense tools to enhance phishing defense capabilities:

·  Phishing Risk Blocking Plugins: Tools like Scam Sniffer can detect risks from multiple dimensions. When users open suspicious phishing pages, the tool will promptly display a risk warning.

·  Secure Wallets with High Interaction Security: Such as Rabby's Watch-only wallet (no private key required), phishing website identification, see-and-sign, high-risk signature identification, history record Scam identification, etc.

·  Internationally Recognized Antivirus Software: Such as AVG, Bitdefender, Kaspersky, etc.

·  Hardware Wallet: A hardware wallet provides an offline way to store private keys. When interacting with a hardware wallet and DApp, the private key is not exposed online, effectively reducing the risk of asset theft.

Final Thoughts

In the blockchain dark forest, phishing attacks are omnipresent. Cultivation lies in the arising of every thought—being mindful of one's intentions to avoid unconsciously falling into a mental state. When navigating the blockchain dark forest, the most fundamental practice is to cultivate a habit of maintaining zero trust and continuous verification. It is recommended that everyone deeply read and gradually master the "Blockchain Dark Forest Survival Manual."

Due to space constraints, this article only introduces the main contents of the sharing session. The nearly seventy-page PPT is now publicly available.

Original Article Link