This scam was recently reported in the Guild of Guardians report-scammers channel and the scam originated from a Discord user impersonating a Guild of Guardians admin.
The Discord account that sent the scam message has already been banned, but I suspect other members of the community will be approached by a similar scam with new fake Discord accounts.
Reminder: The Guild of Guardians Team will NOT direct message you, and will never ask you for the seed phrase to your wallet! Never ever share with anyone the seed phrase for your wallet. This is super important whether you're new to crypto or not. There is simply no reason for you to share your seed phrase with anyone.
With that aside, let's take a moment to explore how this scam works.
The scammer impersonates a Guild of Guardians team member and direct messages the victim telling them that they can help with their current issue. They provide a link to a site, in this case: hxxp://authtxn[.]weebly[.]com. I highly recommend you do not attempt to go to the site. When I browse these sites I do so from a virtual machine designed for this sort of thing.
Your first indication that there's something up is the link itself. The link is an http link, so it's not secure, it does not appear on the list of official Guild of Guardians links, and it has nothing to do with Guild of Guardians at all. Also, it's hosted on Weebly, one of those DIY hosting sites. They make it really easy for scammers to throw up a site in less than a few hours that looks reasonable.
In this case, the victim who received this Discord message was keen enough to recognize a scam and report it. However, if they had followed the link they would have been redirected to: hxxps://www.authtxn[.]com. I expect future scams from these actors to use that link instead of the Weebly one.
If you head over to https://domaintools.com and search up the domain authtxn[.]com you'll find that it was registered recently, about three days ago. However, all other information about the registrant is protected so we don't get much there, but clearly it's a red flag that the domain is newly registered.
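The red flags described so far (plain http, a host missing from the official link list, DIY hosting, a freshly registered domain) can be checked mechanically before anyone clicks. The sketch below is an added example, not part of the original post; the allowlist entry is a placeholder, and the 30-day threshold and the dates are assumptions.

```python
from __future__ import annotations

from datetime import date
from urllib.parse import urlsplit

# Placeholder allowlist: replace with the project's published official links.
OFFICIAL_HOSTS = {"official-project.example"}
# Free site builder named in this post; extend the tuple as needed.
DIY_HOST_SUFFIXES = (".weebly.com",)
NEW_DOMAIN_DAYS = 30  # assumed cut-off for "newly registered"


def refang(link: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL string."""
    link = link.strip().replace("[.]", ".")
    if link.lower().startswith("hxxp"):
        link = "http" + link[4:]
    return link


def triage(link: str, registered: date | None = None,
           today: date | None = None) -> list[str]:
    """Return the red flags from the post that apply to a link sent in a DM."""
    parts = urlsplit(refang(link))
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    # Exact host match, so lookalikes that merely contain the name still fail.
    if host not in OFFICIAL_HOSTS:
        flags.append("not-on-official-list")
    if host.endswith(DIY_HOST_SUFFIXES):
        flags.append("diy-hosting")
    # The registration date comes from a WHOIS lookup done separately.
    if registered is not None:
        age_days = ((today or date.today()) - registered).days
        if age_days < NEW_DOMAIN_DAYS:
            flags.append("newly-registered")
    return flags


if __name__ == "__main__":
    # Links as written in the post; the dates are constructed for the demo.
    print(triage("hxxp://authtxn[.]weebly[.]com"))
    print(triage("hxxps://www.authtxn[.]com",
                 registered=date(2021, 1, 4), today=date(2021, 1, 7)))
```

Nothing here contacts the site: the link is only parsed as a string, so it is safe to run on reported messages.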
I'm not sure if this site is mimicking an actual product or not, but scrolling down there are three functions it provides and they all point to the same page: authtxn[.]weebly[.]com/wallets.html. It doesn't really matter if you're authenticating tokens, validating wallets, or authenticating NFTs, it all takes you to the same place.
The next page provides you a list of wallets, and while it might seem like you could pick your wallet, like the last page, all options lead you to the same next page: hxxps://www.authtxn[.]com/import-wallet.html. This is all part of the illusion of appearing legitimate by making the wallet connection process look like you have choices along the way.
So what are they after? Turns out they are after the seed phrase for your wallet. To import your wallet all you have to do is fill in a form with the name of your wallet provider and your 12- or possibly 24-word seed phrase. This is a pretty low-sophistication social engineering attempt.
Hopefully, if you've been reading my posts on GoGScamTracker you would have never reached this stage in the scam and a Discord direct message from someone you don't know would have been enough for you to recognize a scam. However, I expect whoever is behind this scam is going to try and re-use these techniques in some other contexts such as phishing. The design is so generic that they are sure to be targeting projects other than Guild of Guardians.
I've flagged this website up to https://cryptoscamdb.org/ and will report to Weebly. Hopefully Weebly will get the site taken down.
Three posts in one day! Yep, it's been a busy weekend for scams, but I think that'll be all for now. If you come across any GoG related scams don't hesitate to @gogscamtracker on Twitter or email firstname.lastname@example.org. Stay safe out there.