- Recently, scammers used Google ads to direct victims to a phishing website or a fake website designed to look like the original one.
- A crypto exchange lost $55 million last year after a developer clicked on a phishing attachment.
Web3, a decentralized online ecosystem based on the blockchain, has been a topic of interest among crypto enthusiasts, tech experts, and many other individuals. Its early applications, including cryptocurrencies and Non-Fungible Tokens (NFTs), have already been exploited by cybercriminals, with $14 billion worth of crypto stolen in 2021. Even though blockchain is hailed as one of the most secure technologies on the internet, scammers and other threat actors always find a way, enticing targets to click on a malicious link. Before enthusiasts get excited about Web3, they should first familiarize themselves with some of the successful phishing scams launched recently.
Seed phrase phishing
Seed phrases are keys that unlock access to crypto accounts. Since these phrases are secret keys, threat actors typically try to deceive victims into exposing them. Recently, scammers used Google ads to direct victims to a phishing website or a fake website designed to look like the original one. Victims were then asked to enter their recovery phrase as part of the account registration or recovery process. The phrases were, as expected, exposed and then used to access the victims' accounts and transfer all their funds.
Airdrops are very active marketing or promotional tools used by organizations to get more people involved in their products or brands. Malicious actors have also adopted this kind of campaign, using it as a gateway to victims' accounts. Scammers used this method to steal collectibles worth hundreds of thousands of dollars on the NFT marketplace OpenSea last year.
Attackers do this by sending airdrop messages through emails, social media, or SMS to targets informing them that some tokens have been added to their accounts. They then direct them to an exchange and ask them to link their crypto wallets to claim their airdrops. After this is done, the scammers steal all the funds from their accounts.
This is a Web3 clickjacking technique that tricks targets into approving the transfer of their tokens to the scammers. Microsoft explains that, because of the smart contract interface, users have difficulty realizing that their transactions have been tampered with. The scammers change the spender's address to their own address and wait for the target to approve the transaction. To launch this campaign, they inject a malicious script into the smart contract front end to modify the smart contract UI. Last year, this method was used to steal $120 million from BadgerDAO exchange.
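The following is an added example, not code from the original article or from Microsoft. It shows a check that can run before a transaction is signed: it decodes token-approval calldata and compares the encoded spender with the address the user expects, which is the field a tampered front end changes. The function names `decodeApproval` and `reviewApproval` are hypothetical, and the addresses are constructed placeholders.

```javascript
// Selectors of the standard token-approval functions (first 4 bytes of calldata).
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode approval calldata; returns null when the call is not an approval.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return null;
  // Selector (8 hex chars) followed by two 32-byte ABI words (64 hex chars each).
  if (hex.length !== 136 || /[^0-9a-f]/.test(hex)) {
    throw new Error("malformed approval calldata");
  }
  const spenderWord = hex.slice(8, 72);
  // An ABI-encoded address occupies the low 20 bytes; the top 12 must be zero.
  if (!spenderWord.startsWith("0".repeat(24))) {
    throw new Error("spender word is not a clean address");
  }
  return { fn, spender: "0x" + spenderWord.slice(24), value: BigInt("0x" + hex.slice(72)) };
}

// Compare the spender encoded in the transaction with the ones the user expects.
function reviewApproval(calldata, expectedSpenders) {
  const call = decodeApproval(calldata);
  if (call === null) return { verdict: "not-an-approval", findings: [] };
  const findings = [];
  if (!expectedSpenders.map((a) => a.toLowerCase()).includes(call.spender)) {
    findings.push("unexpected-spender");
  }
  if (call.fn.startsWith("setApprovalForAll")) {
    if (call.value !== 0n) findings.push("operator-for-all-tokens");
  } else if (call.value === MAX_UINT256) {
    findings.push("unlimited-allowance");
  }
  const verdict = findings.includes("unexpected-spender") ? "block"
    : findings.length > 0 ? "warn" : "ok";
  return { verdict, spender: call.spender, findings };
}

// Constructed sample data (placeholder addresses, not real contracts).
const EXPECTED = "0x1111111111111111111111111111111111111111";
const SWAPPED = "0x2222222222222222222222222222222222222222";
const encode = (sel, addr, word) => "0x" + sel + addr.slice(2).padStart(64, "0") + word;
const tampered = encode("095ea7b3", SWAPPED, "f".repeat(64));
console.log(reviewApproval(tampered, [EXPECTED]));
```

The check only helps when the expected spender comes from a source the compromised front end cannot alter, such as the protocol's published contract addresses.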
Fraudulent emails, websites, and social media accounts
Scammers are also known for creating fake URLs for emails, social media accounts, and websites to steal millions from people. They usually embed these malicious links in attachments promoting get-rich-quick and pump-and-dump schemes. One example is a leading crypto exchange that lost $55 million last year after a developer clicked on a phishing attachment.
It is important to note that no matter how secure Web3 is, scammers will always find a way. Fortunately, people can prevent this by not clicking on just any link they come across.