1. Analysis of common fishing techniques

1. Permit off-chain signature phishing

Permit is an extended function for authorization under the ERC-20 standard. Simply put, you can sign to approve other addresses to move your Token. The principle is that you use a signature to indicate that the authorized address can use your tokens through this signature, and then the authorized address takes your signature to perform on-chain permit interaction and obtains the call authorization and can transfer you. asset. Permit off-chain signature phishing is usually divided into three steps:

(1) The attacker forges phishing links or phishing websites to induce users to sign through the wallet (no contract interaction, no on-chain).

Signature object: DAI/USDC/WETH and other ERC20 tokens (here is DAI)

holder:// signature address

spender:// phisher address

nonce:0

expiry:1988064000 // Expiration time

allowed:true

If signed, the phisher will obtain the signature (a period of r, s, v values) used to steal DAI/USDC/WETH and other ERC20 tokens (here, DAI) from the victim. When the phisher interacts with the permit function need to be used).

(2) The attacker calls the permit function to complete authorization.

https://etherscan.io/tx/0x1fe75ad73f19cc4c3b658889dae552bb90cf5cef402789d256ff7c3e091bb662

(3) The attacker calls the transferFrom function to transfer the victim’s assets and complete the attack.

Let me first explain the difference between transfer and transferFrom. When we directly transfer ERC20, we usually call the transfer function in the ERC20 contract, and transferFrom is usually used when authorizing a third party to transfer the ERC20 in our wallet to other addresses. .

https://etherscan.io/tx/0x9c02340896e238fc667c1d84fec78af99b1642c986fe3a81602903af498eb938

Additional explanation: This signature is a Gas-free off-chain signature. After the attacker obtains it, he will perform permit and transferFrom on-chain interactions, so the authorization record cannot be seen in the on-chain record of the victim’s address. In the attacker’s address can be seen. Generally speaking, this signature is a one-time use and does not create repeated or ongoing phishing risks.

2. Permit2 off-chain signature phishing

Permit2 is a smart contract launched by Uniswap at the end of 2022 for the convenience of users. It is a token approval contract that allows token authorization to be shared and managed in different DApps. In the future, as more and more projects will be integrated with Permit2 , the Permit2 contract can achieve a more unified authorization management experience in the DApp ecosystem and save user transaction costs.

Before the emergence of Permit2, token exchange on Uniswap required authorization (Approve) and then exchange (Swap), which required two operations and the gas fees of two transactions. After the launch of Permit2, users can authorize all their quotas to Uniswap’s Permit2 contract at once, and each subsequent redemption only requires an off-chain signature.

Although Permit2 improves the user experience, it is followed by phishing attacks targeting Permit2 signatures. Similar to Permit off-chain signature phishing, Permit2 is also off-chain signature phishing. This attack is mainly divided into four steps:

(1) The prerequisite is that the user’s wallet has used Uniswap before being phished and authorized the token limit to Uniswap’s Permit2 contract (Permit2 will allow the user to authorize the entire balance of the token by default).

https://etherscan.io/tx/0xd8f0333b9e0db7175c38c37e490379bde5c83a916bdaa2b9d46ee6bff4412e8f

(2) The attacker forges phishing links or phishing pages to induce users to sign. The phishing attacker obtains the required signature information, which is similar to Permit off-chain signature phishing.

(3) The attacker calls the permit function of the Permit2 contract to complete authorization.

https://etherscan.io/tx/0xd8c3f55dfbc8b368134e6236b296563f506827bd5dc4d6c0df39851fd219d658

(4) The attacker calls the transferFrom function of the Permit2 contract to transfer the victim’s assets out and complete the attack.

https://etherscan.io/tx/0xf6461e003a55f8ecbe919a47b3c0dc6d0f068e48a941658329e35dc703138486

Supplementary note: There are usually multiple addresses where attackers receive assets. Usually one of the recipients with the largest amount is the attacker who implements phishing, and the others are black addresses that provide phishing-as-a-service (phishing-as-a-service DaaS providers). address, such as PinkDrainer, InfernoDrainer, AngelDrainer, etc.).

3. eth_sign on-chain blind sign fishing

eth_sign is an open signature method that can sign any hash. The attacker only needs to construct any malicious data that needs to be signed (such as token transfer, contract call, authorization acquisition, etc.) and induce the user to sign through eth_sign. The attack can be completed.

MetaMask will give a risk warning when signing eth_sign. Web3 wallets such as imToken and OneKey have disabled this function or provided risk warnings. It is recommended that all wallet manufacturers disable this method to prevent users from being attacked due to lack of security awareness or necessary technical accumulation.

4. personal_sign/signTypedData on-chain signature phishing

personal_sign and signTypedData are commonly used signature methods. Usually users need to carefully check whether the initiator, domain name, signature content, etc. are safe. If they are risky, they should be extra vigilant.

In addition, if personal_sign and signTypedData are used as “blind signatures” like the above, the user cannot see the clear text, which makes it easy to be used by phishing gangs, which will also increase the risk of phishing.

5. Authorized Phishing

By forging a malicious website or hanging a horse on the project’s official website, attackers induce users to confirm operations such as setApprovalForAll, Approve, Increase Approval, and Increase Allowance, obtain the user’s asset operation authorization, and commit theft.

（1）setApprovalForAll

Taking the PREMINT horse phishing incident as an example, a js file (https://s3-redwood-labs.premint.xyz/theme/js/boomerang.min.js) on the project website was injected with malicious code. A malicious js file (https://s3-redwood-labs-premint-xyz.com/cdn.min.js?v=1658050292559) will be created dynamically. The attack is initiated by this malicious script.

Because the user did not discover the risk in time, he confirmed the setApprovalForAll operation and inadvertently leaked the operation authorization for the asset, resulting in the asset being stolen.

（2）Approve

Similar to setApprovalForAll, the user confirmed the Approve operation, leaking the operation authorization for the asset, resulting in the asset being stolen.

Approve Misauthorization:

https://etherscan.io/tx/0x4b0655a5b75a9c078653939101fffc1d08ff7e5c89b0695ca6db5998214353fa

The attacker transfers assets through transferFrom:

https://etherscan.io/tx/0x0dedf25777ff5483bf71e70e031aacbaf50124f7ebb6804beb17aee2c15c33e8

The attack principle of the Increase Approval and Increase Allowance functions is similar to this. By default, the attacker’s upper limit for operating the victim’s address tokens is 0. However, after being authorized by these two functions, the attacker increases the limit for the victim’s tokens. operation limit, and then the amount of tokens can be transferred.

（3）Increase Approval

Increase Approval Misauthorization:

https://etherscan.io/tx/0x7ae694080e2ad007fd6fa25f9a22ca0bbbff4358b9bc84cc0a5ba7872118a223

The attacker transfers assets through transferFrom:

https://etherscan.io/tx/0x15bc5516ed7490041904f1a4c594c33740060e0f0271cb89fe9ed43c974a7a69

（4）Increase Allowance

Increase Allowance Misauthorization:

https://etherscan.io/tx/0xbb4fe89c03d8321c5bfed612fb76f0756ac7e99c1efaf7c4d99d99f850d4de53

The attacker transfers assets through transferFrom:

https://etherscan.io/tx/0xb91d7b1440745aa07409be36666bc291ecc661e424b21b855698d488949b920f

6. Address pollution phishing

Address pollution phishing is also one of the recent rampant phishing methods. The attacker monitors transactions on the chain and then forges malicious addresses based on the opponent’s address in the target user’s historical transactions. Usually the first 4 to 6 digits and the last 4 to 6 digits are related to the correct opponent. The addresses of both parties are the same, and then these malicious forged addresses are used to transfer small amounts or worthless tokens to the target user address.

If the target user copies the opponent’s address from historical transaction orders for transfer in subsequent transactions due to personal habits, it is very likely that the assets will be mistakenly transferred to a malicious address due to carelessness.

On May 3, 2024, 1155WBTC, worth more than 70 million U.S. dollars, was phished due to the pollution phishing method of this address.

Correct address: 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91

Malicious address: 0xd9A1C3788D81257612E2581A6ea0aDa244853a91

Normal transaction:

https://etherscan.io/tx/0xb18ab131d251f7429c56a2ae2b1b75ce104fe9e83315a0c71ccf2b20267683ac

Address pollution:

https://etherscan.io/tx/0x87c6e5d56fea35315ba283de8b6422ad390b6b9d8d399d9b93a9051a3e11bf73

Misdirected transaction:

https://etherscan.io/tx/0x3374abc5a9c766ba709651399b6e6162de97ca986abc23f423a9d893c8f5f570

7. More subtle phishing, using CREATE2 to bypass security detection

At present, various wallets and security plug-ins have gradually implemented visual risk reminders for phishing blacklists and common phishing methods, and have also displayed signature information more and more completely, improving ordinary users’ ability to identify phishing attacks. However, offensive and defensive technologies are always competing against each other and constantly developing. More covert phishing methods are also constantly emerging, so we need to be more vigilant. Using CREATE2 to bypass the blacklist detection of wallets and security plug-ins is a relatively common method recently.

Create2 is an opcode introduced during the Ethereum ‘Constantinople’ upgrade that allows users to create smart contracts on Ethereum. The original Create opcode generates a new address based on the creator’s address and nonce. Create2 allows users to calculate the address before contract deployment. Create2 is a very powerful tool for Ethereum developers, enabling advanced and flexible contract interaction, parameter-based contract address pre-calculation, off-chain transactions and flexible deployment and adaptation of specific distributed applications.

While Create2 brings benefits, it also creates new security risks. Create2 can be abused to generate new addresses with no history of malicious transactions, bypassing wallet blacklist detection and security alerts. When a victim signs a malicious transaction, the attacker can deploy the contract on a pre-computed address and transfer the victim’s assets to that address, and this is an irreversible process.

Features of this attack:

(1) Allows predictive creation of contract addresses, allowing attackers to trick users into granting permissions before deploying the contract.

(2) Since the contract has not yet been deployed at the time of authorization, the attack address is a new address, and the detection tool cannot provide early warning based on the historical blacklist, which has higher concealment.

Here is an example of phishing using CREATE2:

https://etherscan.io/tx/0x83f6bfde97f2fe60d2a4a1f55f9c4ea476c9d87fa0fcd0c1c3592ad6a539ed14

In this transaction, the victim transferred the sfrxETH in the address to the malicious address (0x4D9f77), which is a new contract address without any transaction records.

But when you open the creation transaction of this contract, you can find that the contract completed a phishing attack at the same time as it was created, transferring assets from the victim’s address.

https://etherscan.io/tx/0x77c79f9c865c64f76dc7f9dff978a0b8081dce72cab7c256ac52a764376f8e52

Looking at the execution of this transaction, you can see that 0x4d9f7773deb9cc44b34066f5e36a5ec98ac92d40 was created after calling CREATE2.

In addition, by analyzing the relevant addresses of PinkDrainer, it can be found that this address is creating new contract addresses for phishing through CREATE2 every day.

https://etherscan.io/address/0x5d775caa7a0a56cd2d56a480b0f92e3900fe9722#internaltx

2. Fishing as a Service

Phishing attacks are becoming increasingly rampant, and due to the huge illegal profits, a black industry chain based on Drainer as a Service (DaaS) has gradually developed. The more active ones include Inferno/MS/Angel/Monkey/Venom/Pink/ Pussy/Medusa, etc., phishing attackers purchase these DaaS services, quickly and with low threshold, build thousands of phishing websites, fraudulent accounts, etc., like a scourge rushing into this industry, threatening the security of users’ assets.

Take Inferno Drainer, for example, a notorious phishing gang that embeds malicious scripts on different websites. For example, they spread seaport.js, coinbase.js, and wallet-connect.js to disguise themselves as popular Web3 protocol functions (Seaport, WalletConnect, and Coinbase) to induce users to integrate or click. After receiving user confirmation, they will automatically transfer user assets to to the attacker’s address. More than 14,000 websites containing malicious Seaport scripts, more than 5,500 websites containing malicious WalletConnect scripts, more than 550 websites containing malicious Coinbase scripts, more than 16,000 malicious domains related to Inferno Drainer, and more than 100 crypto brands have been discovered. brand names are affected. The following is a phishing website related to Inferno Drainer.

The head section of the website contains two malicious scripts, seaport.js and wallet-connect.js. Another typical feature of Inferno Drainer phishing websites is that users cannot open the website source code by right-clicking the mouse, which makes these phishing websites more concealed.

Under the Phishing-as-a-Service framework, typically 20% of stolen assets are automatically transferred to Inferno Drainer’s organizer address, with the remaining 80% retained by the phishing perpetrator. In addition, Inferno Drainer regularly provides free services to create and host phishing websites. Sometimes phishing services also require a fee of 30% of the defrauded funds. These phishing websites are for those who can attract victims to visit but lack the ability to create and designed by phishing attackers who either have the technical capabilities to host the website or simply don’t want to perform the task themselves.

So, how does this DaaS scam work? Here’s a step-by-step description of Inferno Drainer’s crypto scam scheme:

(1) Inferno Drainer promotes their service through a Telegram channel called Inferno Multichain Drainer, and sometimes attackers also access the service through Inferno Drainer’s website.

(2) The attacker sets up and generates his own phishing website through the DaaS service function, and spreads it through X (Twitter), Discord and other social media.

(3) Victims are induced to scan QR codes or other methods contained on these phishing websites to connect their wallets.

(4) Drainer checks the victim’s most valuable and easily transferable assets and initiates malicious transactions.

(5) The victim confirmed the transaction.

(6) Assets are transferred to criminals. Of the stolen assets, 20% were transferred to Inferno Drainer developers and 80% to phishing attackers.

Pictured below is the DaaS service page where Inferno Drainer shows customers their statistics: number of connections (if the victim has connected the wallet to the phishing site), successful clicks (if the victim has confirmed the transaction), and the value of the stolen assets.

Each customer of the DaaS service can customize its own Drainer functions:

3. Safety Suggestions

(1) First of all, users must not click on unknown links disguised as good news such as rewards, airdrops, etc.;

(2) Incidents of official social media accounts being stolen are increasing, and official information may also be phishing information, and official information does not mean it is absolutely safe;

(3) When using wallets, DApps and other applications, you must pay attention to screening and beware of counterfeit sites and fake apps;

(4) Any transaction or signature message that requires confirmation needs to be cautious, and try to cross-confirm the target, content and other information. Refuse to sign blindly, stay vigilant, doubt everything, and ensure that every step of the operation is clear and safe.

(5) In addition, users need to understand the common phishing attack methods mentioned in this article and learn to proactively identify phishing characteristics. Master common signatures, authorization functions and their risks, master Interactive (interaction URL), Owner (authorizer address), Spender (authorized party address), Value (authorized number), Nonce (random number), Deadline (expiration time), transfer/transferFrom (transfer) and other field contents.

Disclaimer：

1. This article is reprinted from [Foresightnews]. All copyrights belong to the original author [SharkTeam]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.