The phishing industry chain comes to light: How attackers create scam websites in just a few minutes.


Unveiling the Industrialization of Phishing Attacks in the Crypto World

Since June 2024, the security team has observed a large number of similar phishing and fund-draining transactions, with more than $55 million involved in June alone. In August and September, activity from the related phishing addresses became more frequent and the attacks escalated. In the third quarter of 2024, phishing became the attack method causing the largest financial losses, with attackers obtaining over $243 million in 65 operations.

Analysis shows that the recent frequent phishing attacks are likely related to the notorious phishing tool team. This team had publicly announced its "retirement" at the end of 2023, but now seems to be active again, launching a series of large-scale attacks.

This article will analyze the methods used by typical phishing attack gangs and detail their behavioral characteristics to help users enhance their ability to recognize and prevent phishing scams.

Unveiling the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Crypto World

The Scam-as-a-Service Model

In the crypto world, certain teams have invented a new malicious model known as "scam as a service." This model bundles scam tools and services and sells them as a commodity to other criminals. Between November 2022 and November 2023, when they first announced they were shutting down the service, the total amount scammed exceeded $80 million.

These teams help buyers launch attacks quickly by providing ready-made phishing tools and infrastructure, including the front end and back end of phishing websites, smart contracts, and social media accounts. Phishers who purchase the services keep most of the loot, while the teams providing the service charge a commission of 10%-20%. This model significantly lowers the technical barrier for scams and makes cybercrime more efficient and scalable. The result is a proliferation of phishing attacks across the crypto industry, with users who lack security awareness the most likely targets.


How Scam as a Service Operates

Before introducing this service model, it helps to understand the workflow of a typical decentralized application (DApp). A typical DApp consists of a front-end interface (such as a web page or mobile application) and smart contracts on the blockchain. Users connect their blockchain wallet to the DApp's front end, and the front end generates the corresponding blockchain transaction and sends it to the user's wallet. The user then signs and approves the transaction in the wallet. Once signing is complete, the transaction is sent to the blockchain network, where it calls the corresponding smart contract to execute the required functions.

So how do phishing attackers trick users out of their funds? The answer lies in malicious front-end interfaces and smart contracts designed to entice users into performing unsafe actions. Attackers typically steer users into clicking malicious links or buttons, deceiving them into approving hidden malicious transactions and, in some cases, tricking them directly into revealing their private keys. Once users sign these malicious transactions or expose their private keys, attackers can easily transfer the users' assets to their own accounts.

Here are some of the most common means:

  1. Counterfeiting well-known project front-ends: Attackers create seemingly legitimate front-end interfaces by meticulously imitating the official websites of well-known projects, leading users to mistakenly believe they are interacting with a trusted project, thereby lowering their guard, connecting their wallets, and performing unsafe operations.

  2. Token airdrop scams: Attackers heavily promote phishing websites on social media, advertising "free airdrops", "early presales", "free minting of NFTs", and other highly attractive opportunities to entice victims into clicking links. Once victims are lured to the phishing website, they often unwittingly connect their wallets and approve malicious transactions.

  3. Fake hacking incidents and reward scams: Cybercriminals claim that a well-known project has suffered a hacking attack or asset freeze, and is currently distributing compensation or rewards to users. They attract users to phishing websites through these false emergencies, tricking them into connecting their wallets and ultimately stealing user funds.

Phishing scams are not a new tactic; they were already quite common before 2020. However, this service model has been the biggest driving force behind the escalation of phishing scams over the past two years. Before it emerged, phishing attackers had to prepare on-chain startup funds and create a front-end website and smart contracts for each attack. Most of these phishing websites were poorly made, and new scam projects could be recreated from a set of templates with simple modifications, but operating and maintaining the website and designing its pages still required a certain level of technical skill. These tool providers have completely eliminated the technical barriers to phishing scams: they offer their services to buyers who lack the skills to create and host phishing websites, and take a share of the scam proceeds.


Revealed: What Steps Are Needed to Create a Phishing Website?

After watching how these teams distribute the spoils, let's take a look at how easy it is for attackers to create a phishing site with the help of this service model.

Step one, enter the communication channel provided by the service. With just a simple command, a free domain name and a corresponding IP address are created.


Step two, choose one of the hundreds of templates provided by the bot, then start the installation process. A few minutes later, a fairly convincing phishing website has been created.


Step three, find the victims. Once a victim enters the website, believes the fraudulent information on the page, and connects their wallet to approve a malicious transaction, the victim's assets will be transferred. With the help of such services, attackers can create a phishing website in just three steps, taking only a few minutes.
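Because a site built this way sits on a freshly created domain, domain age and name similarity are useful defensive signals. The following is an added example (not from the original article) that checks a URL against a list of official domains and a WHOIS record; the domains, the WHOIS text, and the 30-day threshold are constructed assumptions.

```javascript
// Added example: flags lookalike and freshly registered domains before a wallet connects.

// Levenshtein distance between two short strings (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const old = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = old;
    }
  }
  return row[b.length];
}

// Naive registrable domain: the last two labels (assumption: no multi-part suffix like .co.uk).
function registrable(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Returns the registrable domain and a list of warning findings (empty for official domains).
function checkDomain(url, officialDomains, whoisText, now = new Date()) {
  const host = new URL(url).hostname; // WHATWG URL converts IDN hosts to punycode
  const domain = registrable(host);
  const findings = [];
  if (officialDomains.includes(domain)) return { domain, findings };
  if (host.includes("xn--")) findings.push("punycode label (possible homoglyphs)");
  const label = domain.split(".")[0];
  for (const official of officialDomains) {
    const brand = official.split(".")[0];
    if (editDistance(label, brand) <= 2) findings.push(`near-miss of ${official}`);
    else if (host.includes(brand)) findings.push(`embeds brand of ${official}`);
  }
  const m = /Creation Date:\s*(\S+)/i.exec(whoisText || "");
  if (m) {
    const ageDays = Math.floor((now - new Date(m[1])) / 86400000);
    if (ageDays < 30) findings.push(`registered ${ageDays} day(s) ago`);
  }
  return { domain, findings };
}

// Constructed sample input: a hypothetical project domain and a WHOIS excerpt.
const OFFICIAL = ["exampleswap.org"];
const SAMPLE_WHOIS = "Domain Name: EXAMP1ESWAP.ORG\nCreation Date: 2024-09-10T08:00:00Z\n";
console.log(checkDomain("https://examp1eswap.org/airdrop", OFFICIAL, SAMPLE_WHOIS));
```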


Summary and Insights

The return of this phishing tool undoubtedly poses a significant security risk for users across the industry. Its powerful features, covert attack methods, and extremely low cost of crime have made it one of the preferred tools for cybercriminals carrying out phishing attacks and fund theft.

Users need to remain vigilant when participating in cryptocurrency trading and keep the following points in mind:

  • There is no such thing as a free lunch: Do not believe any "pie falling from the sky" promotions, such as suspicious free airdrops or compensations. Only trust official websites or projects that have undergone professional auditing services.
  • Always check the link: Before connecting your wallet to any website, carefully check the URL to see if it mimics a well-known project, and try to use WHOIS domain lookup tools to check its registration date. Websites that were registered only a short time ago are likely to be fraudulent projects.
  • Protect private information: Do not submit your mnemonic phrase or private key to any suspicious website or app. Before signing any message or approving a transaction in the wallet, carefully check whether it is a Permit or Approve transaction that may result in a loss of funds.
  • Stay updated on scam information: Follow official social media accounts that regularly publish warning information. If you find that you have inadvertently authorized tokens to a scam address, promptly revoke the authorization or transfer any remaining assets to another secure address.
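The Permit/Approve check recommended above can be automated before a request reaches the signing prompt. The following is an added example (not from the original article) that inspects transaction calldata for the standard ERC-20/ERC-721/EIP-2612 approval selectors and inspects EIP-712 typed data for permit-style messages; the sample inputs are constructed, and matching `primaryType` on the prefix "Permit" is a heuristic assumption.

```javascript
// Added example: flags wallet signing requests that grant token spending rights.
const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors of the standard approval functions.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
  "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
};

// n-th 32-byte ABI word following the selector.
const word = (hex, n) => hex.slice(8 + 64 * n, 72 + 64 * n);

// Inspect the "data" field of a transaction; returns null if it is not an approval call.
function inspectCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!signature) return null;
  // permit(owner, spender, value, ...) has the spender in word 1; the others in word 0.
  const s = signature.startsWith("permit") ? 1 : 0;
  if (hex.length < 8 + 64 * (s + 2)) return { signature, malformed: true };
  const spender = "0x" + word(hex, s).slice(24);
  const amount = BigInt("0x" + word(hex, s + 1));
  const unlimited = signature.startsWith("setApprovalForAll") ? amount !== 0n : amount === MAX_UINT256;
  return { signature, spender, grants: amount !== 0n, unlimited };
}

// Inspect an EIP-712 payload (eth_signTypedData_v4). Off-chain permits cost no gas
// and only appear on-chain when whoever holds the signature submits it.
function inspectTypedData(typed) {
  const type = String(typed.primaryType || "");
  if (!/^Permit/.test(type)) return null;
  return { signature: type, spender: typed.message?.spender };
}

// Constructed samples: an unlimited approve() and an EIP-2612 style typed-data permit.
const SPENDER_WORD = "dead".padStart(64, "0");
const SAMPLE_APPROVE_MAX = "0x095ea7b3" + SPENDER_WORD + "f".repeat(64);
const SAMPLE_PERMIT = { primaryType: "Permit", message: { spender: "0x" + "dead".padStart(40, "0") } };
console.log(inspectCalldata(SAMPLE_APPROVE_MAX), inspectTypedData(SAMPLE_PERMIT));
```

A result with `grants: false` is a revocation (allowance set to zero), which is the remediation the last bullet describes.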


Comments
NeverVoteOnDAOvip
· 17h ago
Just kidding, I'm laughing my head off.
WalletDetectivevip
· 18h ago
It's ridiculous that you can commit crimes without any skills.
DegenGamblervip
· 07-23 07:14
Only when they all go bankrupt will I be happy.
ContractSurrendervip
· 07-21 03:41
Suckers will eventually be played for suckers.
ForkPrincevip
· 07-21 03:38
Be vigilant, retail investors must tread carefully.
ChainSpyvip
· 07-21 03:27
Hehe, scammers are almost evolving into an industry chain.