Web3 Phishing Alert: New Trend of Trap Phishing

Scammers employ increasingly sophisticated social engineering techniques to deceive potential victims, distributing malware through reputable platforms like cryptocurrency exchanges.

Computer user in the trap
CertiK highlights an example of scammers exploiting the OpenSea NFT marketplace to promote malicious links.

Cybersecurity firm CertiK warns the cryptocurrency community about a rising trend in Web3 phishing. This tactic involves setting "traps" for victims on platforms widely considered trustworthy to compromise users' assets by directly acquiring private keys or mnemonic phrases.

This newly identified form of phishing strategically deploys traps on influential platforms such as cryptocurrency exchanges and NFT marketplaces. The phishing content usually involves deceptive Web3 project job ads, enticing airdrops, and fabricated NFT sales, leading users to phishing sites and compromising their credentials.


While the Web3 trap phishing approach bears a resemblance to traditional scamming strategies, the level of social engineering aimed at building trust in potential victims is even greater.

According to CertiK, in the traditional method, criminals often entice users to download a malicious program by falsely advertising it as a useful application. For instance, they may pose as a game development team promoting a game client, all while concealing the fact that the promoted link contains an executable file. This type of scam is commonly distributed through popular social networks, including X, Telegram, Discord, and others.

Malware overview
Source: CertiK

Fraudsters not only post malicious links on their official websites but also distribute additional materials containing these URLs. For example, as described by CertiK, one of the phishing teams "has gone to the extent of posting false job recruitment information." Blockchain security experts emphasize that "even in the job descriptions, they continue attempting to lure users into visiting the phishing site and downloading malicious programs."

Web3 trap phishing employs a more deliberate method to make the distribution of its malicious links appear even more natural. While this strategy may reach a smaller group of potential victims, it makes the scam less suspicious to many crypto users. In this phishing scam, trustworthy platforms like cryptocurrency exchanges and NFT marketplaces become the means for distributing malicious links.

As an example, CertiK describes the issuance of an entire NFT collection called "Astration" by the same scammers who disguised their malware as a game client.

"Taking OpenSea as an example, searching for the NFT keyword 'Astration' on OpenSea yields the corresponding NFT collection," CertiK explains, adding that "In this collection, the provided official website address redirects users to a phishing site," which contains the same fake game client.


CertiK has analyzed the malware code and identified several functions responsible for stealing wallet credentials. One of these functions "employs osascript [a command-line utility] to generate deceptive pop-up windows to trick users into disclosing their passwords," while others are capable of "traversing and reading the contents of all files based on different directories where browsers and wallet apps store data."

Additionally, there is a function dedicated to transmitting the stolen data back to the server.
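The password-prompt behaviour described above leaves a recognisable trace in process telemetry: a legitimate application rarely needs to spawn osascript with a `display dialog ... with hidden answer` command, which is the AppleScript idiom for a masked text field. The following detection logic is an added example, not code from CertiK or from the article; the log format (`<timestamp> <parent process> -> <command line>`), the sample lines and the process name "FakeGameClient" are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-execution log lines (not real telemetry).
# Assumed format: "<timestamp> <parent process> -> <command line>".
SAMPLE_LOG = """\
2024-01-10T09:12:01Z Terminal -> osascript -e 'tell application "Finder" to get name of startup disk'
2024-01-10T09:12:44Z FakeGameClient -> osascript -e 'display dialog "macOS wants to make changes. Enter your password:" default answer "" with hidden answer with icon caution'
2024-01-10T09:13:02Z Script Editor -> osascript -e 'display notification "Build finished"'
2024-01-10T09:14:30Z Terminal -> osascript -e 'display dialog "Deploy to staging?" buttons {"No", "Yes"}'
2024-01-10T09:15:11Z launchd -> /usr/bin/python3 /Users/alice/backup.py
2024-01-10T09:16:27Z FakeGameClient -> osascript -e 'display dialog "Keychain needs your login password" default answer "" with hidden answer'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<parent>.+?)\s+->\s+(?P<cmd>.+)$")
# Words that suggest the dialog is fishing for a credential or a wallet secret.
PASSWORD_WORDS = re.compile(r"password|passphrase|keychain|seed phrase|mnemonic", re.IGNORECASE)


@dataclass
class ProcessEvent:
    ts: str
    parent: str
    cmd: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one log line in the assumed format; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(m["ts"], m["parent"], m["cmd"])


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity for osascript dialog spawns, or None if the event is uninteresting."""
    cmd = ev.cmd
    if "osascript" not in cmd or "display dialog" not in cmd:
        return None
    # 'with hidden answer' masks the typed text: the AppleScript way to build a
    # password prompt, which is what the deceptive pop-ups rely on.
    if "hidden answer" in cmd:
        return "high"
    if PASSWORD_WORDS.search(cmd):
        return "medium"
    # Plain dialogs are common in benign automation; record them at low severity.
    return "low"


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Scan a log blob and return (severity, parent process, command line) for each hit."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sev = classify(ev)
        if sev is not None:
            hits.append((sev, ev.parent, ev.cmd))
    return hits


if __name__ == "__main__":
    for sev, parent, cmd in scan(SAMPLE_LOG):
        print(f"[{sev.upper()}] parent={parent!r} cmd={cmd}")
```

On the sample above, the two prompts spawned by the fake client are flagged as high severity, the deployment confirmation from Terminal is reported as low, and the remaining osascript invocations are ignored. In a real deployment the parent-process field is the most useful pivot: a hidden-answer dialog spawned by a freshly downloaded, unsigned binary is far more suspicious than the same dialog from an IT management tool.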

CertiK emphasizes that the proliferation of increasingly sophisticated phishing techniques should be taken seriously by reputable Web3 platforms. These platforms "must fortify their systems through enhanced product background checks and more comprehensive risk warnings during product listings."

Meanwhile, the team behind one of the leading cryptocurrency data aggregators, CoinGecko, fell prey to scammers spreading malware through fake Calendly links.

"Despite having 2FA enabled and implementing robust security measures, one of our team members clicked on a fraudulent Calendly link by accident, granting unauthorized app access to a hacker who then posted on our behalf," CoinGecko posted today. Fortunately, according to the team, both of its accounts, CoinGecko and GeckoTerminal, have been successfully secured.

Another cybersecurity team, SlowMist, warned the Web3 community about the emergence of phishing attacks utilizing Calendly last November.