
OKX Web3 latest release: On-chain anti-phishing and secure transaction guide

2024-04-12 16:54


Entering a new cycle, the risks of on-chain interactions are increasingly exposed as user activity increases. Phishers usually use fake wallet websites, steal social media accounts, create malicious browser plug-ins, send phishing emails and messages, and publish fake applications to induce users to disclose sensitive information, resulting in asset losses. Phishing forms and scenarios are diverse, complex, and hidden.


For example, phishers generally create fake websites that look similar to legitimate wallet websites to induce users to enter their private keys or mnemonics. These fake websites are usually promoted through social media, emails, or advertisements to mislead users into thinking that they are accessing legitimate wallet services, thereby stealing users' assets. In addition, phishers may use social media platforms, forums, or instant messaging applications to disguise themselves as wallet customer service or community administrators, send false messages to users, and ask them to provide wallet information or private keys. This method exploits users' trust in official channels and induces them to disclose private information.


In short, these cases highlight the threat that phishing poses to Web3 wallet users. To help users improve their awareness of Web3 wallet security and protect their assets from loss, OKX Web3 conducted in-depth community research and collected phishing incidents encountered by many Web3 wallet users. From these it extracted the four most common phishing scenarios and, using segmented cases for each scenario with a combination of graphics and text, wrote this latest guide on how Web3 users can transact safely, for everyone to learn from and refer to.


Sources of malicious information


1. Replies to popular projects on Twitter


Replies to popular projects on Twitter are one of the main channels for malicious information. A phishing Twitter account can be exactly the same as the official account in logo, name, verification badge, etc., and can even have tens of thousands of followers. The only thing that distinguishes the two is the Twitter handle (watch for similar-looking characters). Users must be careful.



In addition, fake accounts often deliberately reply to official tweets with replies that contain phishing links, which users can easily mistake for official links. At present, some official accounts add an "End of Tweet" post to their threads to remind users to guard against phishing links in subsequent replies.



2. Stealing official Twitter/Discord


To increase credibility, phishers also take over the official Twitter/Discord accounts of project teams or KOLs and publish phishing links in the official name, so many users are easily fooled. For example, Vitalik's Twitter account and the official Twitter account of the TON project have both been stolen, and phishers took the opportunity to publish false information or phishing links.



3. Google search ads


Phishers sometimes use Google search ads to publish malicious links. Users see the name displayed in the browser as an official domain name, but the link they jump to after clicking is a phishing link.



4. Fake applications


Phishers can also use fake applications to mislead users. For example, when users download and install fake wallets released by phishers, their private keys will be leaked and their assets will be lost. There are Telegram installation packages that have been modified by phishers, which have changed the on-chain addresses for receiving and sending tokens, resulting in the loss of user assets.



5. Countermeasures: OKX Web3 wallet supports phishing link detection and risk reminders


Currently, OKX Web3 wallet supports phishing link detection and risk reminders to help users better deal with the above problems. For example, when a user uses a browser to access a website through the OKX Web3 plug-in wallet, if the domain name is a known malicious domain name, the user receives an alert immediately. In addition, if a user uses the OKX Web3 APP to access a third-party DAPP in the Discover interface, the OKX Web3 wallet automatically performs risk detection on the domain name. If it is a malicious domain name, the wallet will intercept the access and warn the user.



Wallet Private Key Security


1. Conduct project interaction or qualification verification


Phishers will disguise a page as a plug-in wallet pop-up or any other web page while the user is interacting with a project or verifying qualifications, and ask the user to fill in the mnemonic/private key. These are generally malicious websites, and users should be vigilant.



2. Impersonate the customer service or administrator of the project


Phishers often impersonate the project's customer service or a Discord administrator and provide a URL where the user is asked to enter the mnemonic or private key. Anyone who does this is a phisher.



3. Other possible paths for mnemonics/private keys to leak


There are many possible paths for user mnemonics and private keys to leak, including: the computer being implanted with Trojan virus software; the computer using a fingerprint browser for robocalls; the computer using remote control or proxy tools; the mnemonic/private key being screenshotted and saved to the photo album, then uploaded and backed up to the cloud by a malicious app, or the cloud platform being compromised; the mnemonic/private key being monitored while it is typed in; people nearby physically obtaining mnemonic/private key files or papers; and developers pushing code containing private keys to GitHub.


In short, users need to store and use mnemonics/private keys safely to better protect their wallet assets. For example, as a decentralized self-hosted wallet, OKX Web3 wallet currently supports a variety of mnemonic/private key backup methods, such as iCloud/Google Drive cloud, manual, and hardware backup. It has grown into one of the wallets on the market with relatively comprehensive private key backup support, providing users with a relatively safe way to store private keys. To address private key theft, OKX Web3 wallet already supports mainstream hardware wallets such as Ledger, Keystone, and Onekey relatively comprehensively. The private key of a hardware wallet is stored in the hardware wallet device and controlled by the user, thereby ensuring the security of assets. That is, the OKX Web3 wallet allows users to manage assets safely through hardware wallets while freely participating in on-chain token transactions, NFT markets, and various dApp project interactions. In addition, the OKX Web3 wallet has launched an MPC keyless wallet and an AA smart contract wallet to help users further simplify private key management.


4 classic phishing scenarios


Scenario 1: Stealing main chain tokens


Phishers often give malicious contract functions misleading names such as Claim and SecurityUpdate, while the actual function logic is empty, so the only effect of the call is to transfer the user's main chain tokens. Currently, the OKX Web3 wallet has launched a transaction pre-execution function, which displays the asset and authorization changes that will result once the transaction is on the chain, further reminding users to pay attention to security. In addition, if the contract being interacted with or the authorization address is a known malicious address, a red security reminder is issued.



Scenario 2: Transfers to similar addresses


When a large transfer is detected, the phisher will generate an address with the same first few digits as the receiving address through address collision, use transferFrom to transfer a zero amount, or use fake USDT to transfer a certain amount, polluting the user's transaction history, hoping that the user will copy the wrong address from the transaction history for subsequent transfers to complete the fraud.


https://www.oklink.com/cn/trx/address/TT3irZR6gVL1ncCLXH3PwQkRXUjFpa9itX/token-transfer



https://tronscan.org/#/transaction/27147fd55e85bd29af31c00e3d878bc727194a377bec98313a79c8ef42462e5f
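A history check for the poisoning pattern in Scenario 2, as an added example that is not code from the article or from OKX: it flags history entries whose counterparty imitates a trusted address and arrives via a zero-amount or fake-token transfer. The `Transfer` record, the 4-character head/tail window and every address below are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    counterparty: str  # other address shown in the wallet history entry
    token: str         # contract that emitted the transfer
    amount: int        # raw amount in the token's smallest unit

def _norm(addr: str) -> str:
    # Hex addresses are case-insensitive; base58 (TRON) addresses are not.
    return addr[2:].lower() if addr[:2].lower() == "0x" else addr

def is_lookalike(candidate: str, trusted: str, head: int = 4, tail: int = 4) -> bool:
    """A different address that matches a trusted one where wallets truncate it."""
    c, t = _norm(candidate), _norm(trusted)
    return c != t and (c[:head] == t[:head] or c[-tail:] == t[-tail:])

def find_poisoning(history, trusted, genuine_tokens):
    """Return (counterparty, imitated address, reasons) for suspicious entries."""
    genuine = {_norm(t) for t in genuine_tokens}
    findings = []
    for tx in history:
        imitated = next((a for a in trusted if is_lookalike(tx.counterparty, a)), None)
        if imitated is None:
            continue
        reasons = ["look-alike of a trusted address"]
        if tx.amount == 0:
            reasons.append("zero-amount transfer")
        if _norm(tx.token) not in genuine:
            reasons.append("token contract not on the genuine list")
        findings.append((tx.counterparty, imitated, reasons))
    return findings

# Constructed sample data: none of these are real addresses.
USDT = "0x" + "aa" * 20        # stands in for the genuine token contract
FAKE_USDT = "0x" + "bb" * 20   # stands in for a same-named fake token
PAYEE = "0x1a2b3c4d" + "00" * 12 + "5e6f9f8e"
POISON = "0x1a2b3c4d" + "ff" * 12 + "77779f8e"
HISTORY = [
    Transfer(PAYEE, USDT, 5_000_000_000),         # the user's real large transfer
    Transfer(POISON, USDT, 0),                    # zero-amount transferFrom
    Transfer(POISON, FAKE_USDT, 5_000_000_000),   # fake-token transfer
    Transfer("0x" + "cd" * 20, USDT, 1_000_000),  # unrelated counterparty
]

if __name__ == "__main__":
    for finding in find_poisoning(HISTORY, [PAYEE], [USDT]):
        print(finding)
```

The safer habit the check supports is comparing the full address against an address book entry rather than copying from history.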



Scenario 3: On-chain authorization


Phishers usually trick users into signing approve / increaseAllowance / decreaseAllowance / setApprovalForAll transactions, and have upgraded to using Create2 to generate precomputed new addresses, bypassing security detection and defrauding users of their authorization. OKX Web3 wallet issues security reminders for authorization transactions. Users are advised to note that such a transaction is authorization-related and to be aware of the risks. In addition, if the address being authorized is a known malicious address, a red warning message is issued to prevent users from being deceived.
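How a wallet-side check can recognise the four authorization calls named above from raw calldata, as an added example that is not OKX's implementation: it matches the standard 4-byte function selectors, decodes the grantee and amount, and treats a denylist miss as inconclusive because a freshly deployed Create2 address is never listed. The function name, the "warn"/"red" levels and the sample calldata are assumptions constructed for illustration.

```python
APPROVAL_SELECTORS = {  # first 4 bytes of keccak256(signature)
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a457c2d7": "decreaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1

def inspect_calldata(calldata, denylist=frozenset()):
    """Return None for non-authorization calls, else a warning dict."""
    raw = bytes.fromhex(calldata[2:] if calldata[:2].lower() == "0x" else calldata)
    function = APPROVAL_SELECTORS.get(raw[:4].hex())
    if function is None:
        return None
    if len(raw) < 68 or any(raw[4:16]):
        # Expect two 32-byte words; the address word has 12 leading zero bytes.
        return {"function": function, "level": "red", "notes": ["malformed arguments"]}
    grantee = "0x" + raw[16:36].hex()
    value = int.from_bytes(raw[36:68], "big")
    level, notes = "warn", ["authorization-related transaction"]
    if function.startswith("setApprovalForAll"):
        notes.append("operator approved for all tokens" if value else "operator approval revoked")
    elif value == MAX_UINT256:
        notes.append("unlimited amount")
    if grantee in {a.lower() for a in denylist}:
        level = "red"
        notes.append("grantee is a known malicious address")
    else:
        # A denylist miss proves nothing: a new Create2 address is never listed.
        notes.append("grantee not on denylist (new addresses never are)")
    return {"function": function, "grantee": grantee, "value": value,
            "level": level, "notes": notes}

# Constructed sample calldata; the addresses are made up.
GRANTEE = "0x" + "de" * 20
PAD = "00" * 12
APPROVE_MAX = "0x095ea7b3" + PAD + "de" * 20 + "ff" * 32
APPROVE_ALL = "0xa22cb465" + PAD + "de" * 20 + "00" * 31 + "01"
PLAIN_TRANSFER = "0xa9059cbb" + PAD + "de" * 20 + "00" * 31 + "64"

if __name__ == "__main__":
    for sample in (APPROVE_MAX, APPROVE_ALL, PLAIN_TRANSFER):
        print(inspect_calldata(sample, denylist={GRANTEE}))
```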


 


Scenario 4: Off-chain signature


In addition to on-chain authorization, phishers also induce users to sign off-chain. For example, ERC20 token authorization allows users to authorize another address or contract to spend a certain amount, and the authorized address can then transfer the user's assets through transferFrom. Phishers use this feature to commit fraud. Currently, OKX Web3 wallet is developing a risk warning function for such scenarios: when a user signs an off-chain signature, the wallet parses the address being authorized in the signature and, if it matches a known malicious address, warns the user of the risk.
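The parsing step described above, as an added example that is not OKX's implementation: it assumes the off-chain request is an EIP-712 typed-data message of the EIP-2612 `Permit` type (the article does not name a specific format) and extracts the spender, amount and deadline before anything is signed. The function name, the one-hour lifetime limit and the sample request are assumptions constructed for illustration; the sample omits the `types` section a real request carries.

```python
import json

MAX_UINT256 = 2**256 - 1

def _num(v):
    # uint256 fields arrive as numbers, decimal strings or 0x-hex strings.
    return v if isinstance(v, int) else int(str(v), 0)

def inspect_typed_data(payload, now, denylist=frozenset(), max_ttl=3600):
    """Summarise an EIP-712 signing request; None if it is not a Permit."""
    doc = json.loads(payload)
    if doc.get("primaryType") != "Permit":
        return None
    msg, domain = doc["message"], doc.get("domain", {})
    spender = str(msg["spender"]).lower()
    value, deadline = _num(msg["value"]), _num(msg["deadline"])
    level = "warn"
    notes = ["signature authorizes spending without an on-chain transaction"]
    if value == MAX_UINT256:
        notes.append("unlimited amount")
    if deadline - now > max_ttl:
        notes.append("signature stays usable for more than %d seconds" % max_ttl)
    if spender in {a.lower() for a in denylist}:
        level = "red"
        notes.append("spender is a known malicious address")
    return {"token": domain.get("verifyingContract"),
            "chain_id": domain.get("chainId"),
            "owner": msg.get("owner"), "spender": spender, "value": value,
            "level": level, "notes": notes}

# Constructed request, shaped like the JSON passed to eth_signTypedData_v4.
SPENDER = "0x" + "de" * 20
SAMPLE_REQUEST = json.dumps({
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "aa" * 20},
    "message": {"owner": "0x" + "11" * 20, "spender": SPENDER,
                "value": str(MAX_UINT256), "nonce": 0, "deadline": 4102444800},
})

if __name__ == "__main__":
    print(inspect_typed_data(SAMPLE_REQUEST, now=1712912040, denylist={SPENDER}))
```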



Other phishing scenarios


Scenario 5: TRON account permissions


This type of scenario is relatively abstract. Generally, phishers control users' assets by obtaining their TRON account permissions. TRON account permission settings are similar to those of EOS: they are divided into Owner and Active permissions and can be set up in a multi-signature format for permission control. The following permission settings have an Owner threshold of 2, and the weights of the two addresses are 1 and 2 respectively. The first address is the user address, with a weight of 1, so it cannot operate the account alone.


https://tronscan.org/#/wallet/permissions
https://www.oklink.com/trx/tx/1fe56345873425cf93e6d9a1f0bf2b91846d30ca7a93080a2ad69de77de5e45f
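The threshold arithmetic from Scenario 5 as an account audit, in an added example that is not from the article: for each permission it lists the minimal sets of keys that can sign and reports whether the user can still act alone. The dictionary layout (`owner_permission`, `active_permission`, `threshold`, `keys`, `weight`) is modelled on TRON's account JSON and is an assumption here, and both addresses are placeholders.

```python
from itertools import combinations

def signer_sets(permission):
    """Minimal sets of key addresses whose combined weight meets the threshold."""
    weights = {k["address"]: k["weight"] for k in permission["keys"]}
    found = []
    for size in range(1, len(weights) + 1):
        for combo in combinations(sorted(weights), size):
            if any(set(s) <= set(combo) for s in found):
                continue  # a smaller set inside this one already suffices
            if sum(weights[a] for a in combo) >= permission["threshold"]:
                found.append(combo)
    return found

def audit_account(account, user):
    """Per permission: can `user` sign alone, and who can sign without them?"""
    report = {}
    perms = [account["owner_permission"]] + account.get("active_permission", [])
    for perm in perms:
        sets = signer_sets(perm)
        report[perm.get("permission_name", "unnamed")] = {
            "user_alone": (user,) in sets,
            "others_without_user": [s for s in sets if user not in s],
        }
    return report

# Constructed account mirroring the article's case: Owner threshold 2,
# user key weight 1, second key weight 2. Addresses are placeholders.
USER = "T_USER_ADDRESS_PLACEHOLDER"
OTHER = "T_SECOND_ADDRESS_PLACEHOLDER"
SAMPLE_ACCOUNT = {
    "owner_permission": {
        "permission_name": "owner",
        "threshold": 2,
        "keys": [{"address": USER, "weight": 1},
                 {"address": OTHER, "weight": 2}],
    },
}

if __name__ == "__main__":
    print(audit_account(SAMPLE_ACCOUNT, USER))
```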




Scenario 6: Solana tokens and account permissions


The phisher modifies the Ownership of the token's ATA account through SetAuthority, which is equivalent to transferring the token to the new Owner address. Once a user is phished this way, the assets are transferred to the phisher. In addition, if the user signs an Assign transaction, the Owner of their normal account is changed from the System Program to a malicious contract.



Scenario 7: EigenLayer calls queueWithdrawal


Protocols can also be exploited by phishers because of their own design mechanisms and other issues. The queueWithdrawal call of EigenLayer, an Ethereum middleware protocol, allows another address to be specified as the withdrawer. A user was phished into signing such a transaction, and seven days later the specified address obtained the user's staked assets through completeQueuedWithdrawal.


Explore the world on the chain, safety first


Safe use of Web3 wallets is a key measure to protect assets. Users should take precautions to prevent potential risks and threats. You can choose the well-known OKX Web3 wallet that has been audited by the industry to explore the world on the chain more safely and conveniently.


As the most advanced and comprehensive wallet in the industry, the OKX Web3 wallet is fully decentralized and self-hosted, supporting users to play with on-chain applications in one stop. It now supports 85+ public chains, and the three terminals of App, plug-in, and web page are unified, covering 5 major sections: wallet, DEX, DeFi, NFT market, DApp exploration, and supporting Ordinals market, MPC and AA smart contract wallets, exchange Gas, connect hardware wallets, etc. In addition, users can also increase the security of their wallets by safely protecting private keys and mnemonics, regularly updating wallet applications and operating systems, carefully handling links and information, and enabling multi-factor authentication.


In short, in the on-chain world, asset security is above all else.


Users need to keep in mind these 3 Web3 security rules: do not fill in mnemonics/private keys on any web page; be careful before clicking the confirmation button on the wallet transaction interface; and treat links obtained from Twitter/Discord/search engines as possible phishing links.

