WEB3 Security Series || Have you been 'phished' today? Web3 attack and loss case analysis

As applications in the web3 space keep multiplying, security problems have become prominent too. Phishing attacks have been occurring frequently of late, and new phishing techniques appear in an endless stream. Understanding clearly how phishing attacks work, and how to avoid being phished, is therefore especially important.

This series of articles starts from web3 security and will continue to track web3 security trends.

Email phishing

Attackers latch on to every kind of hot topic, such as NFT sales, wallet upgrades, NFT pre-sales, airdrop claims, contract upgrades, a project switching to a new website, discounted NFTs, lotteries and so on, to send phishing emails. These emails contain carefully imitated official websites, pre-sale platforms, App download links and the like, and users who do not pay close attention will be tricked.

Email phishing case

1. The hackers learned that OpenSea required users to migrate their sale listings, and knew that OpenSea had officially emailed the migration date and operation steps in advance.

2. The hackers built a phishing website in advance and deployed their contract.


3. Using a forged email, they notified users to perform the migration and guided the victims to "migrate" their sale listings on the phishing website. This migration step actually has the user sign a new sale order for their NFT, but the price in the signed sale order is 0.

4. The hacker obtains the sale order signed by the user, completes the purchase at a price of 0 by calling the OpenSea trading contract, and so takes the victim's NFT.

How to avoid

  • The sender address of an email can be forged, so the sender cannot be used to judge whether an email is official
  • After clicking a link, check whether the address shown in the browser is really the website you intended to visit
  • The official team will never ask you to provide any personal information by email; if an email does, question whether it is really official
  • Add the websites you commonly use to your bookmarks, and open them from the bookmark each time rather than from a link found elsewhere

Fake official website

A "phishing website" is a fake website used to deceive users. Its pages are practically identical to the interface of the real website, and it tricks users into giving up their private key or mnemonic phrase, which is then stolen. Phishing websites generally have only one or a few pages and differ only slightly from the real site. This kind of fraud has been around for a long time; the lures scammers spread are mostly airdrop claims, offers to help solve a problem, or similar pretexts.

Fake official website phishing

Phishing website: https://adidas-meta.com/


1. The attacker first created a Twitter account imitating the official account, tweeted a free claim for an Adidas avatar, and @-mentioned a large number of fans in the comments.


2. When you open the website, connect your wallet and click Claim Now, the site asks you to execute setApprovalForAll, which authorizes the attacker's account as an operator for your NFTs; if you click Reject, it keeps popping the request up again.


3. If you fail to close the phishing website in time and it keeps popping up the request just as you are about to make a real transaction, you may not look closely, mistake it for a request from OpenSea, and authorize it.

4. Once the authorization is granted, the attacker can transfer your NFTs away.


How to avoid

  • Double check that the Twitter account is the official one
  • Whenever you see a signing request for setApprovalForAll, double check the operator address being authorized
  • If you approved it by accident, revoke the authorization as soon as possible, before the attacker transfers the NFTs
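As an added example (not code from the original post), here is a small inspection routine that a wallet user or a browser-extension guard could run on a pending eth_sendTransaction request: it decodes a setApprovalForAll(address,bool) call, flags an operator address that is not on your own allowlist, and builds the calldata that revokes the approval if it was granted anyway. The allowlist entries and the sample request are constructed placeholders, not real addresses.

```javascript
// Added example, not from the original post. Pure JavaScript, no web3 library needed.

// 4-byte selector of setApprovalForAll(address,bool) (well-known ERC-721/1155 constant).
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Operators you genuinely intend to approve. Placeholder values: replace them with the
// marketplace contract addresses taken from the official documentation.
const TRUSTED_OPERATORS = new Set(
  ["0x1111111111111111111111111111111111111111"].map((a) => a.toLowerCase())
);

function stripHex(hex) {
  return hex.toLowerCase().replace(/^0x/, "");
}

// Decode a setApprovalForAll call; returns null for any other calldata.
function decodeSetApprovalForAll(data) {
  const d = stripHex(data);
  if (d.length !== 8 + 64 * 2 || d.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return null;
  const operator = "0x" + d.slice(8 + 24, 8 + 64); // address is right-aligned in word 1
  const approvedWord = d.slice(8 + 64, 8 + 128);
  if (!/^0{63}[01]$/.test(approvedWord)) return null; // ABI bool must be exactly 0 or 1
  return { operator, approved: approvedWord.endsWith("1") };
}

// Verdicts: "ok" (trusted operator), "suspicious" (unknown operator granted rights),
// "revoke" (approval being withdrawn, harmless), "other" (not this function at all).
function assessRequest(tx) {
  const call = decodeSetApprovalForAll(tx.data || "");
  if (!call) return { verdict: "other" };
  if (!call.approved) return { verdict: "revoke", ...call };
  const trusted = TRUSTED_OPERATORS.has(call.operator);
  return { verdict: trusted ? "ok" : "suspicious", ...call, collection: tx.to };
}

// Calldata for setApprovalForAll(operator, false): send it to the collection
// contract (tx.to above) to undo an approval that was granted by mistake.
function buildRevokeCalldata(operator) {
  return "0x" + SET_APPROVAL_FOR_ALL + stripHex(operator).padStart(64, "0") + "0".repeat(64);
}

// Constructed sample: a request from a phishing page naming an unknown operator.
const SAMPLE_PHISHING_TX = {
  to: "0x2222222222222222222222222222222222222222", // placeholder NFT collection
  data: "0xa22cb465" + "0".repeat(24) + "abcdefabcdefabcdefabcdefabcdefabcdefabcd" +
    "0".repeat(63) + "1",
};

console.log(assessRequest(SAMPLE_PHISHING_TX)); // verdict: "suspicious"
```

The same decode step applies to a request that shows up while you are on a legitimate marketplace: the operator in the calldata, not the page you happen to be looking at, is what decides who gains control of the collection.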


Source: blog.csdn.net/m0_37598434/article/details/125096926