Researcher-in-residence in the Forta community who previously spent 14 years...
The Web3 ecosystem has continued to grow at an unfathomable pace over the last couple of years, with some
In its most basic sense, a phishing attack is a type of online fraud that tricks unsuspecting users into revealing their sensitive private data — such as passwords, credit card numbers, etc. — to cybercriminals posing as trustworthy sources. These schemes can be facilitated via various avenues, including email, social media, or malicious websites.
In this regard, a
Lastly, the study states that over the first half of 2022, various hacks and exploits compromised over $2B. For perspective, this figure is already more than the total volume of funds lost during all of 2021. Researchers also believe this number will continue to rise in the near- to mid-term.
According to Web3 cybersecurity firm TRM Labs, crypto assets and non-fungible tokens (NFTs)
Phishing remains the first vector of attack for most hackers because it is designed to psychologically manipulate users — especially individuals who are not well-versed in today’s pervading cybersecurity trends.
To this point, most phishing scams use social engineering tactics where hackers send messages to their potential victims. These typically involve letting them know about a lucrative token launch, potential account breach, moonshot projects that can allow them to maximize their capital within days, etc. Furthermore, a vast majority of these messages require users to act within a fixed time window, thus playing up the element of FOMO (fear of missing out) in victims’ minds.
In essence, airdrops are promotional tools that many companies implement to get people to use their services. Because they provide signees with free money, they have become extremely popular among crypto enthusiasts over the past couple of years.
With that in mind, it’s no wonder why airdrops are prime avenues for carrying out phishing ploys. For instance, hackers can send out messages to unsuspecting individuals, telling them their wallets have been credited with a particular digital asset. Once the victim is lured in, they are redirected to a trading platform where they need to connect their wallets. However, as soon as this happens, the hackers can then steal their funds.
As pointed out earlier, the most common means of carrying out a phishing attack is using fake emails and URLs. Since the Web3 ecosystem is still relatively young, it is full of fraudulent yet realistic website fakes, copycat social media accounts, and more. Therefore, it is vital that users not respond to any unsolicited messages, no matter how tempting or real they may appear.
In this regard, it should be pointed out that late last year, an employee working for prominent crypto trading platform bZx opened a phishing mail that cost his firm a whopping $55M.
Also referred to as ‘Ice Phishing’, this is an elaborate scheme where hackers need to make amendments to the smart contract UI of a platform, primarily by injecting it with a malicious script. As a result, users unknowingly send funds to the wrong wallet address.
As most crypto users may be aware, a seed phrase is a set of random words that serves as a sort of ‘master key’, allowing anyone possessing them to access a person’s assets. In recent months, more and more hackers have begun using novel means (such as copycat websites, fake browser extensions, etc.) to phish out users’ seed keys. Once obtained, they can immediately drain the victim’s wallet of its holdings.
To fortify from phishing attacks, users must not respond to emails, SMSs, or other third-party messages (received via Telegram, Whatsapp, etc.) from an unknown source. Moreover, users must never supply their credentials or personal information in response to these messages since most reputable crypto firms will never ask their clients for such details.
It is also in crypto owners’ best interest to avoid sharing their credentials or personal information when using a public or shared WiFi network. Another good practice is to avoid having a false sense of security because one may be using a particular OS or smartphone that has been touted as ‘unhackable’. Whether one uses an iPhone, Linux, Mac, or iOS, the problem is not the device or the operating system itself — but the website in question.
Even if the Web3 ecosystem becomes more resilient to phishing attacks, hackers will still find novel ways to facilitate their nefarious deeds. Thus, it is in the best interest of crypto users to become wary of the various tactics employed by hackers, as well as the duty of cybersecurity firms to educate the masses to mitigate any potential issues.
Lead Image source.