Beware of Phishing Attacks by Fake Journalists

SlowMist
4 min readNov 13, 2023

--

Background

On October 14, Twitter user Masiwei reported a malicious code targeting friend.tech for account theft.

https://twitter.com/0xmasiwei/status/1713188711243104467

According to the analysis by the SlowMist Security Team, the link sent by the attacker contained a malicious JavaScript script. The attacker would trick users into adding it as a bookmark, laying the groundwork for future malicious activities. Following this discovery, SlowMist issued a security warning on Twitter. The team had previously written an article about browser bookmark attacks, titled “SlowMist: Exposing How Malicious Browser Bookmarks Can Steal Your Discord Token.”

https://twitter.com/SlowMist_Team/status/1713168236483584018

On October 17, a user of friend.tech named Double Wan tweeted that their assets on friend.tech were stolen. The SlowMist Security Team immediately assisted the victim in tracking and investigating the theft. Through the efforts of the SlowMist team and the cooperation of OKX, the stolen funds were successfully intercepted. Below, we will detail the process of phishing attacks by fake journalists, hoping to raise awareness and help everyone better guard against such scams.

Attack Process

Disguising Identity

In the digital world, one can easily fabricate their identity. The attacker masqueraded as a journalist from a well-known news agency and even had over ten thousand followers on Twitter.

Targeting

The JavaScript malicious script was designed to attack friend.tech users. Naturally, the attacker chose Key Opinion Leaders (KOLs) as targets, who, due to their popularity, would find it reasonable to receive interview invitations.

The attacker would follow people you are following on Twitter. When you visit the attacker’s Twitter page and see some mutual follows, it creates the impression that they are a part of the same community.

Building Trust

After scheduling an interview, the attacker would guide you to join the interview on Telegram and even provide an interview outline.

https://twitter.com/iamdoublewan/status/1714127044358066310
https://twitter.com/0xmasiwei/status/1713188713742876739

And so, you diligently prepare based on the interview outline provided by the attacker and engage in a two-hour interview, listening to two “hosts” conversing back and forth. It all seems legitimate, as you anticipate the interview being published on a renowned news website.

The Moment of Attack

After the interview, the attacker asks you to fill out a form and open a phishing link they provide. The link, under the “Verify” section, includes detailed explanations on why and how to verify: To prevent impersonation, you must verify the ownership of your friend.tech account. Please follow the instructions below to complete the verification process. To verify your friend.tech account, drag the “Verify” button to your bookmark bar, then go to the friend.tech website and click on the bookmark to verify.

Once a user opens the bookmark containing the malicious JavaScript script on the friend.tech page, the malicious code is designed to deceive and steal the user’s password (i.e., friend.tech’s 2FA), as well as the tokens associated with the embedded wallet Privy used by the friend.tech account. This means that both the user’s friend.tech account and the related funds are at risk of being stolen.

https://twitter.com/evilcos/status/1713164067358294293
https://twitter.com/evilcos/status/1713164067358294293

Our founder, Cos, also emphasized the severity of such attacks. If your independent password, i.e., the 2FA for friend.tech, is stolen, and you have set up information related to friend.tech and its embedded wallet Privy (including other relevant information in localStorage), then your private key plaintext can also be stolen. This means that your account is effectively rendered useless unless friend.tech is willing to provide you with a new private key and corresponding wallet address.

https://twitter.com/evilcos/status/1714237137829458335

Preventive Measures

- Heighten awareness of social engineering attacks.

- Avoid clicking on unknown links.

- Learn basic methods to identify phishing links, such as checking for misspellings or extra punctuation in domain names, and ensuring they match official domains.

- Install anti-phishing plugins, as detailed in our previous public articles, like “How to Choose an Anti-Phishing Plugin.”

Summary

Social engineering attacks and phishing scams are constantly evolving. The victim in this incident, who was just practicing English speaking skills, ended up having all their funds on friend.tech stolen. While we might not be familiar with all these scams, we can significantly avoid phishing attacks by: not clicking unknown links; learning to identify phishing links; and maintaining skepticism and continuous verification for actions involving authorization or password input. Lastly, we recommend reading SlowMist’s “Blockchain Dark Forest Self-Rescue Manual” available at: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.