5 Cunning Tricks Phishing Scammers Used Last Year: SlowMist

Blockchain security firm SlowMist has highlighted five common phishing techniques used by crypto fraudsters on victims in 2022, including malicious browser bookmarks, fake sales orders and Trojan malware spread on messaging app Discord.

It comes after the security firm recorded a total of 303 blockchain security incidents for the year, with 31.6% of those incidents being caused by identity theft, rug pulls or other fraud, according to a Jan. 9 SlowMist blockchain security report.

Pie chart of attack methods in 2022 in percentage. Source: SlowMist

Malicious browser bookmarks

One phishing strategy uses bookmark managers, a feature in most modern browsers.

SlowMist said scammers were exploiting this to ultimately gain access to the project owner’s Discord account.

“By inserting JavaScript code into tags via these phishing pages, attackers can potentially gain access to Discord user data and take over project owner account permissions,” the company wrote.

After directing victims to add a malicious bookmark via a phishing site, the scammer waits until the victim clicks on the bookmark while logged into Discord, which triggers the embedded JavaScript code and sends the victim’s personal information to the scammer’s Discord channel.

During this process, the scammer can steal the victim’s Discord token (an encrypted form of the Discord username and password) and gain access to their account, allowing them to post fake messages and links to further phishing scams while posing as the victim.

‘Purchase without dollars’ NFT phishing

Of the 56 major NFT security breaches, 22 were the result of phishing attacks, according to SlowMist.

One of the more popular methods used by fraudsters tricks victims into signing over their NFTs for virtually nothing via a fake sell order.

Once the victim signs the order, the fraudster can buy the user’s NFTs through the marketplace at a price they set themselves.

“Unfortunately, it is not possible to deauthorize a stolen signature through sites like Revoke,” SlowMist wrote.

“However, you can deauthorize any previous pending accounts you’ve set up, which can help reduce the risk of phishing attacks and prevent an attacker from using your signature.”

Trojan horse currency theft

According to SlowMist, this type of attack usually occurs via private messages on Discord where the attacker invites victims to participate in testing a new project, then sends the program in the form of a compressed file containing an executable file of about 800 MB.

Once downloaded, the program scans for files containing keywords like “wallet” and uploads them to the attacker’s server.

“The latest version of RedLine Stealer also has the ability to steal cryptocurrency, scan the installed digital currency wallet information on the local computer and upload it to the remote control machine,” SlowMist said.

“In addition to stealing cryptocurrency, RedLine Stealer can also upload and download files, execute commands, and send occasional information about the infected computer.”

An example of a RedLine Stealer in action. Source: SlowMist

‘Blank check’ eth_sign phishing

This phishing attack allows fraudsters to use your private key to sign any transaction they choose. After connecting your wallet to a scam site, a signature submission box may pop up with a red warning from MetaMask.

Once signed, attackers gain access to your signature, allowing them to construct any data and ask you to sign it via eth_sign.

“This type of phishing can be very confusing, especially when it comes to authorization,” the company said.

Same ending number transfer scam

For this scam, attackers send small amounts of tokens, such as 0.01 USDT or 0.001 USDT, to victims, often from a similar address except for the last few digits, hoping to trick users into accidentally copying the wrong address from their transfer history.

An example of an identity theft attempt with the same ending number. Source: SlowMist
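
An added example, not from SlowMist or the original article: a wallet-side check that flags dust transfers whose sender shares leading or trailing characters with an address the user already transacts with. The 4-character match threshold, the 0.01 dust ceiling, the function names and every address below are assumptions constructed for illustration.

```javascript
// Added example: flag dust transfers from look-alike senders in a transfer history.
// All addresses and amounts are constructed sample data, not real accounts.
const KNOWN_ADDRESSES = ['0xA1b2C3d4E5f60718293a4B5c6D7e8F9012345678'];

const SAMPLE_HISTORY = [
  { from: '0xFfEe0011223344556677889900aAbBcCdd345678', token: 'USDT', amount: 0.01 },
  { from: '0xA1b2C3d4990000000000000000000000000000Ff', token: 'USDT', amount: 0.001 },
  { from: '0x1111111111111111111111111111111111111111', token: 'USDT', amount: 0.001 },
  { from: '0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678', token: 'USDT', amount: 250 },
];

// Compare addresses case-insensitively and without the 0x prefix.
const normalize = (addr) => addr.toLowerCase().replace(/^0x/, '');

function sharedPrefixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

function sharedSuffixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}

// Returns one finding per dust transfer whose sender is not a known address
// but shares at least minMatch leading or trailing hex characters with one.
function findLookalikeDust(history, known, { minMatch = 4, dustMax = 0.01 } = {}) {
  const trusted = known.map(normalize);
  const findings = [];
  for (const tx of history) {
    const sender = normalize(tx.from);
    if (trusted.includes(sender) || tx.amount > dustMax) continue;
    for (const t of trusted) {
      const prefix = sharedPrefixLength(sender, t);
      const suffix = sharedSuffixLength(sender, t);
      if (prefix >= minMatch || suffix >= minMatch) {
        findings.push({ from: tx.from, resembles: '0x' + t, prefix, suffix });
        break;
      }
    }
  }
  return findings;
}

console.log(findLookalikeDust(SAMPLE_HISTORY, KNOWN_ADDRESSES));
```

A wallet or block explorer front end could use the findings to hide or label such entries so they are never offered as a copy source for a new transfer.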

The rest of the 2022 report covered other blockchain security incidents of the year, including contract vulnerabilities and private key leaks.

There were approximately 92 attacks exploiting contract vulnerabilities in the year, totaling nearly $1.1 billion in losses due to design flaws in smart contracts and hacked programs.

On the other hand, private key theft was responsible for approximately 6.6% of attacks and resulted in at least $762 million in losses, the most prominent examples being the Ronin bridge and Harmony’s Horizon Bridge hacks.