Dealing with ENS Names? Beware of this phishing attack…

Sending money to a .eth domain instead of plain ethereum address? Accessing a smart contract by it’s publicized .eth name? Or, buying a coveted name on an aftermarket auction platform like https://enslisting.com? You need to be aware of this attack vector.

The names are not what they look.

Here is a small warm up exercise. Spot the infested names from the list below:

1a. microsoft​.eth

1b. micorsoft.eth

1c. microsoft.eth

2a. dark​market.eth

2b. darkmarket.eth

If you answered 1b, wrong!

micorsoft is the misspelling for microsoft, but that one atleast you can spot if you are being careful. What if I told you 1a and 2a are also infested?

Here is the next exercise.

Open multiple windows of https://etherscan.io/enslookup, copy 1a and 1c and paste them on two different windows (on the search boxes). Look closely the namehash, owner, and highest bid:

Notice, one name was bought for 60 ETH, and the other one for 0.01 ETH.

If you were asked to send 5 ETH to microsoft, will you send to microsoft​.eth or microsoft.eth?

One of those names has a Zero Width character at the end, more like microsoft<invisiblecharacter>.eth

Until all the Wallet Clients take care of this and alert users, you need to be vigilant.

Here are a few things you can do:

1. First, copy the address into notepad, and use the arrow keys on your keyboard to go from beginning to end. does the name pause at any character and requires two keystrokes to move to the next char? You just spotted a non printable character.
2. Now, copy the address as it is, paste it in etherscan.io/enslookup. Open another window of etherscan, type in the correct spelling yourself. Does the namehash on both windows match? If not, you just saved yourself from a phishing attack.

Let me know if that helps. I had raised the ticket https://github.com/ethereum/ens/issues/240 for this, depending on what wallet client you use, you may or may not be at risk. Better be safe than sorry.

Now, a final exercise. Spot which version of darkmarket is infested, and where the infested character is.

<11/10/2017> The plot thickens.

See anything wrong with this name?

micrоsoft.eth

It is also an infested name, try to figure out what is wrong with it (the arrow keys trick wont cut it this time).

Finished your research? This apparently is a legally valid name per UTS46 standards, the o after r is not the regular o, it is Cyrillic Small Letter O https://vazor.com/unicode/c043E.html

Coincidentally, Nick Johnson alluded to a second layer blacklist / reputation oracle running on top of ENS registry to weed out these names though consensus mechanism, that should probably bubble up to the top in terms of priority. See the link for the video here https://medium.com/@enslisting.com/ens-talk-at-devcon-3-the-unoffical-summary-66afdb2247d1

Till then, no copy/paste, please use the good old keyboard to type in ens names letter by letter folks!

Mano Samy