
Foreword
On June 5, 2022 (Beijing time), Zhichuangyu Blockchain Security Lab detected that the Discord community of the well-known NFT project Bored Ape Yacht Club (BAYC) had suffered yet another phishing attack, causing a loss of about 200 ETH. Earlier, on April Fool's Day, the singer Jay Chou fell victim to a phishing attack that let the attacker transfer the Bored Ape NFT out of his wallet.
In recent years we have seen phishing incidents occur frequently in the web3 world, causing heavy losses to project teams and users alike. This article looks at what phishing is and how to guard against it.
What is phishing?
Phishing is essentially a form of social engineering. Attackers rely on it more and more because tricking a person is easier and cheaper than breaking into an organization's network.
It also exploits human weaknesses: the message discloses something that touches the victim's immediate interests and catches them in a moment of panic, so that they act rashly and their judgement is short-circuited long enough for the attack to succeed.
Phishing attack methods
The essence of phishing is deception. The following are the phishing methods most commonly seen in the blockchain world.
Clone attacks
The attacker builds a clone of the project's official website, with a similar name, domain name and front-end page, so that users find it extremely hard to tell the fake from the real one. The attacker then promotes the project online, luring users to the cloned address to log in to their accounts, steals the victims' login credentials, private keys and so on, and transfers the assets out of those accounts.
Social phishing
With the spread of social software, social phishing has become very common, especially on the platforms project teams rely on, such as Twitter, Facebook, Discord and Telegram. Attackers take over the accounts of well-known figures and use them to publish posts containing phishing links, or they set up cloned accounts of well-known figures and communities and post fake airdrops, pre-sales and similar offers from them. The names of these cloned accounts are close enough to the project's real name to pass as genuine.
Fake Blockchain Applications
As blockchain networks have developed, all kinds of blockchain applications have appeared, wallets being the ones we use most. Attackers publish malicious blockchain applications that carry a hidden background program. Once a user downloads and installs such an application and logs in to an account in it, the background program records the account's private key and password and sends them to the attacker.
How to Protect Against Phishing
With phishing attacks this rampant, how can we prevent them? Since the core of phishing is deception, the first line of defence is the user: as ordinary Internet users we should learn how to recognize phishing attempts, and as project teams we should actively remind users to beware of them.
Be wary of unexpected messages
Be wary of unexpected messages that appear to come from official accounts, tell you there is a problem with your account, and urge you to click the provided link to verify your login; likewise messages declaring that you have won a prize and must log in on the website given in the message to claim it.
Be careful clicking on links
The phishing messages we receive usually contain a phishing link. It is typically a generated short link or a counterfeit of the official website's link that looks very much like the real one; comparing it carefully with the official website address is enough to find the telltale differences.
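The comparison described above can be automated. The following is an added example written for this article, not code from the original post or from FishAlert, that screens a received link against a constructed allow-list of official domains (boredapeyachtclub.com and opensea.io are assumed here to be the genuine hosts) and flags the tricks the post mentions: shortened links, look-alike hosts built from confusable characters or punycode, typosquats within two edits, and an official name embedded in some other domain. The shortener list and the confusables table are small hand-picked subsets for illustration.

```python
"""Added example (not from the original post): screen a received link against a
project's official domains and report why it looks suspicious."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real check would load the
# project's published domains (assumption: these are the genuine hosts).
OFFICIAL_DOMAINS = {"boredapeyachtclub.com", "opensea.io"}

# Constructed list of URL shorteners; a short link hides its real destination.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}

# Hand-picked subset of Unicode confusables (Cyrillic a, e, o, p, c, i and two
# digit look-alikes) mapped to the ASCII character they imitate.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "0": "o", "1": "l"}


def normalize_host(host: str) -> str:
    """Lower-case the host and decode punycode (xn--) labels back to Unicode."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw label; it will not match an official domain anyway
        labels.append(label)
    return ".".join(labels)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .com/.io hosts used here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(name: str) -> str:
    """Fold confusables so a host spelled with a Cyrillic 'o' compares equal to the ASCII one."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'official', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    if not parts.scheme:                      # bare 'host/path' form
        parts = urlsplit("https://" + url)
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    if not parts.hostname:
        return "suspicious", "link has no host"
    host = normalize_host(parts.hostname)
    base = registrable_domain(host)

    if base in OFFICIAL_DOMAINS:
        return "official", f"{host} belongs to {base}"
    if "@" in parts.netloc:                   # https://official.com@evil.example/
        return "suspicious", f"text before '@' is a decoy; the real host is {host}"
    if base in SHORTENER_HOSTS:
        return "suspicious", f"shortened link via {base} hides the destination"
    for official in OFFICIAL_DOMAINS:
        name = official.split(".")[0]         # e.g. 'boredapeyachtclub'
        if skeleton(base) == official:
            return "suspicious", f"look-alike characters imitate {official}"
        if name in host:
            return "suspicious", f"official name '{name}' used inside non-official domain {base}"
        if edit_distance(skeleton(base), official) <= 2:
            return "suspicious", f"typosquat within two edits of {official}"
    return "unknown", f"{base} is not a known official domain; confirm it through an official channel"


if __name__ == "__main__":
    for link in ("https://boredapeyachtclub.com/mint", "https://bit.ly/3xyz",
                 "https://boredapeyachtclub.com.verify-login.net/",
                 "https://b\u043eredapeyachtclub.com/", "https://boredapeyachclub.com/",
                 "https://opensea-mint.com/"):
        print(link, "->", *check_link(link))
```

The check deliberately treats a subdomain of an official domain as official but an official name appearing anywhere else in the host as suspicious, because `boredapeyachtclub.com.verify-login.net` is registered under `verify-login.net`, not under the project. An "unknown" verdict is not a pass: the link simply is not one the allow-list knows, and should be confirmed through an official channel.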
Carefully check transaction information
Be wary of any operation involving your assets; the ultimate goal of a phishing attack is to obtain them. Phishing messages create a sense of panic, claiming that the victim's assets are at risk and must be moved immediately, and then ask the victim to transfer the assets to a "safe" account or to authorize a transaction request.
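The transaction request a phishing site asks the wallet to sign can be inspected before it is approved. The following is an added example written for this article, not code from the original post or from any wallet, that decodes the 4-byte function selector and ABI-encoded arguments of the common ERC-20/ERC-721 calls and flags the ones that hand control of assets to another address. The selectors are the standard ones for those signatures; the wallet, marketplace, NFT contract and attacker addresses in the usage block are constructed placeholders, and the "trusted" set stands in for addresses the user has verified out of band.

```python
"""Added example (not from the original post): assess an eth_sendTransaction-style
request {to, value, data} before signing it."""

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}
UINT256_MAX = (1 << 256) - 1
RISK_ORDER = ("low", "medium", "high")


def encode_call(selector: str, *words: int) -> str:
    """ABI-encode a call as hex: selector followed by 32-byte big-endian words."""
    return "0x" + selector + "".join(f"{w:064x}" for w in words)


def word(data: bytes, index: int) -> int:
    """Read the index-th 32-byte argument word after the selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return int.from_bytes(chunk, "big")


def address(data: bytes, index: int) -> str:
    """Read an address argument (low 160 bits of the word) as 0x-prefixed hex."""
    return f"0x{word(data, index) & ((1 << 160) - 1):040x}"


def escalate(current: str, new: str) -> str:
    """Raise the risk level, never lower it."""
    return new if RISK_ORDER.index(new) > RISK_ORDER.index(current) else current


def analyze_request(tx: dict, wallet: str, trusted: set) -> dict:
    """Return risk level, decoded call and findings for a transaction request.

    wallet is the user's own address; trusted holds addresses the user has
    verified (e.g. a marketplace contract). Anything else is treated as unknown.
    """
    wallet = wallet.lower()
    trusted = {t.lower() for t in trusted}
    to = (tx.get("to") or "").lower()
    value = int(tx.get("value") or "0x0", 16)
    raw = tx.get("data") or "0x"
    data = bytes.fromhex(raw[2:] if raw.startswith("0x") else raw)
    selector = data[:4].hex() if len(data) >= 4 else None
    sig = SELECTORS.get(selector) if selector else None
    risk, findings = "low", []

    if value > 0 and to not in trusted:
        findings.append(f"sends {value} wei to unverified address {to}")
        risk = escalate(risk, "medium")

    if sig == "setApprovalForAll(address,bool)":
        operator, approved = address(data, 0), word(data, 1) != 0
        if approved and operator not in trusted:
            findings.append(f"grants {operator} the right to move every NFT you hold in {to}")
            risk = escalate(risk, "high")
    elif sig == "approve(address,uint256)":
        spender, amount = address(data, 0), word(data, 1)
        if spender not in trusted:
            unlimited = amount == UINT256_MAX
            findings.append(f"lets {spender} spend {'unlimited' if unlimited else amount} of token {to}")
            risk = escalate(risk, "high" if unlimited else "medium")
    elif sig == "transfer(address,uint256)":
        recipient = address(data, 0)
        if recipient not in trusted:
            findings.append(f"moves {word(data, 1)} tokens to {recipient}")
            risk = escalate(risk, "high")
    elif sig in ("transferFrom(address,address,uint256)",
                 "safeTransferFrom(address,address,uint256)"):
        recipient = address(data, 1)
        if recipient != wallet and recipient not in trusted:
            findings.append(f"moves token {word(data, 2)} to {recipient}, not back to your wallet")
            risk = escalate(risk, "high")
    elif selector and sig is None and to not in trusted:
        findings.append(f"unrecognised selector 0x{selector} on {to}; decode it before signing")
        risk = escalate(risk, "medium")

    return {"risk": risk, "call": sig, "findings": findings}


if __name__ == "__main__":
    # Constructed placeholder addresses for the demonstration.
    WALLET, ATTACKER = "0x" + "11" * 20, "0x" + "ab" * 20
    MARKET, NFT = "0x" + "22" * 20, "0x" + "33" * 20
    request = {"to": NFT, "value": "0x0",
               "data": encode_call("a22cb465", int(ATTACKER, 16), 1)}
    print(analyze_request(request, WALLET, {MARKET}))
```

The first case in the usage block is the pattern behind the Discord incident described in the foreword: a "mint" page that actually asks for `setApprovalForAll(operator, true)`, which transfers nothing by itself but lets the operator move every NFT of that collection afterwards. A wallet prompt for such a call from a site reached through an unexpected link is the moment to stop.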
Protect Sensitive Information
Be wary of requests for account passwords, mnemonic phrases and private keys. Phishing attacks casually ask victims to enter such sensitive information on phishing websites, and victims are easily misled because the site looks so much like the official one.
When we visit a phishing link, the FishAlert plug-in automatically pops up a risk warning window. When we visit an unfamiliar link, we can also open the plug-in manually to check the website.
Security advice
According to statistics, asset losses caused by phishing attacks on blockchain networks exceeded 6.4 billion US dollars in 2021. Protecting users' assets is the shared responsibility of every project team and indeed every member of the web3 world. Tools that defend against phishing attacks help, but each of us should also raise our own awareness and resist phishing together. Zhichuangyu Blockchain Security Lab offers the following security suggestions:
Be vigilant about asset transfer and transaction authorization requests.
Check the network environment before entering a password or private key, and carefully confirm the official website address.