Our investigation began in the early morning of May 16th, when I joined a project's official Discord server via a link from their website. Shortly after joining, I received a private message from a captcha bot asking me to complete a verification. This looked like the standard captcha-verification flow, so I clicked the link to verify.
After completing the verification, a MetaMask prompt asked me to enter my password. It looked legitimate, but I noticed "about:blank" displayed in the address bar. That caught my attention: a pop-up opened by the real MetaMask extension would not show an "about:blank" address bar.
Next, I entered a random password and inspected the page elements. This MetaMask interface had been rendered by a fake website, "https://captcha.fm/", not by the real wallet extension, so I started debugging this fake wallet.
After I entered the password, the fake wallet took me to a "Security Check" page and asked me to enter a mnemonic seed phrase for verification. Note that any password and mnemonic entered here are encrypted and sent to the malicious site's server.
By analyzing the domain name, we found that the malicious domain captcha.fm resolved to 184.108.40.206 and 220.127.116.11. Both addresses are hosted on Cloudflare, so the site could only be reported indirectly, through Cloudflare.
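The address-bar check described above can be turned into a small triage helper. The following is an added example (not code from the original write-up or from MetaMask): it classifies where a wallet prompt is rendered from by the scheme of the URL shown in its address bar. The scheme lists and the extension-ID placeholder are assumptions made for this example; the real extension ID should be copied from your own browser's extension list.

```javascript
// Added example (not code from the original post): classify where a wallet
// prompt is rendered from, using the text shown in its address bar. A genuine
// MetaMask window is an extension page (chrome-extension:// in Chromium-based
// browsers, moz-extension:// in Firefox). A prompt whose address bar shows
// "about:blank", an http(s) site, or a data:/blob: URL is drawn by the web
// page itself, so anything typed into it goes to that page, not to the wallet.
// The scheme lists below are assumptions made for this example.

const EXTENSION_SCHEMES = new Set([
  "chrome-extension:", "moz-extension:", "safari-web-extension:",
]);
const WEB_PAGE_SCHEMES = new Set([
  "http:", "https:", "about:", "data:", "blob:", "javascript:",
]);

// knownExtensionIds (optional): the extension ID copied from your own
// browser's extension list. When given, an extension URL with any other ID
// is reported as "unknown-extension" instead of being trusted on scheme alone.
function classifyWalletPrompt(addressBarText, knownExtensionIds = null) {
  let url;
  try {
    url = new URL(String(addressBarText).trim());
  } catch {
    return "unknown"; // empty or unparseable address bar
  }
  if (EXTENSION_SCHEMES.has(url.protocol)) {
    if (knownExtensionIds && !knownExtensionIds.has(url.hostname)) {
      return "unknown-extension";
    }
    return "extension";
  }
  if (WEB_PAGE_SCHEMES.has(url.protocol)) return "web-page";
  return "unknown";
}

// Run this in the DevTools console of the suspicious pop-up to classify the
// window you are actually looking at. Under Node there is no location object,
// so it reports "unknown".
function classifyCurrentWindow() {
  const loc = globalThis.location;
  const href = loc && typeof loc === "object" ? loc.href : "";
  return classifyWalletPrompt(href);
}

// Constructed inputs, including the "about:blank" bar seen in the write-up.
// The extension ID below is a placeholder, not a real extension.
const PLACEHOLDER_ID = "abcdefghijklmnopabcdefghijklmnop";
if (typeof require !== "undefined" && require.main === module) {
  const bars = [
    "about:blank",
    "https://captcha.fm/",
    `chrome-extension://${PLACEHOLDER_ID}/notification.html`,
    "",
  ];
  for (const bar of bars) {
    console.log(JSON.stringify(bar), "->", classifyWalletPrompt(bar));
  }
}
```

The point of the `knownExtensionIds` parameter is that a scheme check alone only proves the prompt is some extension; comparing the host part of the URL against the ID you see in your own extension list proves it is the extension you installed.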
Analysis of Malicious Accounts
After downloading and saving the malicious site's source code, I sent the information to the project team and began analyzing the accounts behind this phishing attack. The fake captcha bots send private messages to newly joined users to trick them into handing over their password and mnemonic seed phrase.
We searched the relevant channel for other captcha accounts and found several more fake accounts. We immediately notified the project team, and they replied promptly. We helped them identify the phishing accounts so the accounts could be deleted, and we discussed potential preventive measures.
The next morning, a member of our team joined the official Discord server and received another private message. This time the scammers impersonated the project's official account to deliver phishing links.
This time, the scammers didn't even bother to fake a MetaMask pop-up. They built a landing page where users enter their mnemonic phrase directly. It's not particularly convincing.
The phishing website's domain name and IP address are app.importvalidator.org and 18.104.22.168, which belongs to Alibaba Cloud.
Scammers are constantly coming up with new phishing techniques to steal users' funds. Users must stay alert to these techniques to avoid being deceived, and projects must promote security awareness within their communities.
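Both lures seen here, the "captcha bot" direct message with a verification link and the DM from an account impersonating the project's official account, carry signals a moderator can check mechanically. The following is an added example (not code from the original write-up or from any Discord tooling) that triages Discord-style messages for those signals. The official-domain allowlist, the official-account table, the user IDs and the sample messages are constructed for this example; only the two phishing hostnames come from the write-up.

```javascript
// Added example (not code from the original post): triage of Discord-style
// direct messages for the lures described in the write-up. The allowlist,
// official-account table and sample messages are constructed placeholders;
// the two phishing hostnames are the ones named in the write-up.

const OFFICIAL_DOMAINS = new Set(["example-project.org", "metamask.io"]); // placeholder allowlist
const OFFICIAL_ACCOUNTS = new Map([["ProjectName Official", "1000000001"]]); // placeholder name -> user id

const URL_RE = /\bhttps?:\/\/[^\s<>"')\]]+/gi;
const LURE_RE = /\b(verify|verification|captcha|validat\w*|mnemonic|seed phrase|secret recovery phrase|private key)\b/i;

// Naive registrable-domain extraction (assumption: no multi-label public
// suffixes such as co.uk appear in the allowlist).
function registeredDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

function extractLinks(text) {
  return (text.match(URL_RE) || [])
    .map((raw) => { try { return new URL(raw); } catch { return null; } })
    .filter(Boolean);
}

// msg: { id, senderName, senderId, isDm, text }
function triageMessage(msg) {
  const findings = [];
  const links = extractLinks(msg.text);

  // 1. Links that leave the project's official domains.
  for (const link of links) {
    if (!OFFICIAL_DOMAINS.has(registeredDomain(link.hostname))) {
      findings.push(`link to non-official domain: ${link.hostname}`);
    }
  }
  // 2. Verification / seed-phrase wording, the hook used by both lures.
  if (LURE_RE.test(msg.text)) {
    findings.push("verification / seed-phrase lure wording");
  }
  // 3. Display name matches an official account but the user id does not.
  const officialId = OFFICIAL_ACCOUNTS.get(msg.senderName);
  if (officialId !== undefined && officialId !== msg.senderId) {
    findings.push(`sender name matches official account but user id ${msg.senderId} does not`);
  }
  // 4. Unsolicited DMs carrying links, which the write-up advises disabling.
  if (msg.isDm && links.length > 0) {
    findings.push("unsolicited DM carrying links");
  }

  const verdict = findings.length >= 2 ? "likely phishing"
    : findings.length === 1 ? "suspicious" : "no signal";
  return { id: msg.id, verdict, findings };
}

// Constructed sample messages modelled on the two incidents in the write-up.
const SAMPLE_MESSAGES = [
  { id: "m1", senderName: "Captcha Bot", senderId: "2000000002", isDm: true,
    text: "Welcome! Complete verification to unlock the server: https://captcha.fm/verify" },
  { id: "m2", senderName: "ProjectName Official", senderId: "2000000003", isDm: true,
    text: "Wallet validation required. Import your mnemonic at https://app.importvalidator.org/ to keep your funds safe." },
  { id: "m3", senderName: "ProjectName Official", senderId: "1000000001", isDm: false,
    text: "Thanks for joining! Docs live at https://example-project.org/docs" },
];

function triageAll(messages = SAMPLE_MESSAGES) {
  return messages.map(triageMessage);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageAll()) console.log(r.id, r.verdict, r.findings);
}
```

The impersonation check (signal 3) is the one that catches the second incident: a display name is free to choose, the numeric user ID is not, so a moderator's allowlist should be keyed on IDs, not names.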
For users: Turn off private messages in Discord to avoid receiving phishing messages. Improve your security awareness and learn to recognize phishing pages disguised as MetaMask. Do not interact with a web page if you cannot determine whether it is malicious. Never enter your private keys or mnemonic seed phrase anywhere while participating in a Web3 project. Use a hardware wallet wherever possible, since it cannot directly export the mnemonic seed phrase or private keys.
For projects: Teams should always pay attention to user reports, promptly delete malicious accounts from the community Discord server, and educate users about anti-phishing security when they first join the Discord server.