5 Tricks with Crypto Phishing

Blockchain security firm SlowMist has highlighted five common phishing techniques crypto scammers used on victims in 2022, including malicious browser bookmarks, phony sales orders and Trojan malware spread on the messaging app Discord.  The security firm recorded a total of 303 blockchain security incidents over the year, with 31.6% of these incidents caused by phishing, rug pulls or other scams, according to SlowMist’s 09 January 2022 report.

The entire report can be viewed at:  https://slowmist.medium.com/slowmist-2022-blockchain-security-and-aml-analysis-annual-report-35928525abbf

Malicious browser bookmarks - One of the phishing strategies makes use of bookmark managers, a feature in most modern browsers.  SlowMist said scammers have been exploiting these to ultimately gain access to a project owner’s Discord account.  “By inserting JavaScript code into bookmarks through these phishing pages, attackers can potentially gain access to a Discord user’s information and take over the permissions of a project owner’s account,” the firm wrote.[1]

After guiding victims to add the malicious bookmark through a phishing page, the scammer waits until the victim clicks on the bookmark while logged into Discord, which triggers the implanted JavaScript code and sends the victim’s personal information to the scammer’s Discord channel.  During this process, the scammer can steal a victim’s Discord Token (their encrypted Discord username and password) and thus gain access to their account, allowing them to post fake messages and links to more phishing scams while posing as the victim.

‘Zero dollar purchase’ NFT phishing - Out of 56 major NFT security breaches, 22 were the result of phishing attacks, according to SlowMist.  One of the more popular methods used by scammers tricks victims into signing over NFTs for practically nothing through a phony sales order.  Once the victim signs the order, the scammer can purchase the user’s NFTs through a marketplace at a price of the scammer’s choosing.  “Unfortunately, it’s not possible to deauthorize a stolen signature through sites like Revoke,” SlowMist wrote.  “However, you can deauthorize any previous pending orders that you had set up, which can help mitigate the risk of phishing attacks and prevent the attacker from using your signature.”

Trojan horse currency theft - According to SlowMist, this type of attack usually occurs through private messages on Discord, where the attacker invites victims to participate in testing a new project and then sends a program in the form of a compressed file containing an executable of about 800 MB.  Once the victim downloads and runs the program, it scans for files containing key phrases like “wallet” and uploads them to the attacker’s server.  “The latest version of RedLine Stealer also has the ability to steal cryptocurrency, scanning for installed digital currency wallet information on the local computer and uploading it to a remote control machine,” said SlowMist.  “In addition to stealing cryptocurrency, RedLine Stealer can also upload and download files, execute commands, and send back periodic information about the infected computer.”

‘Blank Check’ eth_sign phishing - This phishing attack allows scammers to use your private key to sign any transaction they choose.  After connecting your wallet to a scam site, a signature request box may pop up with a red warning from MetaMask.  Once you sign, attackers hold a signature over data they chose, and they can construct any data they like and ask you to sign it through eth_sign.  “This type of phishing can be very confusing, especially when it comes to authorization,” the firm said.
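The two signature-based scams above (the phony sales order and the raw eth_sign request) both hinge on what a user is asked to sign.  The following is an added example, not code from SlowMist or Red Sky Alliance, of the kind of pre-flight check a wallet or a browser extension guard could run on an incoming JSON-RPC signing request before showing it to the user: it blocks raw eth_sign, decodes personal_sign payloads so they can be displayed, and flags typed-data requests whose primary type looks like a marketplace order.  The function names, the parameter order assumed for personal_sign (message first, then address, as MetaMask uses), the risk labels and the order/permit keyword heuristic are this example’s own assumptions; the sample requests are constructed.

```javascript
// Added example (not from the SlowMist report): classify a dapp signing
// request by risk before the wallet prompts the user. Names are hypothetical.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const HASH32_RE = /^0x[0-9a-fA-F]{64}$/;
// Heuristic (assumption): typed-data primary types that commonly transfer
// value or authority; these deserve a warning rather than a neutral review.
const ORDER_LIKE_RE = /order|offer|permit|listing/i;

function hexToUtf8(hex) {
  return Buffer.from(String(hex).replace(/^0x/, ""), "hex").toString("utf8");
}

function isPrintable(text) {
  // Printable ASCII plus common whitespace; anything else cannot be shown safely.
  return /^[\x20-\x7e\n\r\t]*$/.test(text);
}

function assessSignRequest(req) {
  const { method, params = [] } = req;
  switch (method) {
    case "eth_sign": {
      // Raw eth_sign signs arbitrary bytes with no prefix: a 32-byte hash here
      // could be a transaction or a permit digest, i.e. the "blank check".
      const data = params[1] ?? "";
      const reason = HASH32_RE.test(data)
        ? "eth_sign over a raw 32-byte hash: could authorize any transaction"
        : "eth_sign over raw bytes with no message prefix";
      return { risk: "block", method, reason };
    }
    case "personal_sign": {
      // personal_sign prefixes the data with "\x19Ethereum Signed Message:\n",
      // so the result cannot double as a transaction signature; show the text.
      const text = hexToUtf8(params[0] ?? "");
      const printable = isPrintable(text);
      return {
        risk: printable ? "review" : "warn",
        method,
        message: printable ? text : null,
        reason: printable ? "human-readable message" : "non-printable payload; do not sign blind",
      };
    }
    case "eth_signTypedData_v4": {
      let typed;
      try {
        typed = JSON.parse(params[1]);
      } catch {
        return { risk: "block", method, reason: "malformed typed data" };
      }
      const primaryType = typed.primaryType ?? "";
      const domain = typed.domain ?? {};
      const contract = domain.verifyingContract ?? "";
      return {
        risk: ORDER_LIKE_RE.test(primaryType) ? "warn" : "review",
        method,
        primaryType,
        domainName: domain.name ?? null,
        verifyingContract: ADDRESS_RE.test(contract) ? contract.toLowerCase() : null,
        reason: ORDER_LIKE_RE.test(primaryType)
          ? `primary type "${primaryType}" looks like a sale order; check the price and recipient`
          : "structured data; review each field",
      };
    }
    default:
      return { risk: "review", method, reason: "unrecognized signing method" };
  }
}

// Constructed sample requests (signer address and hash are placeholders).
const SIGNER = "0x" + "11".repeat(20);
const SAMPLE_REQUESTS = [
  { method: "eth_sign", params: [SIGNER, "0x" + "ab".repeat(32)] },
  { method: "personal_sign", params: ["0x" + Buffer.from("Sign in to example app").toString("hex"), SIGNER] },
  {
    method: "eth_signTypedData_v4",
    params: [SIGNER, JSON.stringify({
      primaryType: "Order",
      domain: { name: "ExampleMarket", verifyingContract: "0x" + "22".repeat(20) },
      types: {}, message: {},
    })],
  },
];

for (const req of SAMPLE_REQUESTS) console.log(assessSignRequest(req));
```

Only the `block` outcome refuses outright; the `warn` outcome is what turns a phony sales order into a visible price and counterparty instead of an opaque prompt.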

Same ending number transfer scam - For this scam, attackers airdrop small amounts of tokens, such as .01 USDT or 0.001 USDT, to victims from an address that resembles the victim’s except for the last few digits.  The goal is to trick users into copying the wrong address from their transfer history.
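Wallet interfaces typically show only the first and last few characters of an address, which is exactly what this scam exploits.  The following is an added example, not code from SlowMist or Red Sky Alliance, of a client-side check a wallet could apply to a transfer history: it compares each sender against an address book on the full 40 hex characters, flags entries that merely match the visible prefix and suffix of a trusted address, and refuses to resolve a recipient from a visual match.  The function names, the default prefix/suffix lengths and all addresses are this example’s own constructed assumptions.

```javascript
// Added example (not from the SlowMist report): detect "same ending number"
// lookalike senders in a transfer history. Names and addresses are constructed.

const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

function normalize(addr) {
  if (!HEX_ADDRESS.test(addr)) throw new Error(`not a 20-byte hex address: ${addr}`);
  return addr.toLowerCase();
}

// A wallet UI usually shows "0x1a2b3c…9a0b"; an attacker only has to match what
// is visible. prefixLen/suffixLen count hex characters after the "0x".
function isLookalike(candidate, trusted, { prefixLen = 6, suffixLen = 4 } = {}) {
  const a = normalize(candidate).slice(2);
  const b = normalize(trusted).slice(2);
  if (a === b) return false; // identical addresses are not lookalikes
  return a.startsWith(b.slice(0, prefixLen)) && a.endsWith(b.slice(-suffixLen));
}

// Scan a transfer history against the address book and return every sender that
// mimics a trusted address on its visible characters but is not that address.
function findLookalikes(history, addressBook, opts) {
  const trusted = [...new Set(addressBook.map(normalize))];
  const flagged = [];
  for (const tx of history) {
    const from = normalize(tx.from);
    if (trusted.includes(from)) continue;
    const mimicked = trusted.find((t) => isLookalike(from, t, opts));
    if (mimicked) flagged.push({ txId: tx.id, suspicious: from, mimics: mimicked, value: tx.value });
  }
  return flagged;
}

// Resolve an address the user picked from history: succeed only on a full
// 40-character match with the address book, never on a visual match.
function resolveRecipient(picked, addressBook) {
  const p = normalize(picked);
  const trusted = addressBook.map(normalize);
  if (trusted.includes(p)) return { ok: true, address: p };
  const mimicked = trusted.find((t) => isLookalike(p, t));
  return { ok: false, reason: mimicked ? `lookalike of ${mimicked}` : "address not in address book" };
}

// Constructed sample data: one trusted deposit address, one poisoned sender that
// shares its first six and last four hex characters, and one unrelated sender.
const ADDRESS_BOOK = ["0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"];
const HISTORY = [
  { id: "tx-1", from: "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b", value: "100 USDT" },
  { id: "tx-2", from: "0x1a2b3cffffffffffffffffffffffffffffff9a0b", value: "0.001 USDT" },
  { id: "tx-3", from: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", value: "5 USDT" },
];

console.log(findLookalikes(HISTORY, ADDRESS_BOOK));
console.log(resolveRecipient(HISTORY[1].from, ADDRESS_BOOK));
```

The tiny airdrop in `tx-2` is the bait: it plants the lookalike in the history so that a later copy-paste picks it up.  Comparing on the full address, rather than on what the UI happens to render, is the whole defense.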

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

[1] https://www.oodaloop.com/technology/2023/01/16/5-sneaky-tricks-crypto-phishing-scammers-used-last-year-slowmist/
