We have compiled the common fraud schemes and protection methods in the Web3 and play-to-earn space.
The large community behind Web3, the popular field of recent times, praises its security features, but behind the scenes the Web3 space is seen as attractive territory for hackers and scammers.
Fraud schemes in this area that promise large gains, investment returns or special advantages are described as investment fraud by the US Federal Trade Commission (FTC).
The Federal Trade Commission published a report on the subject in June 2022. According to the report, more than $1 billion has been lost to cryptocurrency fraud since 2021. The report includes the following statement on the issue:
“Almost half of people who reported losing their crypto to a scam since 2021 said it started with an ad, post or message on a social media platform.”
NFTs Are Targeted by Attackers
Although most fraud is aimed at cryptocurrencies, NFTs have also become an increasingly popular target for scammers. A report published on the subject by the Web3 cyber security firm TRM Labs gives some figures: in last May and the two months that followed, the NFT community lost approximately $22 million to fraud and phishing attacks.
Attackers specifically target high-value NFT collections; established projects such as the popular Bored Ape Yacht Club (BAYC) are seen as worthwhile targets. In April 2022, the BAYC Instagram account was hacked by scammers who directed users to a site that stole cryptocurrencies and NFTs from their Ethereum wallets. In this attack, 91 NFTs with a total value of over $2.8 million were stolen. In another attack, NFTs worth 200 ETH were stolen from users through a redirect sent via Discord.
Since scammers target high-value NFTs, the wealthy owners of those NFTs are also affected. For example, on May 17, actor and producer Seth Green announced that four of his NFTs had been stolen, including his Bored Ape #8398 NFT.
In a later statement, Green said that he got his stolen NFT back by paying 165 ETH to the user who had bought it.
Security Companies Are Watching
The growing fraud activity in the Web3 space has also spurred many security companies into action. Luis Lubeck, a security engineer at the cyber security firm Halborn, said in a statement on the subject that phishing attacks are still the primary attack vector. Lubeck says users need to be aware of threats to their wallet credentials, and of cloned links, fake projects and fake websites.
According to Lubeck, phishing scams begin with social engineering: the attacker sends the targeted audience or person messages offering an early chance to acquire a token, or claiming their money will increase 100-fold. The attacker then redirects them in various ways through the fake links in those messages. Some users see the attacker’s message as an opportunity they have come across and do not want to miss, and so fall into the trap; in other words, they are gripped by a kind of FOMO.
The case of Green, who had already been victimised this way, came about through a similar attempt: the attackers took over his account by sending him their phishing attack via a cloned link.
In his statement, Green says he made the mistake of clicking on a link that turned out to lead to a phishing website. When he connected his wallet to that site, he gave the hackers access to his private keys and, in turn, to his Bored Ape NFTs.
Types of Cyber Attacks
There are many types of attacks in the digital space. Although there is no single definitive list of the attack types that harm users, some methods are well known. Let’s examine them one by one.
1- Phishing Attacks: Phishing is one of the best-known and most widely used types of cyber attack. In this method, users usually receive a notification, typically by e-mail. These messages, which appear to come from a known brand or platform, direct users to other sites.
When a user clicks the link and connects a wallet, the attack moves into its next phase: the attacker can now easily steal the cryptocurrencies or NFTs in the user’s browser-based wallet. The important point is that users should do the necessary checks instead of clicking on such links immediately.
2- Malware: This is another commonly used method. Malware is any harmful program or code that is delivered to a user’s system in order to take control of it; it is typically delivered through phishing e-mails, texts and messages sent to the user.
3- Hijacked Websites: In this type of attack, users believe they are visiting a legitimate website but are actually on a site that has been taken over by criminals. When they click on a link, image or file on such a site, they download malicious software to their devices.
4- URL Spoofing: In this method, fake websites are created by cloning legitimate ones. Users should disconnect from such sites and take no action on them. Also known as URL phishing, these sites can collect users’ names, passwords, credit card details, cryptocurrencies and other personal information.
5- Fake Browser Extensions: As the name suggests, this method uses counterfeit browser extensions to get crypto users to enter their credentials or keys into an extension that gives cybercriminals access to that data.
These attacks are usually aimed at accessing, stealing or destroying sensitive information or, as in Green’s case, wallet data.
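The phishing and URL spoofing items above both hinge on a link that looks legitimate but is not. The following is an added example (not code from the original article) of the checks a user or a browser extension could run on a received link before clicking it; the domain names in KNOWN_DOMAINS and in the comments are constructed placeholders, not real services.

```javascript
// Added example, not from the original article: simple heuristics a user (or a
// browser extension) could run on a link received by e-mail, SMS, Telegram or
// Discord before clicking it. KNOWN_DOMAINS is a constructed placeholder list;
// in practice it holds the genuine domains of the services the user relies on.
const KNOWN_DOMAINS = ["example-marketplace.com", "example-wallet.io"];

// Levenshtein edit distance, used to spot typosquatted lookalike domains.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Registrable part of a hostname (last two labels). Good enough for the plain
// TLDs used here; it is not a full public-suffix-list implementation.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Warnings that fired for the link; an empty list means no heuristic matched
// (which is not proof that the link is legitimate).
function assessLink(rawUrl, knownDomains = KNOWN_DOMAINS) {
  const warnings = [];
  let url;
  try { url = new URL(rawUrl); } catch { return ["not a valid URL"]; }
  const host = url.hostname.toLowerCase();
  if (url.protocol !== "https:") warnings.push("not served over HTTPS");
  // IDN hostnames are serialised as punycode ("xn--"); that is how homograph lookalikes surface.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("punycode (IDN) hostname, possible homograph");
  }
  const reg = registrableDomain(host);
  for (const known of knownDomains) {
    if (reg === known) continue; // genuine domain or one of its subdomains
    const brand = known.split(".")[0];
    if (host.includes(known) || host.startsWith(brand + ".")) {
      // Known name used as a subdomain of an unrelated registrable domain.
      warnings.push(`"${known}" appears inside unrelated domain ${reg}`);
    } else if (editDistance(reg, known) <= 2) {
      warnings.push(`lookalike of ${known}: ${reg}`); // typosquat
    }
  }
  return warnings;
}
```

A link that passes these checks still deserves the manual verification the article recommends; the heuristics only catch the common cloning tricks.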
So How Do We Protect Ourselves From Attacks?
There are several ways to protect yourself from all these attacks. The most important thing is simply to be careful. Lubeck, the security engineer quoted above, says the best way to protect users from phishing attacks is never to reply to an e-mail, SMS, Telegram link or WhatsApp message from an unknown person, company or account. Lubeck reinforces this with the following:
“I will go further than that. The user should never enter any credentials or personal information unless he/she has initiated the communication.”
Another suggestion: do not enter your credentials or personal information when using public or shared Wi-Fi connections.
How Should We Store Our Cryptocurrencies and NFTs?
There are several ways to protect the cryptocurrencies and NFTs we own. Chief among them is using an external hardware wallet to store digital assets whenever possible. These devices, known as “cold wallets” in the crypto market, are active only when their owners want to use them.
In other words, your assets are safe from online attacks because the device is not connected to the internet. Browser-based wallets such as MetaMask, now widely used, are convenient and fast, but keep in mind that anything connected to the internet can potentially be hacked.
If you use a mobile, browser or desktop wallet, also known as a “hot wallet”, download it from official platforms such as the Google Play Store, Apple’s App Store or the verified website. Never download from links sent by text or e-mail. Although malicious apps occasionally make it into official stores, this is still safer than using links. And after you have finished interacting with a site, make sure to disconnect your wallet from it.
Above all, never share the private keys, recovery phrase or passwords of a hot wallet with anyone. Some attackers have recently been asking for exactly this information in order to gain access to users’ assets. As is well known, a frenzy of airdrop distributions by newly launched projects has started recently.
Taking advantage of this, scammers have created fake projects and sites to defraud users caught up in airdrop FOMO. Therefore, only connect your wallet to sites that you have researched and know to be safe. If someone asks you to share this information in order to take part in any investment, airdrop or cryptocurrency transaction, you can be confident that it is very likely a scam.
In short, only invest in projects you understand and trust. If you are unsure of a project’s safety or legitimacy, do more research. Staying careful and doing your own research is in your best interest if you want to keep your assets safe.