Identifying A Phishing Webpage
The last couple of months have been pretty exciting. First there was the Guild of Guardians pre-alpha, and you can find my non-security-related coverage of that on my gaming YouTube channel here:
In addition to that, I’m also settling into a new job this month. Unfortunately, that means that I’ve lost access to my Chainalysis license from my last employer, who was graciously allowing me to use it for crypto scam research. I’m still working on setting up a replacement so I can get back into exploring some funds transfers. I know, I know, I could just use Etherscan and their variations, but Chainalysis spoiled me.
I'm not the only one who's had a busy couple of months. Scammers are still up to their same antics, and the sites are getting more and more convincing. If you've read my earlier posts, you've seen a variety of phishing/scam site examples, but most of them deviate quite a bit from the look and feel of the actual site.
For this one I felt like a video would help really drive home just how closely adversaries can mimic a target site, and you can find the video here (https://youtu.be/OJu9HlJ2wsc):
The site in question, guildsofguardians[.]com, was flagged in the official Guild of Guardians discord channel, #report-scammers.
This is the kind of URL that you could easily mistake for the actual site, as it differs from the original by just one letter: the additional 's' at the end of 'guild'. The page itself looks identical to the legitimate site, which is scary.
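As an added example (not code from the original post), here is a small Python lookalike check of the kind a defender could run over a list of reported or newly registered domains: it measures the edit distance between each candidate and the brand domain, so a one-letter insertion like the extra 's' above scores 1. The candidate domains other than the two named in the post are constructed for illustration.

```python
# Added example, not part of the original post. Flags domains that sit within a
# small edit distance of a brand domain you want to protect.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions/deletions/substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Reduce 'https://guildofguardians.com/' or 'guildsofguardians[.]com'
    to the label left of the public suffix ('guildofguardians').
    Assumption: a plain second-level domain; multi-part suffixes like
    .co.uk are not handled here."""
    host = domain.lower().replace("[.]", ".").split("://")[-1]
    host = host.split("/")[0].rstrip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_lookalikes(candidates, legit="guildofguardians.com", max_distance=2):
    """Return (domain, distance) for candidates that are close to, but not
    identical to, the legitimate domain, nearest first."""
    base = registrable_label(legit)
    hits = []
    for cand in candidates:
        dist = edit_distance(registrable_label(cand), base)
        if 0 < dist <= max_distance:
            hits.append((cand, dist))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    # Constructed sample list; only the first two domains appear in the post.
    reported = ["guildsofguardians[.]com", "guildofguardians.com",
                "gui1dofguardians.com", "example.com"]
    for domain, dist in find_lookalikes(reported):
        print(f"{domain}: edit distance {dist} from guildofguardians.com")
```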
Most browsers will flag sites like this if they don't implement HTTPS properly: either they don't support it at all, or they use a certificate that isn't signed by a trusted certificate authority. Here Firefox warns me with the red line through the lock when I browse to http instead of https. With most legitimate sites, if you try to navigate using http you'll be redirected to https. For example, if you go to http://guildofguardians.com you'll be redirected to https://guildofguardians.com.
You can also inspect the site in Firefox to get more details on the URL.
With many crypto sites we've become accustomed to connecting our wallets early in our interactions, so the "Connect Wallet" button in the top right corner isn't unusual at first glance. If you click on Connect Wallet, you're prompted with a fairly convincing-looking Metamask pop-up. In this case, I don't actually have the Metamask plugin installed on the Firefox browser I'm using, but it still pops up as though I did.
If you enter any password (I just put in “testpassword”), you are taken to a page asking you to paste your secret recovery phrase. This is an absolutely huge red flag. You should never be prompted to enter your secret recovery phrase… ever. If anyone asks you for this phrase in connection with Guild of Guardians, you know immediately it’s a scam.