The SlowMist Security Team has recently received numerous reports of theft. Upon analyzing these incidents, we discovered that many thefts were caused by phishing comments posted under tweets from well-known project accounts!
Following this discovery, we conducted a targeted analysis and found that roughly 80% of the comments under tweets from well-known projects come from phishing accounts. Given how heavily automated these phishing groups are, and how low phishing awareness generally is in the crypto community, this article dissects how they operate in the comment sections of well-known projects.
1. Scammers can simply purchase Twitter accounts. We observed numerous Telegram groups selling Twitter accounts. The accounts on offer vary in follower count, number of posts and registration date, so buyers can pick whatever suits their needs. Reviewing the groups' message histories, we found that most accounts sold are cryptocurrency-related or belong to influencers.
In addition to the Telegram groups, there are dedicated websites for this purpose. They offer Twitter accounts registered in various years and will source accounts with specific lookalike usernames on request, for instance a fake account "Optimlzm" mimicking the real "Optimism" account. Many of these websites also accept cryptocurrency as payment.
2. After acquiring an existing account, phishing groups use promotional tools to buy followers and interactions, increasing the account’s credibility. These tools, also supporting cryptocurrency payments, offer services like likes, shares, and follower boosts for major international social platforms. Buyers simply input the link they want to promote and the desired quantity.
According to the data on one such platform, it has processed over 1.3 million orders, with 20,000 people having used their services.
3. With these tools, the phishing group has the resources it needs to launch the scam. It then copies the legitimate project's profile details into the purchased account so that the two are hard to tell apart. The next steps are crucial to the operation:
- Automated bots follow the activities of well-known projects.
- Once the project posts a tweet, the phishing group’s bot automatically comments first to ensure top placement and high visibility.
- Because the post being viewed is from the legitimate project, and the disguised account closely resembles the project's account, users lower their guard. They click phishing links (for example an "airdrop" offered by the fake account) and then authorize or sign malicious transactions, which leads to losses.
On January 12th, the official Optimism Twitter account posted a tweet. The first comment under it, which had high interaction, came from the phishing group and contained what appeared to be a link to the "official website"; the link was in fact a phishing link, as shown in the image below. The same day, our CISO @IM_23pds issued a warning on Twitter urging users to be cautious of phishing accounts in project comment sections.
The phishing groups exploit Twitter's name-changing mechanism. Users can change their display name at will; this does not alter the account's unique identifier, the username (handle), which is shown with a leading "@". The fake accounts set their display name to match the official account, so both read "Optimism", and only a careful look at the handle reveals the difference: the fake account replaced the "is" in the official username with "lz", giving "Optimlzm", a lookalike-handle technique that is common in the industry.
We then used our on-chain tracking tool MistTrack to investigate the address 0xd02c75102ed941b26e318c0896c5b5aeb4ddc965, which is linked to the individual selling Twitter accounts on Telegram. The addresses that transferred funds to it are already labeled by MistTrack as associated with malicious activity such as phishing and theft, and expanding those addresses in MistTrack surfaced even more malicious addresses, showing the scale of these operations.
1. Optimization of Anti-Phishing Plugins
In the blockchain industry, approximately 90% of NFT phishing incidents involve fake domain names, so real-time alerting on phishing domains is crucial. If a user opens a phishing page, the browser or a plugin can flag the risk immediately, before any deceptive signature request is presented, stopping the attack at its first step.
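The handle substitution described earlier (display name "Optimism" on both accounts, handle "Optimlzm" against "Optimism") and the fake-domain alerting described here come down to the same check: fold visually confusable characters, then compare the identifier against a list of known-good ones. The following Python is an added example, not SlowMist's tooling or any browser plugin's code. The homoglyph table, the official handle and domain lists, and the sample comment authors and hostnames are constructed for illustration; a real plugin would use a fuller confusables table and a maintained allow-list.

```python
# Added example: lookalike detection for X/Twitter handles and web domains.
# The homoglyph table, allow-lists and sample inputs below are constructed
# for illustration; they are not SlowMist's data or any plugin's code.

# Multi-character confusables are folded before single characters so that
# "rn" becomes "m" before either letter could be touched by a single-char rule.
_MULTI = [("rn", "m"), ("vv", "w")]
# Single-character confusables, plus separators attackers insert or append.
_SINGLE = str.maketrans({
    "l": "i", "1": "i", "|": "i",
    "0": "o", "5": "s", "3": "e", "8": "b",
    "_": "", "-": "", ".": "",
})


def normalize(s: str) -> str:
    """Lower-case, strip a leading '@', then fold confusables so lookalikes collide."""
    s = s.strip().lstrip("@").lower()
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    return s.translate(_SINGLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; identifiers are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _same(a: str, b: str) -> bool:
    return a.strip().lstrip("@").lower() == b.strip().lstrip("@").lower()


def is_lookalike(candidate: str, official: str, max_distance: int = 1) -> bool:
    """True when candidate is not the official identifier but folds to (almost) it."""
    if _same(candidate, official):
        return False
    return levenshtein(normalize(candidate), normalize(official)) <= max_distance


def check_handle(display_name: str, handle: str, official_display: str, official_handle: str) -> str:
    """Classify a comment author against one official account.

    The display name is free text, so a matching display name on a different
    handle is itself a red flag; a lookalike handle is another.
    """
    if _same(handle, official_handle):
        return "official"
    same_name = normalize(display_name) == normalize(official_display)
    if same_name or is_lookalike(handle, official_handle):
        return "impersonation"
    return "unrelated"


def check_domain(host: str, official_hosts) -> str:
    """Classify a hostname against the project's official domains."""
    h = host.strip().lower().rstrip(".")
    for o in official_hosts:
        o = o.lower()
        if h == o or h.endswith("." + o):
            return "official"          # the domain itself or a subdomain of it
    nh = normalize(h)
    for o in official_hosts:
        if levenshtein(nh, normalize(o)) <= 1:
            return "lookalike"         # e.g. optimlsm.io
        # Brand name used as a label inside an unrelated domain
        # (general phishing pattern, e.g. optimism.io.claim-rewards.example).
        if normalize(o.split(".")[0]) in nh:
            return "brand_abuse"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: the case from this article and two domain variants.
    print(check_handle("Optimism", "@Optimlzm", "Optimism", "@Optimism"))
    print(check_domain("optimlsm.io", ["optimism.io"]))
    print(check_domain("optimism.io.claim-rewards.example", ["optimism.io"]))
```

The display-name check is deliberately strict: on X a display name carries no uniqueness guarantee, so any comment author whose display name folds to the project's name but whose handle is not the official one should be flagged regardless of how close the handle is.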
2. Wallet Signature Verification and Interaction Safety Features
If a wallet can detect deceptive signature requests and accurately display what the user is about to sign (the authorization being granted, the amount and the recipient, in human-readable form), the user gets a clear view of the authorization details. This is the final barrier that keeps users out of the trap.
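As an added example of what such a signature preview has to do (this is not code from SlowMist or from any wallet): decode the raw calldata behind a signing prompt into named fields and attach the warnings a user should see before confirming. The three selectors are the standard ERC-20/ERC-721 ones; the sample transactions, the spender addresses and the trusted-spender list are constructed for illustration, and amounts are reported in base units because converting to token units needs the token's decimals, which this example does not look up.

```python
# Added example: turn the calldata behind a signing prompt into the fields a
# user needs to see, plus warnings. Sample addresses and transactions are
# constructed; they are not from the article or from any wallet's code.

MAX_UINT256 = (1 << 256) - 1

# selector -> (function name, parameter names, parameter types)
# A selector is the first 4 bytes of keccak256 of the signature, e.g. approve(address,uint256).
SELECTORS = {
    "095ea7b3": ("approve", ("spender", "amount"), ("address", "uint256")),
    "a9059cbb": ("transfer", ("to", "amount"), ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("operator", "approved"), ("address", "bool")),
}


def _decode_word(kind: str, word: bytes):
    """Decode one 32-byte ABI word of a static type."""
    if kind == "address":
        return "0x" + word[12:].hex()  # addresses are right-aligned in the word
    if kind == "uint256":
        return int.from_bytes(word, "big")
    if kind == "bool":
        return int.from_bytes(word, "big") != 0
    raise ValueError(f"unsupported type {kind}")


def decode_calldata(calldata: str) -> dict:
    """Split calldata into a function name and named arguments, or mark it unknown."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": "0x" + selector, "args": {}}
    name, names, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match the expected static arguments")
    args = {n: _decode_word(t, body[i * 32:(i + 1) * 32])
            for i, (n, t) in enumerate(zip(names, types))}
    return {"function": name, "selector": "0x" + selector, "args": args}


def explain_signing_request(token_contract: str, calldata: str, trusted_spenders=frozenset()) -> dict:
    """Return the decoded call, a one-line summary and the warnings a wallet should surface."""
    decoded = decode_calldata(calldata)
    fn, args = decoded["function"], decoded["args"]
    trusted = {s.lower() for s in trusted_spenders}
    warnings = []
    if fn == "approve":
        unlimited = args["amount"] == MAX_UINT256
        summary = f"allow {args['spender']} to spend {'UNLIMITED' if unlimited else args['amount']} base units of {token_contract}"
        if unlimited:
            warnings.append("unlimited allowance: the spender can move every token you hold, now and later")
        if args["spender"].lower() not in trusted:
            warnings.append(f"spender {args['spender']} is not a known contract")
    elif fn == "setApprovalForAll":
        verb = "grant" if args["approved"] else "revoke"
        summary = f"{verb} {args['operator']} control over ALL tokens of {token_contract}"
        if args["approved"]:
            warnings.append("grants the operator control over every token of this collection")
            if args["operator"].lower() not in trusted:
                warnings.append(f"operator {args['operator']} is not a known contract")
    elif fn == "transfer":
        summary = f"send {args['amount']} base units of {token_contract} to {args['to']}"
    else:
        summary = f"unrecognised call to {token_contract}"
        warnings.append("unrecognised function selector; the wallet cannot show what this does")
    decoded.update(contract=token_contract, summary=summary, warnings=warnings)
    return decoded


def encode_call(selector: str, *words: bytes) -> str:
    """Build calldata for the samples: static ABI arguments are just left-padded 32-byte words."""
    return "0x" + selector + "".join(w.rjust(32, b"\x00").hex() for w in words)


# Constructed samples: the two approvals a phishing page typically asks for.
PHISHING_SPENDER = bytes.fromhex("11" * 20)
SAMPLE_APPROVE = encode_call("095ea7b3", PHISHING_SPENDER, MAX_UINT256.to_bytes(32, "big"))
SAMPLE_SET_ALL = encode_call("a22cb465", PHISHING_SPENDER, b"\x01")

if __name__ == "__main__":
    result = explain_signing_request("0x" + "ab" * 20, SAMPLE_APPROVE)
    print(result["summary"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

The point of the "unknown selector" branch is that a wallet which cannot decode a call should say so loudly rather than fall back to showing raw hex, since raw hex is exactly what a phishing page relies on the user waving through.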
3. Develop Personal Security Awareness
All products, articles and alerts are only aids; building your own security awareness is key. Always double-check before clicking a link, granting an authorization or signing, to avoid losing coins or being deceived.
This article delves into the tactics of phishing groups, particularly focusing on their activities within the comment sections of popular Twitter accounts. It’s designed to equip users with the knowledge to identify such deceptive practices, enhance their awareness, and safeguard their assets against potential theft.
For an in-depth understanding of security in the blockchain space, we highly recommend exploring the SlowMist’s comprehensive guide, “Blockchain Dark Forest Self-Guard Manual.” This valuable resource provides extensive insights and strategies for navigating the complex landscape of blockchain security. It’s accessible here:
GitHub: slowmist/Blockchain-dark-forest-selfguard-handbook (Blockchain dark forest selfguard handbook. Master these, master the security of your cryptocurrency.)
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (anti-money laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.