Identifying A Phishing Webpage

The last couple of months have been pretty exciting. First there was the Guild of Guardians pre-alpha, and you can find my non-security related coverage for that on my gaming YouTube channel here:

https://youtube.com/playlist?list=PLri5gwePt7qhj6_BdeiN5jLKmJ4nK9Grh

In addition to that, I’m also settling into a new job this month.  Unfortunately, that means that I’ve lost access to my Chainalysis license from my last employer, who was graciously allowing me to use it for crypto scam research.  I’m still working on setting up a replacement so I can get back into exploring some funds transfers. I know, I know, I could just use Etherscan and their variations, but Chainalysis spoiled me.


I'm not the only one whose had a busy couple of months.  Scammers are still up to their same antics, and the sites are getting more and more convincing.  If you've read my earlier posts you've seen a variety of phishing/scam site examples but most of them deviate quite a bit from the look and feel of the actual site.


For this one I felt like a video would help really drive home just how close adversaries can mimic a target site, and you can find the video here (https://youtu.be/OJu9HlJ2wsc):






The site in question, guildsofguardians[.]com, was flagged in the official Guild of Guardians discord channel, #report-scammers.




This is the kind of url that you could easily mistaken for the actual site, as it differs from the original by just one letter, the additional 's' at the end of guild. The page itself looks identical to the legitimate site, which is scary.


Most browsers are going to flag sites like this if they don't implement https properly, if either they don't support it at all or if they are using a certificate that isn't signed by a trusted provider. Here Firefox attempts to warn me with the red line through the lock if I browse to http instead of https. With most legitimate sites, if you try to navigate using http you'll be redirected to https. For example, if you try going to http://guildofguardians.com you'll be redirected to https://guildofguardians.com.


You can also inspect the site in Firefox to get more details on the URL.



With many crypto sites we've become accustomed to connecting our wallets early in our interactions, and the "Connect Wallet" button in the top right corner isn't unusual at first glance. If you click on connect wallet you’re prompted with a fairly convincing looking Metamask pop-up. In this case, I don't actually have the Metamask plugin installed on the Firefox browser I'm using, but still it pops up as though I did.



If you input any password, for example I just put in “testpassword”, you receive a page asking you to paste your secret recovery phrase.  This is an absolutely huge red flag.  You should never be prompted to input your secret recovery phrase… ever… if anyone ever asks you for this phrase related to Guild of Guardians you know immediately it’s a scam.




If you give someone these 12 words they will be able to access your account and take your funds. If I input a few random words and hit confirm behind the scenes the adversary is just recording these words for later use.

If you fall victim to a phishing site like this there is nothing anyone can do to save your crypto, it's basically a race against time between you and the adversary to see who can move your funds out of your wallet first. If you're curious, you can do a bit of domain research using DomainTools to see when this site was registered and DomainTools is free to use for a limited number of queries.


Here you see the domain was registered only two weeks ago. However, most of the information here is protected for privacy reasons. You can see that the domain was registered on Namecheap and I'll be sending an email to the abuse email address to report this site. Hopefully Namecheap will take action revoking the domain ownership from the bad actors. This is like playing whack-a-mole though, and if you've been following my work you'll recognize that as sites are taken down, more pop up. Having said that, we as the Guild of Guardians community can help keep each other informed on these sites and make some effort to get these sites taken down before they victimize our fellow Guardians.
If you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com. Stay safe out there.

Comments

Post a Comment

Popular posts from this blog

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more