AuthTxn[.]com Scam

This scam was recently reported in the Guild of Guardians report-scammers channel and the scam originated from a discord user impersonating a Guild of Guardians admin.

The discord account that sent the scam message has already been banned, but I suspect other members of the community will be approached by a similar scam with new fake discord accounts.

Reminder: The Guild of Guardians Team will NOT direct message you, and will never ask you for the seed phrase to your wallet!  Never ever share with anyone the seed phrase for your wallet.  This is super important whether you're new to crypto or not.  There is simply no reason for you to share your seed phrase with anyone.

With that aside, let's take a moment to explore how this scam works.

The scammer impersonates a Guild of Guardians team member and direct messages the victim telling them that they can help with their current issue.  They provide a link to a site, in this case: hxxp://authtxn[.]weebly[.]com.  I highly recommend you do not attempt to go to the site.  When I browse these sites I do so from a virtual machine designed for this sort of thing.

Your first indication that there's something up is the link itself.  The link is an http link, so it's not secure, it does not appear on the list of official Guild of Guardians links, and it has nothing to do with Guild of Guardians at all.  Also, it's hosted on Weebly, one of those DIY hosting sites.  They make it really easy for scammers to throw up a site in less then a few hours that looks reasonable.

In this case, the victim who received this discord message was keen enough to recognize a scam and report it.  However, if they had followed the link they would have been redirected to: hxxps://www.authtxn[.]com.  I expect future scams from these actors to use that link instead of the Weebly one.


If you head over to https://domaintools.com and search up the domain authtxn[.]com you'll find that it was registered recently, about three days ago.  However, all other information about the registrant is protected so we don't get much there, but clearly it's a red flag that the domain is newly registered.

I'm not sure if this site is mimicking an actual product or not, but scrolling down there are three functions it provides and they all point to the same page: authtxn[.]weebly[.]com/wallets.html.  It doesn't really matter if you're authenticating tokens, validating wallets, or authenticating NFT's, it all takes you to the same place.




The next page provides you a list of wallets, and while it might seem like you could pick your wallet, like the last page, all options lead you to the same next page: hxxps://www.authtxn[.]com/import-wallet.html.  This is all part of the illusion of appearing legitimate by making the wallet connection process look like you have choices along the way.



So what are they after?  Turns out they are after the seed phrase for your wallet.  To import your wallet all you have to do is fill in a form with the name of your wallet provider and your 12, or possibly 24 word seed phrase.  This is a pretty low sophistication social engineering attempt.


Hopefully, if you've been reading my posts on GoGScamTracker you would have never reached this stage in the scam and a Discord direct message from someone you don't know would have been enough for you to recognize a scam.  However, I expect whoever is behind this scam is going to try and re-use these techniques in some other contexts such as phishing.  The design is so generic that they are sure to be targeting projects other then Guild of Guardians.

I've flagged this website up to https://cryptoscamdb.org/ and will report to Weebly.  Hopefully Weebly will get the site taken down.

Three posts in one day!  Yep, it's been a busy weekend for scams, but I think that'll be all for now.  If you come across any GoG related scams don't hesitate to @gogscamtracker on Twitter or email report@gogscamtracker.com.  Stay safe out there.

Comments

Post a Comment

Popular posts from this blog

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more