SlowMist discovered that throughout 303 recorded blockchain safety incidents in 2022, practically a 3rd have been made up of phishing assaults, rug pulls and scams.
Blockchain safety agency SlowMist has highlighted 5 frequent phishing methods crypto scammers used on victims in 2022, together with malicious browser bookmarks, phony gross sales orders and trojan malware unfold on messaging app Discord.
It comes after the safety agency recorded a complete of 303 blockchain safety incidents within the 12 months, with 31.6% of those incidents brought on by phishing, rug pull or other scams, in response to a Jan. 9 SlowMist blockchain safety report.
Malicious browser bookmarks
One of many phishing methods makes use of bookmark managers, a characteristic in most trendy browsers.
SlowMist stated scammers have been exploiting these to in the end achieve entry to a challenge proprietor’s Discord account.
Throughout this course of, the scammer can steal a sufferer’s Discord Token (encryption of a Discord username and password) and thus achieve entry to their account, which permits them to submit pretend messages and hyperlinks to extra phishing scams posing because the sufferer.
‘Zero greenback buy’ NFT phishing
Out of 56 major NFT security breaches, 22 of these have been the results of phishing assaults, in response to SlowMist.
One of many extra fashionable strategies utilized by scammers methods victims into signing over NFTs for virtually nothing by way of a phony gross sales order.
As soon as the sufferer indicators the order, the scammer can then buy the person’s NFTs by way of a market at a worth decided by them.
“Sadly, it isn’t potential to deauthorize a stolen signature by way of websites like Revoke,” SlowMist wrote.
“Nonetheless, you possibly can deauthorize any earlier pending orders that you just had arrange, which may help mitigate the chance of phishing assaults and forestall the attacker from utilizing your signature.”
Computer virus foreign money theft
In keeping with SlowMist, the sort of assault often happens by way of non-public messages on Discord the place the attacker invitations victims to take part in testing a brand new challenge, then sends a program within the type of a compressed file that accommodates an executable file of about 800 MB.
After downloading this system, it would scan for information containing key phrases like “pockets” and add them to the attacker’s server.
“The newest model of RedLine Stealer additionally has the power to steal cryptocurrency, scanning for put in digital foreign money pockets info on the native laptop and importing it to a distant management machine,” stated SlowMist.
“Along with stealing cryptocurrency, RedLine Stealer may add and obtain information, execute instructions, and ship again periodic details about the contaminated laptop.”
‘Clean Test’ eth_sign phishing
This phishing assault permits scammers to make use of your non-public key to signal any transaction they select. After connecting your pockets to a rip-off web site, a signature software field might pop up with a pink warning from MetaMask.
After signing, attackers achieve entry to your signature, permitting them to can assemble any knowledge and ask you to signal it by way of eth_sign.
“This kind of phishing may be very complicated, particularly in the case of authorization,” stated the agency.
Similar ending quantity switch rip-off
For this rip-off, attackers airdrop small quantities of tokens, similar to .01 USDT or 0.001 USDT to victims typically with an analogous deal with, aside from the previous few digits within the hopes of tricking customers into unintentionally copying the incorrect deal with of their switch historical past.
The remainder of the 2022 report coated different blockchain safety incidents within the 12 months, together with contract vulnerabilities and personal key leakage.
There have been roughly 92 assaults utilizing contract vulnerabilities within the 12 months, totaling practically $1.1 billion in losses due to flaws in sensible contract design and hacked applications.
Non-public key theft then again accounted for roughly 6.6% of assaults and noticed no less than $762 million in losses, probably the most outstanding examples being the Ronin bridge and Harmony’s Horizon Bridge hacks.