SlowMist: How to Choose an Anti-Phishing Plugin

SlowMist
15 min read · Feb 23, 2023


Background

The idea of Bitcoin was first presented by Satoshi Nakamoto in November 2008, and it was officially launched in January 2009. As the global digital economy gained momentum, the notion of encrypted assets, such as NFTs, began to gain traction. Colored Coin, a token similar to NFTs, was developed in 2012 using small denominations of Bitcoin, with the minimum unit being one satoshi. With the continued advancement of technology, NFTs gained immense popularity in 2021 and gradually became one of the most popular investment trends in the market.

NFTs are currently fetching exorbitant prices, with examples such as “Everydays: The First 5000 Days” by Beeple selling for $69,346,250 on Christie’s official website and a virtual plot of land on the Sandbox virtual gaming platform selling for $4.3 million. As the craze persists, a wave of costly projects is keeping people on edge. However, this steep valuation has also attracted the notice of criminals, resulting in a rise in phishing and theft aimed at NFTs.

The Current State of NFTs

The opening narration of the Netflix documentary “Trust No One: The Hunt for the Crypto King” recounts the tale of the CEO of QuadrigaCX, the biggest cryptocurrency exchange in Canada, who passed away under puzzling circumstances, leaving behind $250 million in customer funds. Many of the concerned investors reject the official explanation, suspecting that the CEO’s alleged demise may have been part of a “Phoenix Scam,” in which he faked his death and ran away with their money.

The QuadrigaCX saga, however, is just one example of the many issues faced by the Web3 community. Theft is almost a routine occurrence in the NFT world that we are discussing today, and there are numerous high-profile cases to illustrate this fact:

On February 21, 2021, a phishing attack of the personal_sign type was perpetrated against an OpenSea user. As a result, 32 users signed a harmful transaction from the attacker, leading to the loss of various NFTs, including BAYC, Azuki, and close to a hundred others, with a value of $4.2 million at the time.

On April 29, 2022, a Bored Ape NFT belonging to Jay Chou was stolen, with a value of 3.2 million RMB.

On May 25, 2022, a Twitter user with the handle @0xLosingMoney reported that a user named @Dvincent_ had stolen 29 Moonbird NFTs, valued at over $700,000, by means of a phishing website named p2peers[.]io.

On June 28, 2022, Nickydooodles.eth, the creator of the Web3 initiative Metabergs, disclosed that his wallet had been hacked through a phishing attempt. The attacker made off with 17 ETH, which was approximately worth $21,077 at the time, as well as all of his NFT collections, including Goblintown NFT, Doodles NFT, Sandbox Land, and many others.

On November 1, 2022, the Discord channel of the KUMALEON initiative was breached, and nearly 111 NFTs belonging to the community were taken, which included BAYC #5313, ENS, ALIENFRENS, Art Blocks, and various other assets.

On December 31, 2021, Kramer, a user of Twitter, claimed that he fell victim to a phishing attack. He clicked on a link that seemed to belong to a legitimate NFT DApp, but in reality, it was a scam. The result was the loss of 16 of his NFTs, consisting of 8 Bored Apes, 7 Mutant Apes, and 1 Clonex, with a total worth of $1.9 million.

On January 15, 2023, the famous blogger @NFT_GOD suffered a severe loss when all of his accounts, cryptocurrencies, and NFTs were stolen. The theft occurred after he clicked on a phishing ad link on Google. The compromised accounts included Substack, Twitter, and various other platforms.

On January 26, 2023, Kevin Rose, the creator of the renowned NFT initiative Moonbirds, suffered a hacking incident that led to the loss of over 40 NFTs, which had a value of over $2 million.

On January 28, 2023, the official Twitter account of the famed NFT venture Azuki was compromised. As a result, its followers were directed to phishing links, which led to the theft of over 122 NFTs, valued at over $780,000.

On February 8, 2023, a victim lost more than $1.2 million in USDC to a long-running NFT phishing scam that was linked to a fraudulent address.

…

In light of the frequency and severity of NFT theft, SlowMist Technologies has published two targeted tracking analyses of NFT phishing groups. On December 24, 2022, SlowMist Technologies released the “Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users” worldwide. An APT group carried out widespread phishing attacks against NFT users within the crypto ecosystem. The addresses involved have been flagged as high-risk phishing addresses by MistTrack, and the APT group managed to obtain 1,055 NFTs, resulting in a profit of almost 300 ETH.

On February 10, 2023, SlowMist Technologies released the “Analysis of Monkey Drainer NFT Phishing Group”, based on MistTrack data. The Monkey Drainer group made roughly $12.97 million through phishing: it obtained 7,059 NFTs and 4,695.91 ETH, which equated to $7.61 million and constituted 58.66% of the stolen funds, plus around $5.362 million in ERC20 tokens, representing 41.34% of the stolen funds. The primary ERC20 tokens involved were USDC, USDT, LINK, ENS, and stETH.

As of January 2023, hundreds of high-profile security breaches have resulted in the loss of almost $200 million worth of NFTs, according to data from SlowMist’s blockchain hacking event database (hacked.slowmist.io) and Elliptic.


SlowMist’s findings indicate that in 2022, NFT theft incidents were primarily centered around the Ethereum network and social media channels. Attackers employed a variety of techniques, including counterfeit domains, fake domain names that resembled project parties, malicious trojans, and phishing attacks through false links distributed via Discord intrusions. The average loss per phishing attack was around $100,000. It appears that hackers are the only ones benefiting, irrespective of whether the market is bullish or bearish.

Given the hostile environment of phishing and fraud, in which both regular users and project creators are frequent targets, what measures can NFT users take to protect themselves? Are users merely regarded as defenseless prey in these scenarios?

Absolutely not! We have been promoting a blend of human prevention and technical prevention measures, encompassing personal security awareness defense and technical defense tactics. Personal security awareness defense pertains to an individual’s security consciousness. We suggest that cryptocurrency users take a cue from the Blockchain Dark Forest Self-Defense Manual.

Given that humans are intricate, advanced beings, we will not delve into personal security awareness defense in-depth today. Instead, we strongly encourage everyone to carefully peruse the Blockchain Dark Forest Self-Defense Manual.

What do technical defense measures entail? In essence, it involves utilizing security measures such as software, hardware, and browser plug-ins to safeguard assets. Within the NFT user community, the most frequently used operational technique is browser interaction, accounting for 90%, and it is also the most susceptible environment. Currently, numerous anti-phishing browser plug-ins are available on the market. In the following section, we will scrutinize and contrast these plug-ins, with the hope of offering some security guidance to NFT users.

Security Plugin Comparison

Disclaimer: The ensuing evaluation of various browser security plug-ins is solely grounded on fundamental information, live phishing detection for NFTs, and basic operational comparisons. SlowMist is simply an impartial third party and does not accept any liability or legal responsibility.

Let us now compare multiple well-known anti-phishing browser plug-ins from various perspectives and examine their respective features:

1. Basic information, covering parameters such as open-source availability, download counts, supported networks, and primary descriptions (the comparison table is an image in the original post):

2. Real-time testing of NFT phishing websites and blacklists:

We looked for the most prevalent characteristics of North Korean APT NFT phishing and Monkey Drainer NFT phishing, conducted real-time feature scans, and detected the newest phishing websites of these groups, which were discovered roughly three hours apart. Let’s examine the responses provided by each anti-phishing plug-in:

The latest malicious NFT phishing website: https://blur.do (discovered on February 19, 2020, at 17:32:12 Beijing time)

The testing content is presented below:

1) PeckShieldAlert (Aegis)

Outcome: No alerts. The phishing website opens without issue.

2) Pocket Universe

Outcome: No alerts. The phishing website opens without issue.

3) Revoke.cash

Outcome: No alerts. The phishing website opens without issue.

4) Fire

Outcome: No alerts. The phishing website opens without issue.

5) Scam Sniffer

Outcome: The phishing website was identified, and access to the site was blocked with a warning.

6) Wallet Guard

Outcome: No alerts. The phishing website opens without issue.

7) MetaDock

Outcome: No alerts. The phishing website opens without issue.

8) Metashield

Outcome: No alerts. The phishing website opens without issue.

9) Stelo

Outcome: No alerts. The phishing website opens without issue.

To verify the real-time nature and authenticity of NFT phishing sites, the findings from nine installed plug-ins with a 3-hour time discrepancy are displayed below. (Please note that Wallet Guard has already been featured in the installed plug-ins.)

The aforementioned outcomes are actual and current NFT phishing site findings, taken around three hours apart.

3. Basic Content Operation Layer Test

1) PeckShieldAlert (Aegis)

Upon installation, users must manually enter a Token Contract to initiate detection. This approach fails to satisfy NFT users’ pressing need for immediate identification of phishing sites. It is closer to an online malicious-contract scanning plug-in.

personal_sign blind sign test: No prompt.

2) Pocket Universe

Once installed, the plug-in commences detection only when the user initiates a transaction. As a result, it is unable to instantly notify users when they initially access an NFT phishing website. Let’s move on to the second step:

personal_sign blind sign test: The plug-in warns users when a high-risk address is identified based on the chain address and advises against signing, which is commendable and aligns with security plug-in expectations.

3) Revoke.cash

In the first step, the NFT phishing website remains unmarked. However, in the second step, when the user visits the phishing website, the risky address is identified based on the chain address, and a warning is issued against signing. This corresponds with security plug-in expectations.

4) Fire

In the first step, the NFT phishing website is not labeled. In the second step, when the user accesses the phishing website, the high-risk address is not identified based on the chain address, and there is no warning concerning signing risk. Nonetheless, Fire can present the legibility of the signature pre-execution content, which is quite beneficial.

personal_sign blind sign test: No prompt.

5) Scam Sniffer

Upon installation, when users access an NFT phishing website, they are instantly alerted with a warning, and entry to the site is prohibited. This conforms to security plug-in standards.

personal_sign blind sign test: Alerted with a warning.

6) Wallet Guard

Once installed, the plug-in initiates detection only when the user triggers a transaction. Consequently, it is unable to promptly alert the user when they first open an NFT phishing website. Let’s proceed to the second step:

personal_sign blind sign test: The plug-in prompts the user that the phishing website is marked (identified through the Scam Sniffer malicious address library that Wallet Guard uses), warns them of the risks, and advises against signing. This is still commendable and consistent with security plug-in standards.

7) MetaDock

Once installed, the plug-in fails to provide any prompts or warnings about the risk when users connect to a phishing website. It appears to function more as a plug-in that necessitates active submission of a scan, rather than an anti-phishing plug-in, which doesn’t satisfy security plug-in standards. It’s probable that MetaDock is not an anti-phishing plug-in, and users who are interested can verify this with the project team.

personal_sign blind sign test: No prompt.

8) Metashield

Like “MetaDock” and “PeckShieldAlert”, this plugin provides no immediate prompt or warning when users connect to a phishing website and are tricked into signing. Instead, users need to actively submit a scan for the plugin to detect any potential risks. This approach does not meet the expectations of a security plugin.

personal_sign blind sign test: No prompt.

9) Stelo

Once installed, the plugin fails to provide any warnings or prompts to the user when they connect to a phishing website and are tricked into signing.

personal_sign blind sign test: The plugin’s prompt rates the malicious request as low risk, which doesn’t meet the expectations of a security plugin.

And that concludes our comparison.

Comparison Results

The comparison results are presented in the following image:

After conducting the comparison, it was found that most of the security plugins did not perform well in the first step of the recognition process, which involves recognizing the phishing website when the user first opens it. Only Scam Sniffer managed to recognize the latest NFT phishing website with a time difference of 3 hours. However, in the second step, when the user connects to the phishing website and performs dangerous operations such as eth_sign and personal_sign, Pocket Universe, Revoke.cash, and Wallet Guard provide security risk alerts.

However, this is only a basic comparison, and there may be further refinements and updates in the future.

The accompanying image includes the list of tested security plugins and their respective version numbers.

We want to extend our appreciation to Wu Shuo Blockchain for initiating this comparison, and to the outstanding project teams of the security plugins that underwent testing. Although their product positioning and comparison results may vary, there is always room for improvement, and their efforts have undoubtedly elevated the standards of blockchain security.

The recommended combinations are presented for reference purposes only and should not be considered as advice. These combinations may potentially offer improved security for users based on the current comparison results:

  1. Rabby wallet + Scam Sniffer
  2. Rabby wallet + Pocket Universe
  3. MetaMask + Pocket Universe
  4. MetaMask + Revoke.cash

After Thoughts

In the blockchain industry, the main phishing risks for individual users relate to domain names and signatures. Approximately 90% of NFT phishing scams involve fraudulent domain names, so it is crucial for users to check the risk level of the target address before engaging in any on-chain transaction. If a browser security plugin or wallet can alert the user immediately on encountering a phishing page, the risk is blocked at the very first step, before any further harm can occur. This is comparable to the Web 2.0 era, when an antivirus product such as 360 could protect inexperienced users from common viruses but could not solve every malware problem, such as removal and evasion. The effectiveness of antivirus software is determined by how far it can shorten the detection time gap, increase its sample coverage, and improve its accuracy. The recommended combinations above are for reference only and should not be construed as advice.

The ability of an anti-phishing security plugin to quickly identify and alert users of the real-time situation of phishing sites at the very first step, as well as to provide fast feedback and identification of phishing websites, will determine its effectiveness in the blockchain and NFT industries. Failure to recognize these phishing domains due to time lag significantly increases the risk of users losing their assets.

Moving on to the second step, when the user interacts with the authorization link and signature process, the browser security plugin or wallet with phishing signature recognition should be able to identify and display the detailed information that the user is authorizing, such as the authorized cryptocurrency, amount, recipient, and other user-readable data. For example, Rabby Wallet can prompt the user of the risk to a certain extent and help avoid the situation of financial losses.

To enhance the security of wallet projects, project teams should start by conducting a comprehensive security audit, with a focus on improving the security of user interactions, strengthening the “What you see is what you sign” mechanism, and reducing the risk of phishing attacks for users.

Here are some examples of measures that project teams can take to enhance security:

  • Phishing Website Warning: One measure that can be taken is implementing a phishing website warning system that leverages the power of the blockchain community to identify and collect all types of phishing websites. This way, users can be provided with prominent reminders and alerts whenever they interact with these sites to reduce the risk of falling victim to phishing attacks.
  • Signature Identification and Alerts: It is important to implement signature identification and alerts for requests such as eth_sign, personal_sign, and signTypedData to notify users and draw their attention to the risks of blind signing with eth_sign.
  • What You See Is What You Sign: To avoid phishing approvals, it is important to perform a detailed analysis of contract calls in wallets and provide users with specific details of DApp transaction construction.
  • Pre-execution Mechanism: A pre-execution mechanism is useful in helping users understand the potential effects of a transaction before it is broadcast and executed. This allows users to make informed decisions and judgments about whether or not to proceed with the transaction, thereby enhancing their overall security.
  • Fraud Alerts for Identical Ending Digits: A mechanism can be set up to display addresses with an alert, reminding users to check the complete target address to avoid fraud problems with identical ending digits. Additionally, a whitelist address mechanism can be implemented for users to add commonly used addresses to the whitelist, which can prevent similar attacks with identical ending digits.
  • AML Compliance: Using AML mechanisms, users can be reminded whether the target address will trigger AML rules when making transfers.
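The two steps described in the After Thoughts (phishing-domain recognition on first contact, then readable signature and approval details) and several of the measures listed above (eth_sign blind-signing alerts, What You See Is What You Sign for approvals, identical-ending-digits warnings with a whitelist) can be combined in one wallet-side request guard. The following is an added example and not code from SlowMist or from any plugin reviewed on this page; the blocklist, whitelist, function selectors and sample inputs are constructed for illustration.

```javascript
// Added example, not code from SlowMist or from any plugin reviewed above: a
// wallet-side guard that applies the two steps described in the text to one
// incoming JSON-RPC request. Blocklist, whitelist, selectors and sample
// inputs are constructed here for illustration.

const PHISHING_DOMAINS = new Set(["blur.do"]); // constructed blocklist (step 1)
const TRUSTED = new Set(["0x1111111111111111111111111111111111111111"]); // user whitelist
const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors (first 4 bytes of keccak-256 of the function signature)
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address spender, uint256 amount)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
  "0xa9059cbb": "transfer",          // transfer(address to, uint256 amount)
};

// i-th 32-byte ABI word after the selector, and its low 20 bytes as an address
const word = (data, i) => data.slice(10 + 64 * i, 10 + 64 * (i + 1));
const asAddress = (w) => "0x" + w.slice(24).toLowerCase();
const hexToUtf8 = (h) =>
  new TextDecoder().decode(Uint8Array.from(h.replace(/^0x/, "").match(/../g) || [], (b) => parseInt(b, 16)));

// "Identical ending digits" check: an address that shares its last 4 hex
// characters with a whitelisted address, but is not that address, is suspicious.
function lookalike(addr) {
  const a = addr.toLowerCase();
  for (const t of TRUSTED) if (t !== a && t.slice(-4) === a.slice(-4)) return t;
  return null;
}

// Returns { level: "block" | "warn" | "ok", reasons: [...] } for one request
function assessRequest({ origin, method, params }) {
  const host = new URL(origin).hostname;
  if (PHISHING_DOMAINS.has(host)) {          // step 1: known phishing domain
    return { level: "block", reasons: [`origin ${host} is a known phishing domain`] };
  }
  const reasons = [];                        // step 2: what is actually being signed
  if (method === "eth_sign") {
    reasons.push("eth_sign signs an opaque hash (blind signing); it can authorize anything");
  } else if (method === "personal_sign") {
    reasons.push(`personal_sign message: ${JSON.stringify(hexToUtf8(params[0]))}`);
  } else if (method === "eth_signTypedData_v4") {
    const typed = JSON.parse(params[1]);
    reasons.push(`typed data "${typed.primaryType}" for contract ${typed.domain.verifyingContract}`);
  } else if (method === "eth_sendTransaction") {
    const tx = params[0];
    const data = tx.data || "0x";
    const fn = SELECTORS[data.slice(0, 10)];
    if (fn === "setApprovalForAll" && BigInt("0x" + word(data, 1)) === 1n) {
      reasons.push(`grants operator ${asAddress(word(data, 0))} control of ALL NFTs in ${tx.to}`);
    } else if (fn === "approve" && BigInt("0x" + word(data, 1)) === MAX_UINT256) {
      reasons.push(`unlimited token approval to spender ${asAddress(word(data, 0))}`);
    }
    // Recipient of a transfer (or the address being called) checked against the whitelist
    const target = fn === "transfer" ? asAddress(word(data, 0)) : tx.to;
    const twin = target ? lookalike(target) : null;
    if (twin) reasons.push(`${target} ends like trusted ${twin} but differs: possible address poisoning`);
  }
  return { level: reasons.length ? "warn" : "ok", reasons };
}
```

A real plugin would feed the blocklist from a continuously updated source such as the community-collected lists discussed above, since the test in this post shows that list freshness is what separates a warning from a silent page load.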

SlowMist, a prominent blockchain security company, has been deeply involved in security audits for many years. Security audits not only give users peace of mind but also serve as one of the means of reducing the occurrence of attacks. Moreover, different institutions find it difficult to identify and link money laundering groups across organizations, which presents a significant challenge to anti-money laundering efforts. For project teams, blocking and preventing the transfer of funds to malicious addresses in a timely manner is also crucial. The MistTrack anti-money laundering tracking system has accumulated over 200 million address labels and can identify the wallet addresses of major global trading platforms, covering over 1,000 address entities, more than 100,000 threat intelligence entries, and over 90 million risk addresses. Interested parties can contact SlowMist to access the API. In conclusion, SlowMist hopes that all parties will collaborate to make the blockchain ecosystem more secure.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has since become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
