We Need To Talk About Phishing

Growing up my parents always reminded me "Never talk to strangers".  I must have heard that bit of advice from just about every adult in my life at one point in time or another.  Back then I'm sure no one imagined that about 90% of the people we interact with online in the crypto space were going to be effectively digital strangers.

The modern day equivalent of "Never talk to strangers" in the crypto space is "Never sign contracts from unverified sources... especially if it originates from an email."  It's not quite as catchy, so maybe just "Don't digitally sign what you can't verify". We'll work on the slogan.

According to several sources, 254 NFT's were stolen yesterday from a set of OpenSea users, and you can find at least one description of the incident here.

The leading theory I've come across is that the users were tricked into signing a fake contract regarding the OpenSea migration via a phishing email, and that contract gave the adversaries permission to transfer their NFTs.  I'm not going to go into the details, because I don't have them all, and instead let's talk about phishing, because it's still the number one way that I see users getting compromised in a lot of different industries.

Phishing isn't just a Gen X problem.

In the Guild of Guardians community you're probably used to the Discord direct message scam, where someone masquerades as Guild of Guardians and promises you rewards in return for going to their site or sending them crypto.  It's kinda like the digital equivalent of the white van with the creepy dude offering kids candy.

Somewhere in between creepy dudes in vans and Discord scammers are phishing emails and here are some important tips on how to keep yourself safe from phishing emails.

Whenever you read an email where you might have to take some action, like clicking on a link to go somewhere, consider the following:
  • Do you recognize the sender?  Not just the display name, but the email address under it.
  • Were you expecting this email?
  • Is there some urgency to the email?  Like: "Click now or else! Time is running out!"
  • Is the email offering something that is too good to be true?
  • Do you have to click a link?
  • Is there someone you can check with to verify the email's legitimacy?
  • If there is a link, can you validate the authenticity of the url?
If you receive an email from anyone in the Guild of Guardians community there are a couple of things you can do on the Guild of Guardians official discord to help verify if it's legitimate.

You can ask in general if anyone else received a similar message and if someone from the Guild of Guardians team can confirm it's expected.  If there is a link in the email you can compare it to the list of official links in the official_links channel on the official Guild of Guardians Discord.  Remember there's often a difference between what the link displays and where it leads to.  For example this link: www.google.com looks like it goes to www.google.com, but it actually redirects to the Guild of Guardians official discord if you click on it.  You can hover over a link and it should display where it will actually take you.

Most important of all: I almost NEVER expect to receive an email from the Guild of Guardians team.  That's what we have Discord for!  However, as it turns out I did actually receive one regarding the grants program... which had a link... and I clicked on it.  Lucky for me it was legitimate.

If you receive an email impersonating Guild of Guardians feel free to send a copy to report@gogscamtracker.com and I'll be sure to pull it apart and write an article on it.  In the meantime, be safe out there, don't take candy from dudes in vans, don't talk to strangers in real life, don't sign contracts you can't verify and don't click on links in emails unless you are 100% sure they are legitimate.  Do report scams to the community so we can help keep each other safe.

Comments

Post a Comment

Popular posts from this blog

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more