New Phishing Risks: Scam-as-a-Service Model Leads to $55 Million Losses

Revealing the Industrialization of Phishing Attacks in the Crypto World

Since June 2024, the security team has detected a large number of similar phishing and fund-draining transactions. In June alone, the amount involved exceeded 55 million USD, and phishing activity became even more frequent in August and September. Over the third quarter of 2024 as a whole, phishing was the attack method that caused the greatest economic loss, with over 243 million USD obtained in 65 attacks. Analysis shows that the recent wave of phishing attacks is likely related to a notorious phishing tool team. This team announced its "retirement" at the end of 2023, but it now appears to be active again, carrying out a series of large-scale attacks.

This article will analyze the typical methods used by some phishing attack groups and detail their behavioral characteristics. It is hoped that through this analysis, users will be able to improve their ability to identify and prevent phishing fraud.

Scam-as-a-Service

In the crypto world, some phishing teams have invented a new malicious model called "Scam-as-a-Service". This model packages scam tools and services and offers them to other criminals as a commodity. Between November 2022 and November 2023, when they first announced the shutdown of the service, the amount scammed exceeded $80 million.

These service providers help buyers launch attacks quickly by offering ready-made phishing tools and infrastructure, including front-end and back-end phishing websites, smart contracts, and social media accounts. Phishers who purchase the service keep most of the ill-gotten gains, while the service providers charge a commission of 10%-20%. This model significantly lowers the technical barrier for scams, making cybercrime more efficient and scalable, and has resulted in a surge of phishing attacks within the crypto industry, particularly against users who lack security awareness.

How Scam-as-a-Service Works

A typical decentralized application (DApp) consists of a front-end interface and smart contracts on the blockchain. Users connect their blockchain wallet to the DApp's front end, which generates the corresponding blockchain transaction and sends it to the user's wallet. The user then signs and approves the transaction in the wallet. Once signed, the transaction is sent to the blockchain network, where it invokes the corresponding smart contract to execute the required function.

Phishing attackers cleverly induce users to perform unsafe operations by designing malicious front-end interfaces and smart contracts. Attackers often guide users to click on malicious links or buttons, deceiving them into approving some hidden malicious transactions, and in some cases, directly tricking users into revealing their private keys. Once users sign these malicious transactions or expose their private keys, attackers can easily transfer the users' assets to their own accounts.

Common methods include:

  1. Counterfeiting well-known project frontends: Attackers create seemingly legitimate frontend interfaces by meticulously mimicking the official websites of well-known projects, leading users to mistakenly believe they are interacting with a trusted project.

  2. Token airdrop scams: They heavily promote phishing websites on social media, claiming to have "free airdrops", "early presales", "free NFT minting" and other highly attractive opportunities to lure victims into clicking the links.

  3. False hacking incidents and reward scams: Cybercriminals claim that a well-known project has been attacked by hackers or that assets are frozen, and are now distributing compensation or rewards to users.

The scam-as-a-service model is, to a large extent, the biggest driving force behind the escalation of phishing scams over the past two years. These service providers have removed the technical barriers to phishing: they create and host phishing websites for buyers who lack the necessary skills, and take a cut of the scam's profits.

Scam-as-a-Service: How Proceeds Are Split with Buyers

On May 21, 2024, a phishing tool provider publicly released a signature verification message on Etherscan, announcing their return and creating a new Discord channel.

By analyzing the transactions of a phishing address with abnormal behavior, we discovered the following distribution pattern:

  1. The service provider creates a contract using CREATE2. CREATE2 is an instruction in the Ethereum Virtual Machine used to create smart contracts, allowing the address of the contract to be calculated in advance based on the smart contract bytecode and a fixed salt.

  2. The created contract is called to approve the victim's tokens to the phishing address (the service buyer) and the loot address. The attacker uses various phishing methods to lead the victim into inadvertently signing a malicious Permit2 message.

  3. The corresponding amounts of tokens are transferred to the two profit-sharing addresses and the buyer's address, completing the profit split.

It is worth noting that creating a contract first and distributing the loot afterwards can, to some extent, bypass certain wallet anti-phishing features, further lowering the victim's vigilance. In one specific case, the buyer of the phishing service took 82.5% of the loot, while the service provider kept 17.5%.
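
The Permit2 signing step in the pattern above is the point at which a wallet or browser extension can still intervene. As an added example (not code from the original article or from any wallet project), the JavaScript below inspects an EIP-712 signing request and flags Permit2 grants to a non-allowlisted spender, for an unlimited amount, or with a long validity; the policy object, addresses and thresholds are constructed assumptions.

```javascript
// Added example: field names follow Permit2's EIP-712 messages (PermitSingle,
// PermitBatch, PermitTransferFrom). Policy values and addresses are constructed.
const MAX_UINT160 = (1n << 160n) - 1n;
const PERMIT_TYPES = new Set([
  "PermitSingle", "PermitBatch", "PermitTransferFrom", "PermitBatchTransferFrom",
]);

function inspectSignRequest(typedData, policy) {
  const { domain = {}, primaryType, message = {} } = typedData;
  if (domain.name !== "Permit2" || !PERMIT_TYPES.has(primaryType)) {
    return { isPermit2: false, findings: [] };
  }
  const findings = [];
  const spender = String(message.spender || "").toLowerCase();
  if (!policy.trustedSpenders.has(spender)) findings.push("spender-not-allowlisted");

  // Allowance messages carry `details`, transfer messages carry `permitted`;
  // either may be a single object or an array (batch variants).
  const grants = [].concat(message.details || message.permitted || []);
  for (const g of grants) {
    const token = String(g.token).toLowerCase();
    if (BigInt(g.amount) >= MAX_UINT160) findings.push(`unlimited-amount:${token}`);
    // Allowance grants expire per token; transfer permits use message.deadline.
    const expiry = BigInt(g.expiration ?? message.deadline ?? 0);
    if (expiry - BigInt(policy.nowSec) > BigInt(policy.maxValiditySec)) {
      findings.push(`long-lived:${token}`);
    }
  }
  return { isPermit2: true, findings };
}

// Constructed sample: an unknown spender asks for an unlimited, never-expiring allowance.
const policy = {
  trustedSpenders: new Set(["0x3333333333333333333333333333333333333333"]),
  nowSec: 1718000000,
  maxValiditySec: 30 * 24 * 3600, // assumed limit: 30 days
};
const sampleRequest = {
  domain: { name: "Permit2", chainId: 1 },
  primaryType: "PermitSingle",
  message: {
    details: {
      token: "0x1111111111111111111111111111111111111111",
      amount: MAX_UINT160.toString(),
      expiration: "281474976710655", // 2^48 - 1
      nonce: "0",
    },
    spender: "0x2222222222222222222222222222222222222222",
    sigDeadline: "1718003600",
  },
};
console.log(inspectSignRequest(sampleRequest, policy));
```

A request with no findings is not thereby safe; the check only surfaces the grant's spender, amount and lifetime so the user sees what the signature would authorize.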

Simple Steps to Create a Phishing Website

With the help of scam-as-a-service, it has become extremely easy for attackers to create a phishing site:

  1. Enter the service provider's communication channel and create a free domain name and corresponding IP address with a simple command.

  2. Choose one from the hundreds of templates provided, and within minutes, you can generate a seemingly normal phishing website.

  3. Find the victims. Once a victim enters the website, believes the fraudulent information on the page, and connects their wallet to approve the malicious transaction, the victim's assets will be transferred.

The entire process takes only a few minutes, greatly lowering the threshold for phishing attacks.

Summary and Prevention Recommendations

The rise of scam-as-a-service has brought significant security risks to users across the industry. Users need to remain vigilant when taking part in cryptocurrency transactions and keep the following points in mind:

  • Do not believe in any "pie in the sky" promotions, such as suspicious free airdrops or compensations; only trust official websites or projects that have undergone professional audit services.
  • Before connecting your wallet to any website, carefully check the URL to see if it mimics a well-known project, and try to use WHOIS domain lookup tools to check its registration date. Websites whose domains were registered only a short time ago are likely to be fraudulent projects.
  • Do not submit your mnemonic phrase or private key to any suspicious websites or apps. Carefully check if the transaction may lead to a loss of funds before signing any messages or approving transactions in your wallet.
  • Follow some official social media accounts that regularly post warning information. If you find that you have inadvertently authorized tokens to a scam address, promptly revoke the authorization or transfer the remaining assets to another safe address.
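
The URL and WHOIS check from the list above can be automated before a wallet connection is allowed. The JavaScript below is an added example, not code from the original article: it compares a site's host against an allowlist of official domains by edit distance and reads the creation date from WHOIS text. The domain names, thresholds and WHOIS record are constructed assumptions.

```javascript
// Added example: the allowlist, thresholds and WHOIS text below are constructed.
const OFFICIAL_DOMAINS = ["exampleswap.org", "samplenft.io"]; // exact hosts
const MIN_AGE_DAYS = 90;     // assumed cut-off for "registered too recently"
const MAX_EDIT_DISTANCE = 2; // assumed cut-off for "mimics a known domain"

// Classic Levenshtein distance with a rolling row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Domain age in whole days, or null when the WHOIS text has no creation date.
function domainAgeDays(whoisText, now) {
  const m = /^\s*Creation Date:\s*(\S+)/im.exec(whoisText);
  const created = m ? Date.parse(m[1]) : NaN;
  return Number.isNaN(created) ? null : Math.floor((now - created) / 86400000);
}

function assessSite(url, whoisText, now) {
  const host = new URL(url).hostname.replace(/^www\./, "");
  if (OFFICIAL_DOMAINS.includes(host)) return { host, verdict: "official", reasons: [] };
  const reasons = [];
  // Internationalised look-alike names show up as punycode labels after URL parsing.
  if (host.split(".").some((l) => l.startsWith("xn--"))) reasons.push("punycode-label");
  const near = OFFICIAL_DOMAINS.find((d) => editDistance(host, d) <= MAX_EDIT_DISTANCE);
  if (near) reasons.push(`lookalike-of:${near}`);
  const age = domainAgeDays(whoisText, now);
  if (age === null) reasons.push("no-creation-date");
  else if (age < MIN_AGE_DAYS) reasons.push(`registered-${age}-days-ago`);
  return { host, verdict: reasons.length ? "do-not-connect" : "unknown", reasons };
}

// Constructed WHOIS record for a one-letter look-alike registered two weeks earlier.
const SAMPLE_WHOIS = "Domain Name: EXAMPLESWQP.ORG\nCreation Date: 2024-06-01T00:00:00Z\n";
const NOW = Date.parse("2024-06-15T00:00:00Z");
console.log(assessSite("https://exampleswqp.org/claim", SAMPLE_WHOIS, NOW));
```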

ForumMiningMastervip
· 07-19 05:46
Suckers, don't be foolish.
PancakeFlippavip
· 07-18 07:54
What a hassle, I'm starting to get back into it again.
rug_connoisseurvip
· 07-17 03:22
The fake retired fisherman has also rolled up.
WhaleMinionvip
· 07-17 03:20
Sigh, when will this end?
MetamaskMechanicvip
· 07-17 03:20
There are really people who still believe in phishing links. Wake up.