Everything you need to know about phishing scams on Web3
Web3, cryptography, blockchain, and NFT, the industry introduced by Satoshi Nakamoto back in 2009, has spawned a trillion-dollar industry that will only grow in the coming years. As money continues to pour into space, so do thieves, hackers, and other nefarious criminals who see an opportunity to take advantage of those with no experience or are blinded by dreams of getting rich. As possibilities pile up, it becomes harder for attackers to deny those opportunities, thus increasing the number of thefts of cryptocurrencies that occur over the years and the total amounts that are generally compromised.
Some words about Web3
Web3, a blockchain-based decentralized online ecosystem, has become a subject of interest for crypto enthusiasts, tech experts, and more. For example, at the beginning of 2022, YouTube CEO Susan Wojcicki announced that Web3 represented a «previously unimaginable opportunity to grow the connection between creators and their fans; on the same day, two of her executives announced they were leaving to join … Web3 companies. The early development of applications involving cryptocurrencies and tokens (NFTs) has already been exploited to the advantage of cyber criminals, with $14 billion worth of cryptocurrencies stolen in 2021. Even though blockchain is one of the most secure technologies on the Internet, scammers or threat actors always find a way out by luring targets to click on a malicious link. Before people get excited about Web3, they should first look at some of the successful phishing scams launched recently.
What is phishing?
Phishing scams have been around since before the advent of the Internet. Ever since homes had only landline phones, from time to time, a stranger could call home and lure an unsuspecting child into divulging information that could compromise the safety of that child or his family. In the internet age, this scam has evolved into tricking unsuspecting users into clicking on links,
who can then install various forms of malware or ransomware on their devices. Such software, when activated, can do anything from logging keystrokes to controlling a device. In the Web3 world, scammers use links differently – to lure users into divulging information that would allow an attacker to gain access to a user's wallet. Such attacks, if successful, can cause the victim to disclose seed phrases, private keys, and other data, which would give the scammers access to a user's savings.
To read more about these schemes, visit here.
The most famous phishing scams
Since Web3 relies on blockchain technology, it is inherently secure. But the fact remains that people will always be vulnerable to manipulation, so phishing is one of the top attack vectors. In addition, blockchain allows attackers to remain anonymous, and stolen funds are usually non-refundable. If you want to know more about blockchain technology, you can visit the platform ICOholder. Check it out: icoholder.com. Let's look at some of the most common cryptocurrency and blockchain phishing scams that recently surfaced.
Airdrops are a marketing, or promotional tool organizations use to encourage users to use their products, services, or platforms. Companies usually drop cryptocurrencies (or money) to a user's wallet address in exchange for an action, such as launching a new product, offering a new coin, promoting a brand, or signing up on social media. Since free money attraction and FOMO (fear of missing out), airdrops have become popular among early crypto investors.
However, airdrops are often used to run phishing campaigns. For example, through a giveaway, users may receive an email, SMS, or social media message about adding some random cryptocurrency to their wallet. The victim then goes to another exchange where she can sell the coin. The website asks victims to connect their wallets only to find out about the withdrawal of all funds. Last year, malicious NFTs sent over the air helped attackers steal hundreds of thousands of dollars worth of collectibles from the OpenSea NFT marketplace.
Like ice fishing in the real world, when a hole is made in a frozen lake to catch fish, ice phishing is a new Web3 clickjacking scheme that tricks users into assigning or delegating custom token endorsement to a cybercriminal. According to Microsoft, the user interface of the intelligent contract is such that it does not become apparent to the victim the transaction was fake. All the attacker must do is change the payer address to the attacker's address and wait for the victim to authorize the transaction by approving the attacker's account. (In the parlance of cryptography, a "spender" is allowed to spend on behalf of the owner.)
In this case, the attacker modified the intelligent contract's user interface by injecting a malicious script into the front end of the smart contract. A similar attack occurred on the BadgerDAO exchange late last year when attackers used ice phishing to steal $120 million worth of cryptocurrencies.
Fraudulent emails, websites, and social media accounts
Phishing emails and fake URLs are one of the oldest tricks in the book. Similarly, Web3 is rife with copycat websites, social media accounts, and scam emails. From get-rich-quick schemes to pump-and-dump schemes, fake promotions, and promising new cryptocurrencies, email scams cost users millions of dollars each year.
Last year, a leading cryptocurrency exchange lost $55 million because a cryptocurrency developer opened a phishing email with a malicious attachment. Cryptocurrency-related scams are growing exponentially on social media. Fraudsters often pose as genuine sources, celebrities, friends, or family members, encouraging users to visit fake websites or make fictitious investments. Two-faced developers resort to the famous scam as soon as investments pick up steam, leaving investors with worthless assets. The rug scam cost investors a whopping $2.8 billion in 2021.
Phishing with a seed phrase
In addition to the above three options for digital money fraud, it is worth talking about the features of using the seed phrase.
The so-called seed phrase is a master key that opens access to all digital assets. It's like giving someone your bank account username and password. Some phishing scams trick persons into divulging their seed phrase, causing them to lose funds stored in crypto wallets. For example, phishers exploited Google Ads to promote their scam and redirect users to phishing websites or browser extensions that appear legitimate. As a step of the account registration or recovery process, the unsuspecting victim must go through a recovery step provided by the attacker. The perpetrator then uses the exact phrase to empty the victim's wallet immediately. Popular crypto wallet Metamask alerted users to Twitter bots that asked users to enter their seed phrases on Google forms as part of the account recovery process.
Prospects for crypto crime
With the increase in the number of new entrants into the cryptocurrency space, the number of users and the money they bring with them will grow significantly in the coming years. While this will be good for the common area, it will also lead to a new wave of scammers and scammers who will constantly find ways to deprive people of their money. As incentives grow, so will the number of scammers and the sophistication of their schemes to trick people into divulging information that allows thieves to access funds.
New market entrants should be aware that the crypto world is very different from the traditional financial institutions that most people are used to dealing with. Banks and other custodians often have government or company-backed guarantees to protect their customers. The consequences of fraudulent charges on credit cards can be offset by card companies, while the bank or the government can insure the theft of bank deposits.
In Web3, all this disappears. On the positive side, people become masters of their money, having complete control over their assets at all times. The downside is that the people involved in such an economy are solely responsible for keeping their funds safe, as there are no third parties involved in this new era of finance. Once the funds leave the crypto wallet, they effectively disappear. Therefore, users must be aware of the types of scams mentioned above. Additionally, users should consider additional layers of security, including implementing a blockchain monitoring solution for their wallets. Such a solution will allow users to perform cryptographic monitoring and inform the wallet's owner of any activity in the wallet. You can quickly implement free blockchain monitoring solutions without technical knowledge. With crypto monitoring, the user instantly receives information when a transaction occurs that they did not authorize. Such knowledge could let the user report such actions immediately and possibly enable enough time to freeze the transaction before the blockchain confirms it.
Cryptocurrency is an exciting and transformative space to be a part of. However, users should regularly remember that the area is still in its infancy, and many proposed technologies are still developing. Vulnerabilities exist, and Web3 contributors must remember to always be on the lookout to protect their assets. Awareness of common scams and implementing blockchain monitoring solutions or other lines of defense are critical to keeping funds safe and secure.