A Web3 social engineering attack manipulates users into divulging confidential information such as account names and passwords, or into granting authorizations, so that attackers can transfer the users’ cryptocurrency and NFT assets, thereby jeopardizing the security and privacy of the Web3 network. In the following, we introduce six types of social engineering attacks and provide specific prevention suggestions.
Discord has emerged as a thriving hub for crypto users, fostering community connections and news sharing. However, its popularity does not make it immune to potential threats. In this dynamic space, malicious actors can stealthily distribute suspicious links aimed at stealing your valuable account credentials.
In the Discord communities, you may come across messages claiming that you have won a prize, but they are actually disguised phishing links.
Clicking the link will take you to a Discord-like website and prompt for authorization.
After clicking Authorize, another Discord login window will pop up.
First, we cannot drag this login window outside the current browser window.
Secondly, there are some suspicious signs in the displayed address. The address “https:\discord.com\login” uses backslashes (\) as separators, while the official login address “https://discord.com/login” uses forward slashes (/).
The window page looks very similar to the legitimate Discord login window, with very few differences. The official login window picture is as follows:
Once the user enters their account username and password on the phishing page, their personal account will be immediately leaked and sensitive information will be exposed. Fraudsters can then use this information to gain unauthorized access to user accounts and engage in fraudulent activity.
You can check the source code of the web page through the browser developer mode.
In the above phishing process, after clicking Authorize, the fake Discord login window that pops up is not actually a new window, but an embedded interface. How can you discover this?
Press the F12 key to enter the browser’s developer mode. In the Elements tab, you can view the HTML and CSS code of the current web page. For the part of the page that you suspect, such as this pop-up Discord login window, you can click on that section with the mouse, and usually, you can find the corresponding code in the Elements panel.
Checking the page source code, we found that this is an <img> tag, used to insert an image into the web page, and src is used to specify the path of the image.
Enter the developer mode of the browser from the official Discord login window, as shown in the figure below:
Therefore, when we find an anomaly, we can press F12 to enter the developer mode of the browser and view the page source code to determine whether our suspicion is correct. Especially when you click on unfamiliar links to claim rewards, you should approach every step with suspicion and caution.
On Twitter (now X), the popular platform for cryptocurrency enthusiasts, a major threat has emerged - phishing. Bad actors cleverly manipulate users with enticing airdrops and free NFTs. By redirecting them to deceptive websites, these attackers meticulously plan the loss of cryptocurrency and valuable NFT assets.
Airdrops and free NFTs are areas of great interest to many. Scammers take advantage of hijacked verified Twitter accounts to launch campaigns and redirect users to phishing websites.
Scammers use assets from legitimate NFT projects to create phishing websites.
They leverage popular services like Linktree to redirect users to fake pages that mimic NFT marketplaces such as OpenSea and Magic Eden.
Attackers will try to convince users to connect their cryptocurrency wallets (such as MetaMask or Phantom) to phishing websites. Unsuspecting users may unknowingly grant these phishing websites access to their wallets. Through this process, scammers can transfer cryptocurrencies such as Ethereum ($ETH) or Solana ($SOL), as well as any NFTs held in these wallets.
When users add relevant links in Linktree or other similar services, they need to verify the domain name of the link. Before clicking on any link, check that the linked domain name matches the real NFT marketplace domain name. Scammers may use similar domain names to imitate real markets. For example, the real market might be opensea.io, while the fake market might be openseea.io or opensea.com.co, etc.
Therefore, it is best for users to choose to manually add links. Below are the steps for manually adding a link:
First, find the official website address you want to link to, https://opensea.io/, and copy the URL.
Click “Add Link” in Linktree, enter the URL you just copied, and click the “Add” button.
After the link is added successfully, you can see “Opensea” on the right. Click “Opensea” to be redirected to the official Opensea website.
Here, we will explain how attackers construct their phishing website domains to impersonate the official OpenAI website and deceive users into connecting to their own cryptocurrency wallet, resulting in the loss of cryptocurrencies or NFTs.
Scammers send phishing emails and links with subject lines such as “Don’t miss the limited-time OpenAI DEFI token airdrop.” The phishing email claims that GPT-4 is now only available to those who own OpenAI tokens.
After clicking the “Start” button, you will be redirected to the phishing website, openai.com-token.info.
Connect your wallet to a phishing website.
Users are enticed to click on a “Click here to claim” button, and upon clicking, they can choose to connect using popular cryptocurrency wallets such as MetaMask or WalletConnect.
After the connection is established, phishing websites are able to automatically transfer all cryptocurrency tokens or NFT assets from the user’s wallet to the attacker’s wallet, thereby stealing all the assets in the wallet.
If you know how to identify domain names in URLs, you will be able to effectively avoid web spoofing/phishing. Below, the key components of a domain name are explained.
Commonly visited websites generally use either second-level or third-level domain names.
Consider the phishing website above, openai.com-token.info.
Obviously, this phishing website is pretending to be OpenAI, and the official domain name of OpenAI is openai.com.
How did this phishing website pretend to be OpenAI? The attacker made the first half of the phishing URL look like “openai.com” by using the subdomain “openai” and the main domain “.com-token”, where “com-token” uses hyphens.
Telegram phishing is a notable cybersecurity issue. In these attacks, the malicious actors aim to take control of users’ web browsers to obtain critical account credentials. To illustrate this point more clearly, let’s take a step-by-step look at an example.
Scammers send private messages to users on Telegram, containing a link to the latest “Avatar 2” movie, and the address appears to be straightforward.
Once you open the link, you’ll arrive at a page that looks like a real link to the movie, and you can even watch the video. However, by this time, the hacker has gained control of the user’s browser.
From a hacker’s perspective, let’s take a look at how they exploit browser vulnerabilities using exploit tools to take control of your browser.
After examining the hackers’ control panel, it became clear that they had access to all information about the browsing users. This includes the user’s IP address, cookies, proxy time zone, etc.
Hackers have the ability to switch to the Google Mail phishing interface and conduct phishing attacks on Gmail users.
At this point, the front-end interface changes to the Google Mail login page. The user enters their account credentials and clicks the login button.
In the background, the hackers successfully receive the login username and password. By using this method, they maliciously obtain users’ account and password information, ultimately leading to the leakage of user information and causing financial losses.
You can enter the browser developer mode and check whether there are remotely loaded JavaScript scripts in the source code of the web page. Such a script is the key for the attacker to control the user’s browser. How can you determine if there is such a phishing script in the link you clicked?
In the phishing process mentioned above, when you enter the link for the movie “Avatar 2,” you can press the F12 key to enter the browser’s developer mode and discover that the link points to a remotely loaded JavaScript script. Hackers can control the browser remotely by executing the script, thus obtaining the user’s account and password.
While watching the “Avatar 2” movie on a regular website, we entered the developer mode of the browser and did not find any JavaScript scripts pointing to remote loading.
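The same check can be scripted against a saved copy of the page. The following is an added example, not code from the original article: it lists every `<script src>` that loads from a different origin than the page and notes why each one deserves a closer look. The page URL, the trusted-host list and the sample HTML are constructed for illustration.

```javascript
// Added example (not from the original article): report <script src> tags
// that load code from an origin other than the page's own.
// Heuristic tag scan; for a live page the Elements/Network panels are authoritative.
function externalScripts(html, pageUrl, trustedHosts = []) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!srcMatch) continue; // inline script, nothing is fetched remotely
    const raw = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    let src;
    try {
      src = new URL(raw, page); // resolves relative and protocol-relative URLs
    } catch {
      findings.push({ src: raw, reasons: ["unparseable"] });
      continue;
    }
    if (src.origin === page.origin) continue;          // same-origin script
    if (trustedHosts.includes(src.hostname)) continue;  // expected third party
    const reasons = ["cross-origin"];
    if (src.protocol !== "https:") reasons.push("not-https");
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(src.hostname)) reasons.push("ip-literal-host");
    if (!/\bintegrity\s*=/i.test(attrs)) reasons.push("no-sri");
    findings.push({ src: src.href, reasons });
  }
  return findings;
}

// Constructed sample page: one same-origin script, one trusted CDN script,
// and one script pulled from a bare IP address over plain HTTP.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/player.js"></script>
  <script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
  <script src="http://203.0.113.7:3000/remote.js"></script>
</head><body><video src="/movie.mp4"></video></body></html>`;

function scanSample() {
  return externalScripts(SAMPLE_HTML, "https://movies.example/watch", ["cdn.example.net"]);
}

console.log(scanSample());
```
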
Here, taking the Metamask plugin as an example, we will explain how attackers can steal users’ wallet private keys using this plugin.
The attacker obtains the target user’s contact information, such as email address or social media account. Attackers pretend to be trusted entities, such as the official Metamask team or partners, and send phishing emails or social media messages to target users. Users receive an email impersonating MetaMask, asking to verify their wallet:
When the user clicks on “Verify your wallet,” they will be directed to the following page. This page claims to be the official website or login page of Metamask. During actual phishing attacks, we have identified two different phishing pages. The first one directly asks users to enter their private key, while the second one asks for the user’s recovery phrase. Both of these are designed to obtain the user’s Metamask key.
The attacker obtains the victim’s private key or recovery phrase and can use this information to access and control the target user’s Metamask wallet and profit by transferring or stealing the target user’s cryptocurrency.
If you need to install the Metamask extension on Chrome, the official link is https://metamask.io/
A phishing link is https://metamaskpro.metamaskglobal.top/#/, please be cautious and verify its authenticity.
When you receive an email that appears to be Metamask, you need to pay attention to the information of the sender and recipient:
The sender’s name and email address have serious spelling errors: “Metamaks” instead of “MetaMask”.
The recipient field does not include your real name, any other information that identifies you, or a clear description of what needs to be done. This suggests that the email may have been sent in bulk and not just to you.
Secondly, you can also check the authenticity of these links by domain name:
Click “Verify your wallet” to enter the phishing webpage, metamask.authorize-web.org. Analyze this domain name:
If you know the official domain name of MetaMask, metamask.io, you will easily see that you are being targeted by a phishing attack:
The phishing site’s domain name, metamask.authorize-web.org, has an SSL certificate, which tricks users into thinking it’s a safe place to trade. But note that “metamask” appears here only as a subdomain under the registered domain.
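The domain checks described for openai.com-token.info and metamask.authorize-web.org can be automated. The following is an added example, not code from the original article: it extracts the registered domain from a URL and compares it with the official domains named on this page. The `SUFFIXES` set is a small constructed subset of the Public Suffix List that covers only the domains mentioned here; a real tool should load the full list.

```javascript
// Added example (not from the original article).
// Assumption: SUFFIXES is a tiny stand-in for the full Public Suffix List.
const SUFFIXES = new Set(["com", "io", "org", "info", "top", "com.co"]);

// Official registered domains as given in the article.
const OFFICIAL = {
  openai: "openai.com",
  metamask: "metamask.io",
  opensea: "opensea.io",
  discord: "discord.com",
};

function hostOf(input) {
  const url = new URL(input.includes("://") ? input : "https://" + input);
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// Registered domain = longest known public suffix plus one label to its left.
function registrableDomain(input) {
  const labels = hostOf(input).split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in our constructed list
}

// Levenshtein distance, used to catch one-character lookalikes.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

function classify(input) {
  const host = hostOf(input);
  const registrable = registrableDomain(input);
  if (Object.values(OFFICIAL).includes(registrable)) {
    return { registrable, verdict: "official" };
  }
  // Brand name used as a subdomain or inside a different registered domain.
  for (const brand of Object.keys(OFFICIAL)) {
    if (host.includes(brand)) return { registrable, verdict: "brand-in-wrong-domain", brand };
  }
  // Registered name that is one edit away from a brand, e.g. a doubled letter.
  const first = (registrable || host).split(".")[0];
  for (const brand of Object.keys(OFFICIAL)) {
    if (editDistance(first, brand) <= 1) return { registrable, verdict: "lookalike", brand };
  }
  return { registrable, verdict: "unrelated" };
}

// Domains quoted in the article.
for (const d of ["openai.com-token.info", "metamask.authorize-web.org",
                 "openseea.io", "opensea.com.co", "https://opensea.io/"]) {
  console.log(d, classify(d));
}
```
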
A VPN is an encryption technology used to protect the identity and traffic of Internet users. It encrypts and transmits user data by establishing a secure tunnel between the user and the Internet, making it difficult for third parties to invade and steal data. However, many VPNs are phishing VPNs, such as PandaVPN, letsvpn, and LightyearVPN to name a few. Phishing VPNs typically leak the user’s IP address.
When you connect using a VPN, your device sends a DNS request to the VPN server to get the IP address of the website you want to visit. Ideally, a VPN should handle these DNS requests and send them through the VPN tunnel to the VPN server, thus hiding your true IP address. If you are using a phishing VPN, a DNS leak can occur and your real IP address may be recorded in DNS query logs, making your online activities and access records traceable. This can destroy your privacy and anonymity, especially if you are trying to hide your real IP address.
When you use a VPN to surf the Internet, you can test whether the VPN is leaking your IP address through the ipleak.net or ip8.com websites. These websites can only display your public IP address, which is the IP address assigned to your Internet connection. If you are using a VPN service, these websites will display the IP address of the VPN server you are connected to, rather than your real IP address. This can help you verify whether the VPN is successfully hiding your real IP address.
You can check if your IP address has been compromised by following the instructions below:
Open your browser and visit ipleak.net, which will display your current IP address. As shown in the image below, your IP address appears as 114.45.209.20. The site also notes, “If you are using a proxy, it’s a transparent proxy.” This indicates that your IP address has not been leaked and that your VPN connection is successfully hiding your real IP address.
At this time, you can also query your real IP address through the ipconfig /all command line. If the IP address queried here is inconsistent with the IP address queried through ipleak.net, it means that your IP address is indeed hidden. If they match, your IP address is exposed. As shown in the figure below, the real IP address of the machine queried through ipconfig /all is 192.168.., which is inconsistent with 114.45.209.20 shown in the figure above, and the IP address is not leaked.
In summary, we have introduced six Web3 social engineering attacks in detail and provided corresponding identification and prevention measures. To effectively avoid Web3 social engineering attacks, you need to be more vigilant about unfamiliar links, emails, and messages from social platforms. In addition, we also recommend that you learn how to check the source code of web pages in the developer mode of the browser, how to identify real and fake domain names, how to self-check whether the IP address is leaked, and analyze the security risks involved. If you have any other questions about Web3 security or smart contract auditing, please feel free to contact us. A member of our team will get back to you and assist you as soon as possible.