
Web3 Security Best Practices: Part 4

How To Avoid Common Hacks & Scams in Web3

by PhoenixxDown.eth
September 1, 2022
in Security

In this final part of our beginner’s series on Web3 security, we will cover the most “common types of hacks and scams”.

Armed with the foreknowledge of these dirty deeds – all of which are used against both newbies and seasoned veterans alike – you will have a much greater chance of detecting these nasty traps at first glance, and thus hopefully avoiding them altogether.

You can catch up on Web3 Security, Part 1, Web3 Security, Part 2 and Web3 Security, Part 3 via the highlighted links.

Fake Websites (Traditional Scams)

There are many fake versions of “commonly visited Web3-websites”. You can detect these by carefully examining BOTH the domain extension and domain URL that you’re visiting. For example, the official ENS Vision URL is ens.vision/tools, and there are many ways that a scam version of the URL may present itself: 

  1. may use a different TLD (e.g. ‘.xyz’ in place of the TLD ‘.vision’), or
  2. may use a different TLD with a subdomain (e.g. ens.vision.com/tools, which uses the ‘.com’ TLD), or
  3. may use a number in the page name (e.g. “/t00Is” uses the number ‘00’ in place of the letters ‘oo’), or
  4. may use a capital letter in the page name (e.g. “/tooIs” uses a capital letter ‘I’ in place of the lowercase letter ‘l’).
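
The four patterns above can be checked mechanically against a bookmarked URL. The following is an added example, not code from the original article; the `OFFICIAL` bookmark, the `CONFUSABLES` table and the function names are assumptions chosen to match the article's examples, and the punycode check goes slightly beyond the four listed cases.

```javascript
// Added example (not from the original article): compare a link against a
// bookmarked official URL and report which look-alike trick it uses.
// OFFICIAL and CONFUSABLES are assumptions matching the article's examples.
const OFFICIAL = { host: "ens.vision", path: "/tools" };
const CONFUSABLES = { "0": "o", "1": "l", "I": "l" };

// Reduce a string to the letters it visually imitates, ignoring case.
function skeleton(s) {
  return [...s].map((c) => CONFUSABLES[c] ?? c).join("").toLowerCase();
}

function classifyHost(host, official) {
  if (host === official) return null; // exact match, nothing to report
  if (host.split(".").some((label) => label.startsWith("xn--")))
    return "host contains an internationalised (punycode) label";
  if (host.startsWith(official + "."))
    return `official name is only a prefix of another domain (${host})`;
  const a = host.split("."), b = official.split(".");
  if (a.length === b.length && a.slice(0, -1).join(".") === b.slice(0, -1).join("."))
    return `different TLD (.${a.at(-1)} instead of .${b.at(-1)})`;
  if (skeleton(host) === skeleton(official))
    return "look-alike characters in the host name";
  return "host is not the official domain";
}

function classifyPath(path, official) {
  const p = path.replace(/\/+$/, "") || "/"; // ignore trailing slashes
  if (p === official) return null;
  if (skeleton(p) === skeleton(official))
    return "look-alike characters or changed case in the page name";
  return "page is not the bookmarked one";
}

function checkUrl(candidate, official = OFFICIAL) {
  let url;
  try {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(candidate);
    url = new URL(hasScheme ? candidate : "https://" + candidate);
  } catch {
    return { ok: false, reasons: ["not a parseable URL"] };
  }
  const reasons = [
    classifyHost(url.hostname, official.host),
    classifyPath(url.pathname, official.path),
  ].filter(Boolean);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample links following the four patterns listed above.
for (const link of ["ens.vision/tools", "ens.xyz/tools", "ens.vision.com/tools",
                    "ens.vision/t00Is", "ens.vision/tooIs"]) {
  console.log(link, "->", JSON.stringify(checkUrl(link)));
}
```

The URL parser lowercases the host but leaves the path untouched, which is why the capital-‘I’ trick only survives in the page name.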

These fake sites may have a fake MetaMask-prompt where they will ask you for your password-or-seed-phrase at the ‘connect wallet’ stage. However, as this is not your genuine MetaMask extension, all password attempts will fail and you will be asked to recover your wallet by typing in your seed phrase. As we know, we never acquiesce to the request of typing our seed phrases.

However, it is also possible for the MetaMask-prompt to be real, and for the scam-website to trick you into authorizing them to have access to your wallet. This would put your wallet at risk, even if you are using a hardware wallet.

Website Links Sent via DMs

A common tactic by scammers is to send bulk messages out to server members, often masquerading as the project itself, saying you have won a whitelist spot with them. They will attach a link to their scam website, which will often look very legitimate in appearance, saying you need to claim there. There are many incarnations, but the scammer will pretend to be someone you can trust, and then will try to trick you into clicking the link to their scam site. In reality, if you connect your wallet with that scam website, and you sign a transaction via your MetaMask after following that link, it will likely be a ‘Set Approval For All’ transaction which will allow the scammer to move any-or-all of your assets, from your wallet, to their own scammer wallet.

The strict rule of “Do Not Click Links” sent to you via Discord/Twitter DM (or from Anyone, Anywhere) will protect you most of the time. All the same, always check the domain extension and full domain name of the URL, and any of the links that come across your screen (See Examples, Above). Truly, if you’re fresh into Web3 it’s advisable to just “Keep Discord DMs Switched Off” until you’ve found your feet a little.
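
A ‘Set Approval For All’ request can be recognised from the raw transaction data a wallet shows before signing. The following is an added example, not code from the original article; the function names and the placeholder operator address are assumptions, and the `approve` selector is included as a related case the article does not cover.

```javascript
// Added example (not from the original article): read the raw `data` field a
// wallet shows before signing and flag collection-wide operator approvals.
// A selector is the first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
};

function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8)
    return { risk: "unknown", note: "not valid hex calldata" };
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature)
    return { risk: "unknown", note: "function selector not recognised" };

  // Both functions take exactly two 32-byte ABI words after the selector.
  const args = hex.slice(8);
  if (args.length !== 128)
    return { risk: "unknown", signature, note: "unexpected argument length" };
  const operator = "0x" + args.slice(24, 64);   // address = low 20 bytes of word 0
  const word1 = BigInt("0x" + args.slice(64));  // bool, amount or token id

  if (signature.startsWith("setApprovalForAll")) {
    return word1 !== 0n
      ? { risk: "high", signature, operator,
          note: "operator may transfer every token you hold in the target contract" }
      : { risk: "low", signature, operator,
          note: "revokes an earlier operator approval" };
  }
  return { risk: "review", signature, operator,
           note: "approves one token id (ERC-721) or an amount (ERC-20); check the value" };
}

// Build constructed sample calldata; the operator address is a placeholder.
const SAMPLE_OPERATOR = "0x" + "ab".repeat(20);
function encodeSetApprovalForAll(operator, approved) {
  const word = (h) => h.padStart(64, "0");
  return "0xa22cb465" + word(operator.slice(2).toLowerCase()) + word(approved ? "1" : "0");
}

console.log(inspectCalldata(encodeSetApprovalForAll(SAMPLE_OPERATOR, true)));
console.log(inspectCalldata(encodeSetApprovalForAll(SAMPLE_OPERATOR, false)));
```

The approval is scoped to the contract the transaction is sent to, so the same check has to be applied to every collection a site asks you to approve.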

Hacked or Scam Discord Servers

Unfortunately, the culture of FOMO (fear of missing out) and hyped launches have contributed to people disregarding safety measures temporarily and paying the price for it. If a Discord is hacked, a telltale sign is that chat channels have been locked (i.e. you’re unable to send a message in the General areas of the server).

Additionally, if the announcement channel is pushing a ‘surprise’ giveaway or mint (often copying and pasting the same message repeatedly) then this is a huge red flag telling you to stay clear and alert anyone you know that the Discord is compromised. Much like the Discord DMs example, the hackers will push a fake link with the same consequences of your wallet being drained of its assets, should you proceed.

Never FOMO in and always double-check what you’re clicking. Again, “Always Check The Links” that you are going to click (See Examples, Above). If it’s a legitimate project, and you do miss out, then there will always be another opportunity. It only takes one mistake to end it all, and it is not worth the risk, but you can mitigate your risk if you “Do Not Connect Your ‘VAULT’ Wallets” to Discord or to any Website.

Social Engineering

Social engineering is arguably the number one cause of stolen assets in the Web3 space. So much so, that it likely requires its own focused article. You could have five Ledgers all stored in a fireproof safe, with their seed phrases protected by armed guards and placed in different locations around the world – and still, that would not save you from a social engineering scam.

The most common approach used by scammers is asking you to trade an asset in a private deal, with any one or more of the following occurring:

  • Being approached in a Discord DM by an unknown user to make a trade.
    • Not every instance of this happening is a scam, but the overwhelming majority are.
    • It’s wise to check the post history of a user in the server before engaging.
      • You can do this by typing ‘ from:username ‘ in the server search bar.
      • A red flag would be if no results are returned.
    • If there are many messages, then still don’t take that as a green light – instead, ask inside the server if anyone can vouch for that user.
      • If they are legitimate, it’s likely someone would have interacted or traded with them previously.
  • Impersonating Moderators/Project Owners.
    • More recently, scammers have been scoping out servers for the Discord IDs of reputable community members, replicating them aesthetically via the display picture/name and using their clout to gain automatic trust with the victim.
      • They then begin to approach server members with another account looking to make a trade and use the impersonator account to act as an intermediary in the deal.
    • Moderators/Founders of projects will generally never contact you via DM, least of all partake in private trade activity.
      • If you end up in a group DM with one and trade is being discussed, it’s 99% likely you’re talking to a fake ID of those trusted individuals.
  • Loaning or lending your crypto or NFT to someone.
    • Sadly, even people you have grown close to in the space can act out of character and betray your trust.
      • One recent example I witnessed: a trusted member of a community offered to act as an intermediary in a private swap deal.
      • They were to hold both assets and then distribute the funds/assets accordingly once both were received from the buyer and seller.
      • He disappeared shortly after taking everything with him. If it wasn’t for the scammer being so sloppy with his digital footprint being linked to his real ID, he never would have returned the stolen items – and this was only after an onslaught of pressure to track him down was made by fellow community members.
    • This was a person who knew his victim for almost a year; as sad as it is to say, the best way to avoid this is to never get involved in such a scenario in the first place.
      • As such, that rule can be applied to all of the above situations – be naturally paranoid when your assets are at stake.
  • Being asked to set the price to $0.
    • For self-explanatory reasons, this is never a great idea.
    • The scammer will pledge to do the same in order to make a straight asset-to-asset swap with no liquid funds involved.
    • The scammer will not follow through on their end, of course.
  • Other New Social Engineering Scams
    • There will always be new social engineering scams seeking to take advantage of users’ knowledge & emotions.
    • It will always involve someone pretending to be someone you trust, or setting up a story for you to trust them.
      • Typically, it will play on your emotions, such as compassion and empathy, or FOMO and greed.
    • It is important to always remain vigilant. With the advent of video deep-fakes, you can never be too careful.

Hackers Used #Deepfake
[of Binance CCO] to Scam.
Expect to see this everywhere.
There is a 'next gen' of scams/scammers;
They're seeking to attack individual-users, at scale.
Self-Custody Your Keys + Attack Vector Awareness. #Web3 #SIWE #ENS $ENS https://t.co/BfuAMUV7EU

— GaryPalmerJr.eth.limo 👁 2223.eth 🌱🐇 (@garypalmerjr) August 31, 2022

Scam and Phishing Emails

If you have your email address linked to your OpenSea account, be wary of any email which purportedly comes from them.

In June of this year, OpenSea had an email address database leak where an employee of one of their vendors misused their access to download and share OpenSea users’ addresses with an unauthorized 3rd party.

OpenSea DATA LEAK. I've just received this email from OS. So be careful out there if you receive communications from people pretending to be OpenSea's staff. 🙏🚨 pic.twitter.com/QP6erbE7xj

— jackasscrypto.ethᵍᵐ (@crypto_jackass) June 30, 2022

So with this in mind, it’s almost a certainty that those affected will be set to receive phishing emails for some time. If you ever receive an email from OpenSea, double-check the sender and ensure it is from the official OpenSea mailbox. A scam email will redirect to a fake website. I mitigate this by simply never clicking on anything within an OpenSea email. They can never get me this way!

Malicious Contracts & Airdrops

A malicious contract has code written into it that will grant the scammer (who is the owner of that contract) access to drain your wallet of funds-and-assets.

If you’re not savvy with reading Web3 contracts, the best way to avoid this pitfall is to ask someone who is to examine it for potential issues. Alternatively, although it is not a perfect option, you can wait to see how others are affected after using it. Again, avoid FOMO as that’s where a lot of mistakes are made – especially with contracts by unknown developers or not from a highly reputable source.

Scammers are relentlessly enterprising individuals, and they have branched out into airdropping Scam-NFTs to Web3 wallets.

They mostly target wallets that are holding high-value projects, such as BAYC, but anyone can be targeted. The artwork on these airdrops is often “ugly”, which is bad enough in itself, but interacting with these scam NFTs (i.e. trying to sell them, or move them, to another wallet) means that you are interacting with a malicious contract, which could end up with all your assets being stolen.

A recent common theme is a scammer will airdrop the NFT, and then make a large WETH offer on it. This is in order to tempt the potential victims into accepting the offer and thus interacting with the malicious contract. It is a waste of time and a risk, as the WETH offer can never be completed, even if accepted, so it is an entirely fruitless and risky task.

Malware, Keylogging & Protection

As previously mentioned, be extra vigilant of the downloads you make, specifically if they originate from Twitter or Discord DMs. Unless you know and trust the person you are interacting with, downloading a link via an unsolicited DM has a terrible risk-to-reward rate.

Once live on your device, these malevolent downloads can sometimes grant a hacker remote access to your PC or install malware. On that note and as referenced in Part 1, purchasing some trusted software like MalwareBytes is a good investment and is regarded as the best antivirus protection software for a very affordable price of $30 per year.

Downloading an untrusted version of a program, such as LedgerLive, can lull you into a false sense of security and lead you to type your seed phrases into it. Additionally, these fake versions of programs have the ability to install malware on your device. Always check that the source of the download is legitimate using the advice given in Part 1 under the ‘Be selective with your browser extensions.’ bullet point.

In Conclusion

This concludes the series on Web3 Security Best Practices. Hopefully, these basic tips will have you all set to embark on a safe and highly prosperous journey into Web3!

Remember, being safe and careful will always require more time and effort, but it’s worth doing so. It only takes one mistake to wipe out years of hard work.

Take care!


PhoenixxDown.eth

PhoenixxDown is a web3 enthusiast and investor, predominantly with an interest in NFTs and ENS technology. Phoenixx has been an avid writer since as long as he can remember, venturing into all forms of literacy expression from writing screenplays, to composing marketing copy for large brands, and most recently, information based articles for web3. He lives in London, and when not complaining about the weather, enjoys horse racing, saunas and raising his family.
