Do not click on unknown links and do not approve any signature requests on unknown sites.
According to SlowMist threat intelligence, the following NFT phishing websites were identified:
Let’s first analyze phishing website 1:
As soon as you enter the site and connect a wallet, a signature request pops up; clicking anything other than the signature button does nothing. The page appears to be nothing more than a static image.
Let’s first look at the signature content:
- Maker: User address
- Exchange: 0x7f268357A8c2552623316e2562D90e642bB538E5, which a lookup shows to be the OpenSea V2 (Wyvern Exchange) contract address.
This is a sell order that the user is tricked into signing for an NFT the user holds. Once it is signed, the scammer can fill the order through OpenSea and take the NFT, at a price the scammer chose when constructing the order. In other words, the scammer “buys” the user’s NFT without spending any funds.
Note also that the signed order is held off-chain by the attacker. Revoking token approvals through sites such as Revoke.Cash or Etherscan does not invalidate the signature itself: the order remains valid until it expires or is cancelled. Cancelling the pending order on-chain (OpenSea’s cancel-listing flow does this) does invalidate it, which removes this phishing risk at the root.
Looking at the source code, I found that the phishing site was cloned directly from c-01nft.io (the real site) with the HTTrack tool. Comparing the code of the two sites, the phishing site contains the following additional content:
Looking at this JS file, I found another phishing site, https://polarbears.in.
In the same way, https://polarbearsnft.com/ (the real site) had been copied with HTTrack, and again the clone consisted of nothing but a static image.
Following the link in the picture above, we arrive at https://thedoodles.site, another HTTrack clone; it seems we have entered the phishing den.
Comparing the code, a further phishing site, https://themta.site, was found, but it cannot be opened at present.
A search turned up 18 results related to thedoodles.site, and phishing website 2 (https://acade.link/) is on that list as well. The same group of crooks copies its own sites over and over, casting a wide net.
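The pivot used above (recognize an HTTrack mirror, recover the real site it was copied from, then look for references that point to a different domain) can be automated. The following is an added example written for this page, not code from the SlowMist write-up; the HTML it analyzes is constructed for illustration and only reuses the domain names that appear in the article. It relies on the comment HTTrack leaves at the top of every mirrored page (`<!-- Mirrored from <origin> by HTTrack Website Copier ... -->`).

```javascript
// Added example (not from the SlowMist write-up). Given the HTML of a
// suspected clone it (1) reads the HTTrack "Mirrored from" comment to
// recover the original site and (2) lists script/link/iframe/form
// references whose host is neither relative nor the original site,
// which is how the write-up pivoted from one phishing site to the next.

const HTTRACK_RE = /<!--\s*Mirrored from\s+([^\s]+)\s+by HTTrack Website Copier/i;

// Tags whose src/href/action attribute is worth following.
const REF_RE = /<(script|a|iframe|form)\b[^>]*?\s(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // relative path: part of the mirror itself
  }
}

function analyzeClone(html) {
  const m = html.match(HTTRACK_RE);
  // HTTrack records the origin as "host/" or "host/page.html"; keep the host only.
  const mirroredFrom = m ? m[1].replace(/\/.*$/, "").toLowerCase() : null;

  const foreign = [];
  let r;
  while ((r = REF_RE.exec(html)) !== null) {
    const [, tag, url] = r;
    const host = hostOf(url);
    if (!host) continue;
    if (mirroredFrom && host === mirroredFrom) continue; // expected: the cloned site
    foreign.push({ tag: tag.toLowerCase(), host, url });
  }
  return { isHttrackMirror: Boolean(m), mirroredFrom, foreign };
}

// Constructed sample resembling the phishing site 1 page described above.
const SAMPLE_CLONE_HTML = `<!DOCTYPE html>
<!-- Mirrored from c-01nft.io/ by HTTrack Website Copier/3.x [XR&CO'2014], Sat, 10 Sep 2022 10:00:00 GMT -->
<html><head><title>C-01</title>
<script src="js/app.js"></script>
<script src="https://polarbears.in/static/mint.js"></script>
</head><body>
<img src="images/site.png">
<a href="https://thedoodles.site/">mint</a>
</body></html>`;

// Usage: print the origin and every off-site reference worth a look.
const report = analyzeClone(SAMPLE_CLONE_HTML);
console.log("mirrored from:", report.mirroredFrom);
for (const f of report.foreign) console.log(`${f.tag} -> ${f.host} (${f.url})`);
```

Run it against each newly discovered clone and feed the off-site hosts back in; the loop ends when no new hosts appear, which is the “phishing den” enumeration the write-up did by hand.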
Now let’s analyze phishing site 2:
Similarly, the signature request window pops up as soon as you click in:
And the content to be signed is the same as on phishing site 1:
- Maker: User address
- Exchange: OpenSea V2 Contract
- Taker: the scammer’s contract address
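What makes both requests dangerous is visible in the typed data itself, before anything is signed. The following is an added example for this page, not code from SlowMist or OpenSea: it audits an EIP-712 payload of the kind a wallet receives through `eth_signTypedData_v4` and flags the pattern described for phishing sites 1 and 2 (a Wyvern/OpenSea V2 sell order whose maker is the victim, whose taker is pinned to the scammer, and whose price is zero). The field names follow the Wyvern v2.3 `Order` struct (an assumption, since the page only shows maker, exchange and taker), and every address other than the exchange contract is made up.

```javascript
// Added example (not from the SlowMist write-up or from OpenSea).
// Checks a parsed eth_signTypedData_v4 payload for the zero-price
// private sell order used by the phishing sites described above.
// Field names follow the Wyvern v2.3 Order struct (assumption);
// the sample payload at the bottom is constructed.

const OPENSEA_WYVERN_V2 = "0x7f268357A8c2552623316e2562D90e642bB538E5"; // from the article
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const SIDE_SELL = 1; // Wyvern: 0 = buy, 1 = sell
const ONE_YEAR = 365 * 24 * 3600;

function sameAddress(a, b) {
  return typeof a === "string" && typeof b === "string" && a.toLowerCase() === b.toLowerCase();
}

// userAddress: the account the wallet would sign with.
// now: unix time, injectable so the check is deterministic in tests.
function auditTypedData(typedData, userAddress, now = Math.floor(Date.now() / 1000)) {
  const domain = typedData.domain || {};
  const msg = typedData.message || {};
  const findings = [];

  if (typedData.primaryType !== "Order" || !sameAddress(domain.verifyingContract, OPENSEA_WYVERN_V2)) {
    return { isWyvernOrder: false, sellsMyAsset: false, findings, verdict: "NOT_A_WYVERN_ORDER" };
  }

  // A genuine listing also has side = sell and maker = you, so that alone is
  // only context; the red flags are what the order says about price and taker.
  const sellsMyAsset = Number(msg.side) === SIDE_SELL && sameAddress(msg.maker, userAddress);
  if (!sellsMyAsset) {
    return { isWyvernOrder: true, sellsMyAsset, findings, verdict: "REVIEW" };
  }

  if (BigInt(String(msg.basePrice ?? "0")) === 0n) {
    findings.push("basePrice is 0: your asset is being offered for free");
  }
  if (typeof msg.taker === "string" && !sameAddress(msg.taker, ZERO_ADDRESS)) {
    findings.push(`private order: only taker ${msg.taker} can fill it`);
  }
  const expiry = Number(msg.expirationTime ?? 0);
  if (expiry === 0 || expiry - now > ONE_YEAR) {
    findings.push("order never expires (or not for over a year)");
  }

  return { isWyvernOrder: true, sellsMyAsset, findings, verdict: findings.length ? "REJECT" : "REVIEW" };
}

// Constructed sample: how the phishing page's request looks once decoded.
const VICTIM = "0x1111111111111111111111111111111111111111";
const SCAMMER_TAKER = "0x2222222222222222222222222222222222222222";
const SAMPLE_PHISHING_ORDER = {
  types: {}, // type definitions omitted; the audit reads domain and message only
  primaryType: "Order",
  domain: { name: "Wyvern Exchange Contract", version: "2.3", chainId: 1, verifyingContract: OPENSEA_WYVERN_V2 },
  message: {
    exchange: OPENSEA_WYVERN_V2,
    maker: VICTIM,
    taker: SCAMMER_TAKER,
    side: 1,
    paymentToken: ZERO_ADDRESS, // ETH
    basePrice: "0",
    listingTime: "1660000000",
    expirationTime: "0",
    salt: "12345",
  },
};

// Usage: in a wallet or extension this would run before the signing prompt.
const result = auditTypedData(SAMPLE_PHISHING_ORDER, VICTIM, 1660000100);
console.log(result.verdict, result.findings);
```

A legitimate OpenSea listing produces no findings here (taker is the zero address, a non-zero price, a bounded expiry) and is returned as REVIEW rather than silently allowed, since the site presenting the request still has to be verified.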
Analyzing the scammer’s contract address (0xde6…45a) first, we see that MistTrack has already flagged it as a high-risk phishing address.
Next, we use MistTrack to look at the address that created the contract (0x542…b56):
Its initial funds came from another address flagged as phishing (0x071…48E), and further back the funds came from three other phishing addresses.
This article covers a fairly common NFT phishing method: the scammer gets you to sign a sell order on an NFT you have approved for trading, and can then buy it for 0 ETH (or whatever price and token the scammer wrote into the order). Following the clues, we also pulled out a cluster of related phishing websites. Recommendations:
- Verify the URL of an NFT site before logging in or making a purchase.
- Do not click on unknown links, and do not approve signature requests on unfamiliar sites.
- Regularly check for interactions with abnormal contracts and revoke unneeded approvals promptly.
- Keep funds isolated: do not keep your assets in the same wallet you use to interact with new sites.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/slow-mist-analysis-of-0-yuan-purchase-nft-phishing-website/