{"id":9913,"date":"2024-01-18T14:00:00","date_gmt":"2024-01-18T12:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/web3-phishing-how-to-protect-yourself-and-your-assets\/"},"modified":"2024-01-18T14:00:00","modified_gmt":"2024-01-18T12:00:00","slug":"web3-phishing-how-to-protect-yourself-and-your-assets","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/web3-phishing-how-to-protect-yourself-and-your-assets\/","title":{"rendered":"Web3 phishing: how to protect yourself and your assets"},"content":{"rendered":"

Spam and phishing are two perennial scourges of the internet at every stage of its evolution. Web3 is no exception. Vladimir Menaskop explains how to fend off phishing attacks on your crypto-assets for ForkLog readers: Vladimir Menaskop<\/a>.<\/em><\/p>\n

Three pillars: security, diversification, customisation<\/strong><\/h2>\n

If that reads like a mere string of words, it is time to reflect: without these three steps, your crypto-world will never be in good order. Let us start with security.<\/p>\n

I have covered it here<\/a> and here<\/a>, so I will emphasise only the points I did not write about earlier:<\/p>\n

    \n
  1. If you devote time to security only once a year, you are already potentially compromised. It does not matter whether that is your email ending up in a spam database or a password leaked from some site (say, an exchanger).<\/li>\n
  2. If you use only convenient but closed software, you are already potentially compromised. The OS<\/span> community tends to work both faster and more collegially\u2014and, crucially, continuously rather than sporadically.<\/li>\n
  3. If you have not tried working with complex extensions, wallets and other official dapps<\/span> such as Bitcoin Core or Polkadot JS, you probably have not fully \u201cfelt\u201d the process and are, potentially\u2014yes\u2014already compromised.<\/li>\n<\/ol>\n

    All three theses may sound like bedtime scare stories, but the following examples suggest otherwise.<\/p>\n

    Example No. 1. Our arch-enemy is not stairs, but advertising<\/strong><\/h3>\n

    One late evening I needed to exchange a small sum in ETH. Where would most of us go? So I went to BestChange. But I broke my own rule: \u201cType the address by hand, not via search\u201d.<\/p>\n

    I typed it into Google (a fatal mistake, but errors tend to come in chains) and clicked the first link.<\/p>\n

    Predictably, it was phishing. The \u201ccompany of good\u201d filtered crypto projects from its search results\u2014but only the honest ones. Phishing sites mimicking the largest aggregator slipped through. And the replica was excellently done: no bugs, no typos, even an SSL certificate. The difference\u2014one letter. A classic, well staged and well drawn.<\/p>\n

    \"Phishing
    Data: Google.<\/figcaption><\/figure>\n

    In the end I found the route I needed and followed a link to a site that, of course, was also fake. What is more, it looked exactly like the one I had used before. Then I made a third unforgivable mistake: I did not log in, because the amount seemed small and it was already late.<\/p>\n

    That was it. My ether settled permanently in the scammers\u2019 pockets.<\/p>\n

    How could this have been avoided?<\/p>\n

    Here are a few simple rules:<\/p>\n

      \n
    1. Memorise and type manually the addresses of sites you use (DEX<\/span>, wallets, aggregators), and add them to bookmarks: that gives you at least two sources for cross\u2011checking. Only then use search engines as a third, independent source; preferably not Google, Yandex or Baidu but something without ads or other spam. Several working options can be found here<\/a>.<\/li>\n
    2. Wherever you can customise, do so: Gmail wallpapers, partner authorisation on BestChange, a personal account at an exchanger, and much else. Welcome messages and internal account names work especially well: even CEX<\/span> now do this; in the decentralised world neglecting it is a sin.<\/li>\n
    3. And, of course, always verify wallet addresses (numbers): exchanges often index them.<\/li>\n<\/ol>\n

      Individually these points are weak; together they work. Phishing ads still show up on Facebook, so my example will remain relevant for a long time yet.<\/p>\n

      Example No. 2. Approvals: the bane of crypto<\/strong><\/h3>\n

      This case, unlike the previous one, did not happen to me\u2014and quite recently. I will try to reconstruct the chronology.<\/p>\n

      Initially, a crypto-enthusiast (let us call him E.) had the seed from a Trezor<\/a> hardware wallet, on which BTC was stored under a passphrase<\/a>\u2014an excellent setup in itself.<\/p>\n

      Then came a series of errors. I quote: \u201cI imported this seed into a [mobile wallet]. Apparently to check how import works and to make sure that the presence of bitcoin is not visible in the mobile wallet. That is how it was; I made sure.\u201d<\/p>\n

      Importing a seed phrase from a hardware wallet into a mobile one is a serious mistake: it defeats the very purpose of keeping keys on the device. I quote further:<\/p>\n

      \n

      \u201cIn autumn 2022 I switched from a PC to a Mac and installed MetaMask as a Chrome extension, because it is inconvenient to live without it. [But for a long time I did not] use it. Deciding to use this same seed for BEP-20 token operations, I topped up [the wallet] on 1 December 2022 with a small portion of BNB from someone and, apparently, started to connect somewhere via Wallet Connect (where and why, I do not remember).\u201d<\/p>\n<\/blockquote>\n

      Here the difference is clear: the Wallet Connect library has been attacked more than once, including through phishing, and in fact the funds were no longer offline but online (after importing the seed phrase). That at least doubled the risk compared with standard storage on a Trezor.<\/p>\n

      We move on in the victim\u2019s account: \u201cIn the process of connecting and [testing] I made an approval for the scammer to operate with BUSD (why, I do not remember), and since it was Wallet Connect and the interface there is not great, [plus] lagging, [I] did not understand this or did not attach importance to it. It is important that the approval was made by me in the [mobile wallet] via Wallet Connect. I clarified [this] with [the mobile wallet\u2019s developers], the screenshot<\/span> shows this exactly. That is, MetaMask has nothing to do with it.\u201d<\/p>\n

      The key takeaway from this part is that everything in crypto changes constantly. When we do something unthinkingly, it is then hard to reconstruct the full picture and determine the level of security under control. The rest of the story proves it. I quote:<\/p>\n

      \n

      \u201c[Later in the mobile wallet] Wallet Connect did not work, and I needed to make an SBT, so I moved to MetaMask and [started] doing operations in the BSC network from it, connecting to a dapps site\u2026 Everything was ok, and since the BUSD BEP-20 token was not involved here, there was nothing for the scammer, who had access, to steal; the approval was waiting for its hour.\u201d<\/p>\n<\/blockquote>\n

      Exactly. An approval granted to a compromised address or smart contract can hang around almost indefinitely. So the first thing to do when reconstructing activity on an account (wallet) is to check approvals. Where and how? I will set it out below.<\/p>\n

      We continue with the story: \u201cLast week information appeared that Binance would delist the original BUSD from Paxos by 15 December [2023], and on that occasion I decided to get rid of all centralised stablecoins. I swapped a large amount of USDT TRC-20 for bitcoin (successfully, it went up), BUSD BEP-20 remained on another wallet ($2640\u2014the entire amount). Then a colleague in [the city] needed [fiat currency] to a [bank] card, so I [faffed with] MetaMask and left the matter for later, deciding that, perhaps, I would exchange part of the BUSD BEP-20 for roubles at an [exchanger] and send it to the person. In general, in my mind BUSD I decided to spend on current business, since one must fundamentally get rid of CEX stablecoins. The motive is \u2018BUSD to go in full\u2026\u2019\u201d<\/p>\n

      Thus the funds lay in the wallet for some time, and the account was not actively used. And here is how it ended:<\/p>\n

      \n

      \u201cToday at night before going to sleep<\/strong> I think, should I swap in the [mobile wallet] BUSD for bitcoin so as not to shuttle it back and forth (I should have swapped). I refuse, I decide to transfer BUSD BEP-20 in full ($2640) to the seed in MetaMask to test [the exchanger]\u2026 and in general to get rid of it by spending. I perform the operation in the [mobile wallet] from one seed, make sure that to the second seed (which is in [the mobile wallet] and MetaMask) the tokens arrived in full, and fall asleep. And in the morning I see notifications in the mail from BscScan that the tokens were debited to a rogue address immediately after arrival by this transaction<\/a>\u2026 I wrote to you, and you found out that an approval a year old was lying in wait for its hour. It got it.\u201d<\/p>\n<\/blockquote>\n

      A sad story with a miserable outcome. But let us try to extract something positive.<\/p>\n

      1. A cold wallet and a hot one cannot live under a single MetaMask setup.<\/strong> Nor does it make sense to integrate a hardware wallet via a seed (except in emergency recovery). Integration between Trezor and MetaMask, however, is fine.<\/p>\n

      2. If you have not used a wallet for a long time, check approvals.<\/strong> Where? Via the links below (broadly, you can handle approvals via scanners or via specialised<\/a> services; here is a consolidated list):<\/p>\n