Posts

More Sites Taken Down

Last week I received responses from NameSilo confirming they took action on the following domains:

    zerions[.]info
    zerions[.]com
    guildofguardians[.]org
    guildsofguardians[.]me
    guildofguardians[.]top

I'm very impressed with NameSilo's response time; they've been very cooperative. If anyone from NameSilo happens to read this article, thank you so much!

I still have several domains hosted on the same servers to work my way through. It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging. I'm hoping to get through reporting the rest of the domains soon.

A bit of a short update, but last week was a bit crazy. I'll write up a more comprehensive update this week.

Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.

Down MetaMask Impersonation Rabbit Hole

It's Friday night. I should be doing something else. I have a VR headset literally two feet away from me collecting dust, and what am I doing? I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique.

I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc

At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find additional look-a-like domains, and after adding the TLD swap option I uncovered even more. I noticed a pattern, though: two IP addresses kept coming up in connection with this particular MetaMask impersonation:

    5.61.58.93
    45.136.50.34

If you want to know everything hosted on a particular server you can leverage tools like VirusTotal. In some cases you'll come across IP addresses used by shared hosting providers, in other words y

These Guys Won't Give Up!

Found another site similar to the ones I reported earlier this week to NameSilo. It uses the same technique as the others, impersonating the official Guild of Guardians website quite closely, but the "connect" button takes you to a pop-up that looks like MetaMask and asks for your secret phrase.

This one was registered recently, on the 5th of May 2022, which leads me to believe this group of scammers is quite active. Would love to get some wallet addresses for these guys... do I dare fund a wallet and give up my seed phrase just to see where the funds go when they load up the wallet?

The site has already been reported, so here's hoping NameSilo takes this one down before it does too much damage. I've got at least one more post in me tonight or tomorrow to continue my thread on dnstwist; I just wanted to get this one recorded while it was fresh in my mind.

Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email repo

Investigating More Look-a-Like Domains

Scammers often use look-a-like domains in their phishing attacks, and so far in this blog I've looked at several websites impersonating the Guild of Guardians website. Here I'll show you how to use a tool like dnstwist to generate a list of domain names and look for ones that are potentially hosting phishing sites. This is part of scam hunting, as opposed to waiting for scams to be reported. Many companies offer this service under the name "brand monitoring", and a number of them base their techniques on the dnstwist tool.

You can find dnstwist, and instructions for installing it, on the GitHub page: https://github.com/elceef/dnstwist

Since I'm on a Mac I used brew install. Running the tool is very straightforward. To start, I just ran it with the --registered argument to output any domain variations the tool found with a .com TLD:

    % dnstwist --registered guildofguardians.com

The tool checked 27987 variations, and out of those it found 20 with DNS reco
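The two hunting steps described in this post and in the MetaMask post above (generate look-a-like candidates, see which resolve, then pivot on the hosting IPs that keep coming up) can be reproduced in a few dozen lines. The script below is an added example written for this page; it is not dnstwist's code and not the author's, and it implements only a subset of dnstwist's fuzzers (omission, repetition, transposition, hyphenation, adjacent-key replacement and insertion, vowel swap, TLD swap). DNS resolution is injected as a callable so the demo runs offline against a constructed lookup table; the domain names in that table mirror the ones reported on this page, but the IP addresses are RFC 5737 documentation addresses, not the servers the posts mention. The `live_resolver` helper and the `TLDS` list are assumptions of this example, not dnstwist options.

```python
"""Look-a-like domain hunting in the dnstwist style (added example, not dnstwist itself).

Generate typo and TLD permutations of a brand domain, resolve them through an
injected resolver, and cluster the live ones by hosting IP so that a server
hosting several look-a-likes stands out as a pivot point for further reporting.
"""
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Set

# Adjacent keys on a QWERTY keyboard, used for replacement and insertion typos.
QWERTY = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "wedxza",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
VOWELS = "aeiou"
# TLDs tried by the tld-swap fuzzer (assumed list; dnstwist reads its own dictionary file).
TLDS = ["com", "net", "org", "io", "co", "cc", "me", "top", "info", "xyz"]

Resolver = Callable[[str], List[str]]


def split_domain(domain: str):
    """'guildofguardians.com' -> ('guildofguardians', 'com'); assumes no subdomain."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def permutations(domain: str) -> Set[str]:
    """Return the set of candidate look-a-like domains (the original itself excluded)."""
    name, tld = split_domain(domain)
    out: Set[str] = set()

    def add(label: str, t: str = tld) -> None:
        cand = f"{label}.{t}"
        if cand != domain.lower():
            out.add(cand)

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:])                      # omission:      guildofguardian
        add(name[:i] + ch + name[i:])                     # repetition:    guildoffguardians
        if i < len(name) - 1:                             # transposition: guildofgaurdians
            add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if i > 0:                                         # hyphenation:   guild-ofguardians
            add(name[:i] + "-" + name[i:])
        for near in QWERTY.get(ch, ""):
            add(name[:i] + near + name[i + 1:])           # replacement:   guildofguardiams
            add(name[:i] + near + name[i:])               # insertion:     guildofguardianes
            add(name[:i] + ch + near + name[i + 1:])
        if ch in VOWELS:
            for v in VOWELS.replace(ch, ""):
                add(name[:i] + v + name[i + 1:])          # vowel swap:    guildofguardiens
    for t in TLDS:
        add(name, t)                                      # tld swap:      guildofguardians.cc
    return out


def find_registered(domain: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Resolve every permutation; return {candidate: sorted IPs} for those that resolve."""
    hits: Dict[str, List[str]] = {}
    for cand in sorted(permutations(domain)):
        ips = resolve(cand)
        if ips:
            hits[cand] = sorted(ips)
    return hits


def cluster_by_ip(hits: Dict[str, List[str]], min_domains: int = 2) -> Dict[str, List[str]]:
    """Invert {domain: ips} to {ip: domains}, keeping IPs that host at least min_domains
    look-a-likes.  Those are the pivot points worth checking against passive DNS data
    (e.g. VirusTotal) before concluding they are a scammer's server rather than shared hosting."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for dom, ips in hits.items():
        for ip in ips:
            by_ip[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def live_resolver(domain: str) -> List[str]:
    """Stdlib A-record lookup for real hunting; not used by the offline demo below."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed DNS table standing in for real lookups so the example runs offline.
# Names mirror the scam domains reported on this page; IPs are documentation addresses.
FAKE_DNS: Dict[str, List[str]] = {
    "guildofguardianes.com": ["203.0.113.10"],
    "guildofguardians.net": ["203.0.113.10"],
    "guildofguardians.cc": ["203.0.113.10"],
    "guildofguardian.net": ["203.0.113.10"],   # two edits at once: NOT generated (see note)
    "guildofguardians.org": ["198.51.100.7"],
    "example.com": ["192.0.2.1"],              # resolves, but is never a candidate
}


def fake_resolver(domain: str) -> List[str]:
    return FAKE_DNS.get(domain, [])


if __name__ == "__main__":
    found = find_registered("guildofguardians.com", fake_resolver)
    for dom, ips in found.items():
        print(f"{dom:<26} {', '.join(ips)}")
    for ip, doms in cluster_by_ip(found).items():
        print(f"pivot {ip}: {len(doms)} look-a-likes -> {', '.join(doms)}")
```

Two things the run makes visible. First, `guildofguardian[.]net` from the NameSilo report is a single-character omission combined with a TLD swap, and neither this script nor a single-fuzzer pass produces it, so a hit list is a floor, not a ceiling; once one scam domain is confirmed, feed it back in as a new seed. Second, one IP serving several look-a-likes is a strong lead, but as the MetaMask post notes, the same pattern appears on shared hosting, so check what else the address serves before treating it as dedicated scam infrastructure.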

Progress For Now

The crypto industry is taking an absolute beating this week, so please forgive me if I celebrate the little victories while I watch my crypto fortune dwindle to nothing...

I received a response from NameSilo regarding three more scam webpages that have been impersonating the Guild of Guardians site for almost a year with a fake token sale. In NameSilo's defense, I was reporting the sites in a batch when I should have been reporting them one at a time. Now all three sites have been taken down.

For anyone keeping score, that leaves only one site from the original batch of scam sites I found a while back. The last site is hosted with a registrar I've never heard of before, but we'll see if I can get some kind of response from their abuse email.

A while ago I asked whether reporting scam sites was worth it, and I honestly believe it makes a difference. It might not seem like it, but if everyone reports these sites using the registrar's abuse emails, some are bou

NameSilo Abuse Reporting

On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites:

    guildofguardianes[.]com
    guildofguardians[.]net
    guildofguardian[.]net
    guildofguardians[.]cc

It's hard to predict the response from any given domain registrar. Some are really responsive, but in my experience, if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question. This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services: they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies.

In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there

Update on Scam Sites

Back in January I posted about several scam websites and listed them on this page: https://www.gogscamtracker.com/p/scam-address-list.html

The good news is that some of the sites have since been taken down, but others that have been up since January are still up. One scam site in particular is pictured here. It's hosted on several domains, including one that was highlighted to me by someone from the community whose son was scammed:

    guildofguardianes[.]com
    guildofguardians[.]net
    guildofguardian[.]net
    guildofguardians[.]cc

I plan to do a much deeper dive on this site in particular and see if I can cooperate with the Guild of Guardians team to get these taken down (most domain registrars want the brand owner to initiate the takedown request), but first a short rant.

When people get scammed in crypto there is a bit of victim blaming that goes around, that the victim should have known better. When it comes to DeFi, and you're working with experienced investors, and they get phished