Down MetaMask Impersonation Rabbit Hole
It's Friday night. I should be doing something else. I have a VR headset literally two feet away from me collecting dust, and what am I doing? I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique.
I created a short video demonstrating the technique, and if you're curious you can check it out here:
At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find additional look-alike domains, and after adding the TLD swap option I uncovered even more.
I noticed a pattern, though: two IP addresses kept coming up in connection with this particular MetaMask impersonation:
188.8.131.52 and 184.108.40.206
If you want to know everything hosted on a particular server, you can leverage tools like VirusTotal. In some cases you'll come across IP addresses used by shared hosting providers; in other words, you might find hundreds of legitimate websites hosted on the same IP address as a scam one, so co-hosting alone proves little. However, that's not what I found here.
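The two pivots described above (dnstwist-style TLD swapping to find look-alike domains, and pivoting on an IP address to see what else resolves to it) can be illustrated offline. The script below is an added example, not code from the original post or from dnstwist or VirusTotal. The resolution table is constructed for the example: only the seed domain and the two IP addresses come from the post, every other domain and IP pair is made up, and the brand domain `guildofguardians.com` used for candidate generation is assumed for illustration.

```python
"""
Added example (not part of the original post): an offline illustration of
the two pivots used in the write-up.

1. dnstwist-style candidate generation, limited to the TLD swap the post
   mentions, for a brand domain you want to monitor.
2. A passive-DNS style pivot: starting from a seed domain, collect the IPs it
   resolves to, then list every other domain in the data set that shares one
   of those IPs, with the shared IPs recorded as the reason.

SAMPLE_RESOLUTIONS is constructed for the example; it is not real passive-DNS
data from VirusTotal or any other source.
"""
from collections import defaultdict

# Constructed sample of (domain, ip) resolutions. Only the seed domain and the
# two IPs come from the post; every other domain/IP pair is made up, and the
# unrelated rows use RFC 5737 documentation addresses.
SAMPLE_RESOLUTIONS = [
    ("guildofguardians.top", "188.8.131.52"),
    ("guildofguardians.top", "184.108.40.206"),
    ("example-defi-a.xyz", "188.8.131.52"),
    ("example-game-b.site", "184.108.40.206"),
    ("example-swap-c.in", "188.8.131.52"),
    ("unrelated-shop.com", "203.0.113.9"),
    ("another-unrelated.org", "198.51.100.7"),
]

# Short TLD list for the swap; dnstwist ships its own, much longer dictionary.
TLDS = ["com", "net", "org", "top", "xyz", "site", "in", "io"]


def tld_swap(domain, tlds=TLDS):
    """Return look-alike candidates that keep the label and change only the TLD."""
    label, _, original_tld = domain.rpartition(".")
    return [f"{label}.{t}" for t in tlds if t != original_tld]


def build_index(resolutions):
    """Index resolutions both ways: domain -> set(ip) and ip -> set(domain)."""
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot_on_ips(seed, resolutions):
    """Domains (other than the seed) that share at least one IP with the seed.

    Returns {domain: set_of_shared_ips} so each hit carries its evidence.
    """
    by_domain, by_ip = build_index(resolutions)
    related = defaultdict(set)
    for ip in by_domain.get(seed, ()):
        for other in by_ip[ip] - {seed}:
            related[other].add(ip)
    return dict(related)


def looks_like_shared_hosting(ip, resolutions, threshold=100):
    """Crude check: many domains on one IP suggests a shared host, in which case
    co-hosting is weak evidence. The threshold is an assumption, not a rule."""
    _, by_ip = build_index(resolutions)
    return len(by_ip.get(ip, ())) >= threshold


if __name__ == "__main__":
    # Assumed brand domain for illustration; monitor the real one in practice.
    for cand in tld_swap("guildofguardians.com"):
        print("candidate:", cand)
    for dom, ips in sorted(pivot_on_ips("guildofguardians.top", SAMPLE_RESOLUTIONS).items()):
        print(f"{dom:24} shares {sorted(ips)}")
```

In practice the candidate list feeds a resolver or dnstwist's own lookups, and the resolution table comes from a passive-DNS source; the shared-hosting check is there to stop a single busy IP from turning every co-hosted tenant into a "related" hit.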
On the graph above you see my starting point, guildofguardians[.]top, a scam website impersonating Guild of Guardians and using the fake MetaMask phishing page. You can also see it resolves to two Netherlands flags, one for each of the IP addresses above. Attached to those are two clusters of resolutions: over 250 domains resolve to those two IP addresses.
What sorts of sites you ask? How about Zerions[.]com or babyswaps[.]in?
Some of these sites have already been taken down by the looks of it, but some are still up. It looks like they are impersonating a variety of DeFi apps and games including:
- Guild of Guardians
NameSilo appears to be their registrar of choice, and I've had some luck asking NameSilo to take down sites so long as I can provide screenshots and fill out the form... one at a time...
This could be a long night, but I can't unsee all these scam sites, and I'm sure this is only the tip of the iceberg. VR will have to wait.
Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email firstname.lastname@example.org.