COMMON TRENDS WITH PHISHING IN WEB3

Ohm Shah
Co-Founder at Wallet Guard

Common Trends with Phishing in Web3

In this article we will go over some of the variables the Wallet Guard team has observed as commonalties amongst phishing attempts!
  • Link Unfurling Attacks
  • Using Special Characters & Similar URLS
  • DNS Record Changes
  • Recent Registrations

1. Link Unfurling Attacks

Threat actors can abuse Twitter/X link preview cards to make their scams more believable. Twitter/X will show a different website than where you will actually end up, thus tricking most people. Discord also allows users to mask a link, but will show a warning before you visit with the link that you are actually visiting.

Wallet Guard will warn you if you are about to interact with a wallet drainer or malicious website.

2. Special Characters & Similar URLS

Special characters (homoglyphs) can be used in URLs in order to trick people into thinking they are clicking on a real link. For example, "opensea.io" and "openséa.io" look similar at first glance, but the "e" is using a special character in the second link.

Many common phishing campaigns tend to use URLs similar (fuzzy URLs) to the official sites. For example, "openseaa.io" instead of "opensea.io" or "open-sea.io" instead of "opensea.io".

Wallet Guard will warn you if you are visiting a scam link that is attempting to appear like the real counterpart.

3. DNS Record Changes

🔎 DNS Records for scams tend to be created within 3 weeks of it being spread.

🔎 When a DNS is hijacked like with polygon-rpc the ‘Updated’ field in the record is changed.

Wallet Guard automatically checks DNS records and alerts you.

4. Recent Registrations

Most scam websites are registered, spun up, and taken down within a 24 to 48 hour period. Public WHOIS information lets you see when a domain was registered.

For example, if the website for a project you are about to visit is claiming they have been in development for months, but the website was created literally yesterday, that is a massive red flag and most likely a scam.

You can check public WHOIS information for websites by going to WHO.IS which references a public database of registration records.

Wallet Guard will notify you if the website you are dealing with was recently registered or created.

Key Takeaways

  • Links are not always as they seem
  • Recently created websites/modified DNS records should be red flags
  • Be alert of similar spelling or special characters in URLs
  • Check out the Wallet Guard Academy for more educational content to stay safe

Wallet Guard

Wallet Guard detects wallet drainers, scams, phishing websites and bad signatures before they interact with your wallet of choice. It's a free open-source browser extension that is already helping secure over 50,000 wallets. Add it to your browser!

Protect Your Crypto - Wallet Guard

Published on
September 26, 2023

Related Articles

All articles