On October 14, Twitter user Masiwei reported malicious code targeting friend.tech users for account theft.
On October 17, a friend.tech user named Double Wan tweeted that their assets on friend.tech had been stolen. The SlowMist Security Team immediately assisted the victim in tracking and investigating the theft. Through the efforts of the SlowMist team and the cooperation of OKX, the stolen funds were successfully intercepted. Below, we detail how this fake-journalist phishing attack worked, hoping to raise awareness and help everyone better guard against such scams.
In the digital world, one can easily fabricate their identity. The attacker masqueraded as a journalist from a well-known news agency and even had over ten thousand followers on Twitter.
The attacker follows the same accounts you follow on Twitter. When you visit the attacker’s Twitter page and see mutual follows, it creates the impression that they are part of the same community.
After scheduling an interview, the attacker would guide you to join the interview on Telegram and even provide an interview outline.
And so, you diligently prepare based on the interview outline provided by the attacker and engage in a two-hour interview, listening to two “hosts” conversing back and forth. It all seems legitimate, as you anticipate the interview being published on a renowned news website.
The Moment of Attack
After the interview, the attacker asks you to fill out a form and open a phishing link they provide. The “Verify” section of that page explains at length why and how to verify: “To prevent impersonation, you must verify the ownership of your friend.tech account. Please follow the instructions below to complete the verification process. To verify your friend.tech account, drag the ‘Verify’ button to your bookmark bar, then go to the friend.tech website and click on the bookmark to verify.”
Our founder, Cos, also emphasized the severity of such attacks. If your independent password (the 2FA for friend.tech) is stolen, and the attacker also obtains the information friend.tech and its embedded wallet Privy store in the browser (including the relevant entries in localStorage), then your private key plaintext can be stolen as well. This means your account is effectively rendered useless unless friend.tech is willing to provide you with a new private key and corresponding wallet address.
- Heighten awareness of social engineering attacks.
- Avoid clicking on unknown links.
- Learn basic methods to identify phishing links, such as checking for misspellings or extra punctuation in domain names, and ensuring they match official domains.
- Install anti-phishing plugins, as detailed in our previous public articles, like “How to Choose an Anti-Phishing Plugin.”
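The advice above, checking a domain for misspellings or extra punctuation and confirming it matches the official domain, can be turned into a small link triage routine. The following JavaScript is an added example written for this article, not SlowMist’s code or any friend.tech tooling. It classifies a link before you open it: a `javascript:` link (which is what a “drag this Verify button to your bookmark bar” page hands you, since such a bookmark runs with the privileges of whatever site is open when it is clicked) is flagged as a bookmarklet; punycode hosts, hosts that embed the official domain inside an unrelated one, and hosts within a couple of typos of the official domain are flagged as lookalikes. The official host list and the sample links are assumptions constructed for the example.

```javascript
// Added example (not SlowMist's or friend.tech's code): triage a link the
// way the article's advice suggests before opening it.
// The official-host list is an assumption for this example.
const OFFICIAL_HOSTS = ["friend.tech", "www.friend.tech"];

// Standard Levenshtein edit distance, used to catch one- or two-character typosquats.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
  }
  return dp[a.length][b.length];
}

// Registrable domain approximated as the last two labels. Good enough for
// .tech/.com; a production tool would consult the public suffix list.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Strip the separators an attacker plays with ("friend-tech", "friend.tech.x").
function squash(s) {
  return s.replace(/[.-]/g, "");
}

// Returns one of: unparseable, bookmarklet, insecure-scheme, official,
// official-subdomain, punycode, lookalike, unknown.
function classifyLink(raw, officialHosts = OFFICIAL_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return "unparseable";
  }

  // A "Verify" button meant to be dragged to the bookmark bar is a javascript: URL.
  if (url.protocol === "javascript:") return "bookmarklet";
  if (url.protocol !== "https:") return "insecure-scheme";

  const host = url.hostname.toLowerCase();
  if (officialHosts.includes(host)) return "official";

  const officialDomains = [...new Set(officialHosts.map(registrableDomain))];
  // A genuine subdomain of the official registrable domain (e.g. app.friend.tech).
  if (officialDomains.some((od) => host.endsWith("." + od))) return "official-subdomain";

  // Punycode labels are how homoglyph domains (e.g. Cyrillic letters) appear on the wire.
  if (host.split(".").some((label) => label.startsWith("xn--"))) return "punycode";

  // Official domain embedded in an unrelated host, with or without extra punctuation.
  if (officialDomains.some((od) => squash(host).includes(squash(od)))) return "lookalike";

  // Typosquat: within two edits of the official registrable domain.
  const domain = registrableDomain(host);
  if (officialDomains.some((od) => editDistance(domain, od) <= 2)) return "lookalike";

  return "unknown";
}

// Constructed sample links for the example (not taken from the incident).
const SAMPLE_LINKS = [
  "https://friend.tech/",
  "https://app.friend.tech/profile",
  "https://friend.tech.verify-example.com/",
  "https://friend-tech.com/verify",
  "https://frend.tech/",
  "https://xn--80ak6aa92e.com/",
  "javascript:void(0)",
  "http://friend.tech/",
  "https://example.com/",
];

function triageAll(links = SAMPLE_LINKS) {
  return links.map((l) => ({ link: l, verdict: classifyLink(l) }));
}

for (const { link, verdict } of triageAll()) {
  console.log(verdict.padEnd(18), link);
}
```

Only “official” and “official-subdomain” verdicts are safe to click without further thought; everything else deserves the skepticism the article recommends, and a “bookmarklet” verdict on a page asking you to verify a wallet should end the conversation.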
Social engineering attacks and phishing scams are constantly evolving. The victim in this incident, who was simply practicing English speaking skills, ended up having all their funds on friend.tech stolen. While we cannot be familiar with every scam, we can avoid most phishing attacks by not clicking unknown links, learning to identify phishing links, and maintaining skepticism and continuous verification for any action that involves authorization or entering a password. Lastly, we recommend reading SlowMist’s “Blockchain Dark Forest Self-Rescue Manual”, available at: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.