Web3 Security Best Practices: Part 4

Armed with the foreknowledge of these dirty deeds – all of which are used against both newbies and seasoned veterans alike – you will have a much greater chance of detecting these nasty traps at first glance, and thus hopefully avoiding them altogether.

You can catch up on Web3 Security, Part 1, Web3 Security, Part 2 and Web3 Security, Part 3 via the highlighted links.

Fake Websites (Traditional Scams)

There are many fake versions of “commonly visited Web3-websites”. You can detect these by carefully examining BOTH the domain extension and domain URL that you’re visiting. For example, the official ENS Vision URL is ens.vision/tools, and there are many ways that a scam version of the URL may present itself: 

1. may use a different TLD (IE .xyz, in replace of the TLD ‘.vision’), or
2. may use a different TLD WITH Subdomain (IE ens.vision.com/tools, which uses the ‘.com’ TLD), or
3. may use a number in the page name (ie: “/t00Is” uses number ’00’, in replace of the letters ‘oo’), or
4. may use a capital letter in the page name (ie: “/tooIs” uses a capital letter ‘i’, in replace of the letter ‘L’).  

These fake sites may have a fake MetaMask-prompt where they will ask you for your password-or-seed-phrase at the ‘connect wallet’ stage. However, as this is not your genuine MetaMask extension, all password attempts will fail and you will be asked to recover your wallet by typing in your seed phrase. As we know, we never acquiesce to the request of typing our seed phrases.

However, it is also possible for the MetaMask-prompt to be real, and for the scam-website to trick you to authorize them to have access to your wallet. This would put your wallet at risk, even if you are using a hardware wallet.

Website Links Sent via DMs

A common tactic by scammers is to send bulk messages out to server members, often masquerading as the project itself, saying you have won a whitelist spot with them. They will attach a link to their scam website, which will often look very legitimate in appearance, saying you need to claim there. There are many incarnations, but some scammer will pretend to be someone you can trust, and then will try to trick you to click the link to their scam site. In reality, if you connect your wallet with that scam website, and you sign a transaction via your MetaMask after following that link, it will likely be a ‘Set Approval For All’ transaction which will allow the scammer to move any-or-all of your assets, from your wallet, to their own scammer wallet.

The strict rule of “Do Not Click Links” sent to you via Discord/Twitter DM (or from Anyone, Anywhere), which will protect you most of the time. All the same, always check the domain extension and full domain name of the URL, and any of the links that come across your screen (See Examples, Above). Truly, if you’re fresh into Web3 it’s advisable to just “Keep Discord DMs Switched Off” until you’ve found your feet a little.

Hacked or Scam Discord Servers

Unfortunately, the culture of FOMO (fear of missing out) and hyped launches have contributed to people disregarding safety measures temporarily and paying the price for it. If a Discord is hacked, a telltale sign is chat channels have been locked (ie: you’re unable to send a message in the General areas of the server).

Additionally, if the announcement channel is pushing a ‘surprise’ giveaway or mint (often copying and pasting the same message repeatedly) then this is a huge red flag telling you to stay clear and alert anyone you know that Discord is compromised. Much like the Discord DMs example, the hackers will push a fake link with the same consequences of your wallet being drained of its assets, should you proceed.

Never FOMO in and always double-check what you’re clicking. Again, “Always Check The Links” that come across you are going to click (See Examples, Above). If it’s a legitimate project, and you do miss out, then there will always be another opportunity. It only takes one mistake to end it all, and it is not worth the risk, but you can mitigate your risk if you “Do Not Connect Your ‘VAULT’ Wallets” to Discord or to any Website.

Social Engineering

Social engineering is arguably the number one cause of stolen assets in the Web3 space. So much so, that it likely requires its own focused article. You could have five Ledgers all stored in a fireproof safe, with their seed phrases protected by armed guards and placed in different locations around the world – and still, that would not save you from a social engineering scam.

The most common approach used by scammers is asking you to trade an asset in a private deal, with any one or more of the following occurring:

• Being approached in a Discord DM by an unknown user to make a trade.
  • Not every instance of this happening is a scam, but the overwhelming majority is so.
  • It’s wise to check the post history of a user in the server before engaging.
    • You can do this by typing ‘ from:username ‘ in the server search bar.
    • A red flag would be if no results are returned.
  • If there are many messages, then still don’t take that as a green light – instead, ask inside the server if anyone can vouch for that user.
    • If they are legitimate, it’s likely someone would have interacted or traded with them previously.
• Impersonating Moderators/Project Owners.
  • More recently, scammers have been scoping out servers for the Discord IDs of reputable community members, replicating them aesthetically via the display picture/name and using their clout to gain automatic trust with the victim.
    • They then begin to approach server members with another account looking to make a trade and use the impersonator account to act as an intermediary in the deal.
  • Moderators/Founders of projects will generally never contact you via DM, lest of all partake in private trade activity.
    • If you end up in a group DM with one and trade is being discussed, it’s 99% likely you’re talking to a fake ID of those trusted individuals.
      
• Loaning or lending your crypto or NFT to someone.
  • Sadly, even people you have grown close to in the space can act out of character and betray your trust.
    • One recent example I witnessed: a trusted member of a community offered to act as an intermediary in a private swap deal.
    • They were to hold both assets and then distribute the funds/assets accordingly once both were received from the buyer and seller.
    • He disappeared shortly after taking everything with him. If it wasn’t for the scammer being so sloppy with his digital footprint being linked to his real ID, he never would have returned the stolen items – and this was only after an onslaught of pressure to track him down was made by fellow community members.
  • This was a person who knew his victim for almost a year; as sad as it is to say, the best way to avoid this is to never get involved in such a scenario in the first place.
    • As such, that rule can be applied to all of the above situations – be naturally paranoid when your assets are at stake.
• Being asked to set the price to $0.
  • For self-explanatory reasons, this is never a great idea.
  • The scammer will pledge to do the same in order to make a straight asset-to-asset swap with no liquid funds involved.
  • The scammer will not follow through on their end, of course.
• Other New Social Engineering Scams
  • There will always be new social engineering scams seeking to take advantage of users knowledge & emotions.
  • It will always involve someone pretending to be someone you trust, or setting-up a story for you to trust them.
    • Typically, it will play on your emotions of, such as your: compassion and empathy, or FOMO and greed.
  • It is important to always remain vigilant. With the advent of video deep-fakes, you can never be too careful.

Hackers Used #Deepfake
[of Binance CCO] to Scam.
Expect to see this everywhere.
There is a 'next gen' of scams/scammers;
They're seeking to attack individual-users, at scale.
Self-Custody Your Keys + Attack Vector Awareness. #Web3 #SIWE #ENS $ENS https://t.co/BfuAMUV7EU

— GaryPalmerJr.eth.limo 👁 2223.eth 🌱🐇 (@garypalmerjr) August 31, 2022

Scam and Phishing Emails

If you have your email address linked to your OpenSea account, be wary of any email which purportedly comes from them.

In June of this year, OpenSea had an email address database leak where an employee of one of their vendors misused their access to download and share OpenSea users’ addresses with an unauthorized 3rd party.

OpenSea DATA LEAK. I've just received this email from OS. So be careful out there if you receive communications from people pretending to be OpenSea's staff. 🙏🚨 pic.twitter.com/QP6erbE7xj

— jackasscrypto.ethᵍᵐ (@crypto_jackass) June 30, 2022

So with this in mind, it’s almost a certainty that those affected will be set to receive phishing emails for some time. If you ever receive an email from OpenSea, double-check the sender and ensure it is from the official OpenSea mailbox. A scam email will redirect to a fake website. I mitigate this by simply never clicking on anything within an OpenSea email. They can never get me this way!

Malicious Contracts & Airdrops

A malicious contract has code written into it that will grant the scammer (who is the owner of that contract access) access to drain your wallet of funds-and-assets.

If you’re not savvy with reading Web3 contracts, the best way to avoid this pitfall is to ask someone who is to examine it for potential issues. Alternatively, although not a perfect option, is to wait to see how others are affected after using it. Again, avoid FOMO as that’s where a lot of mistakes are made – especially with contracts by unknown developers or not from a highly reputable source.

Scammers, are relentlessly enterprising individuals, and scammers have branched out into airdropping Scam-NFTs to Web3 wallets.

They most target wallets that are holding high-value projects, such as BAYC, but anyone can be targeted. Despite the fact that the artwork on these airdrops is often “ugly”, which is bad enough in itself, but when interacting with these scam NFTs (ie: trying to sell them, or move them, to another wallet) will mean that you are interacting with a malicious contract, which could end-up with you risking all your assets to get stolen.

A recent common theme is a scammer will airdrop the NFT, and then make a large WETH offer on it. This is in order to tempt the potential victims into accepting the offer and thus interacting with the malicious contract. It a waste of time and a risk, as the WETH offer can never be completed, even if accepted, so it is an entirely fruitless and risky task.

Malware, Keylogging & Protection

As previously mentioned, be extra vigilant of the downloads you make, specifically if they originate from Twitter or Discord DMs. Unless you know and trust the person you are interacting with, downloading a link via an unsolicited DM has a terrible risk-to-reward rate.

Once live on your device, these malevolent downloads can sometimes grant a hacker remote access to your PC or install malware. On that note and as referenced in Part 1, purchasing some trusted software like MalwareBytes is a good investment and is regarded as the best antivirus protection software for a very affordable price of $30 per year.

Downloading an untrusted version of a program, such as LedgerLive, will fool you into a false sense of security by typing your seed-phrases into it. Additionally, these fake versions of programs have the ability to install malware on your device. Always check that the source of the download is legitimate using the advice given in Part 1 under the ‘Be selective with your browser extensions.’ bullet point.

In Conclusion

This concludes the series on Web3 Security Best Practices. Hopefully, these basic tips will have you all set to embark on a safe and highly prosperous journey into Web3!

Remember, being safe and careful will always require more time and effort, but it’s worth doing so. It only takes one mistake to wipe out years of hard work.

Take care!