PhishFort launches DeFi Focused Anti-Phishing Service
DeFi (Decentralized finance) projects have exploded in popularity in the crypto industry over the past year. DeFi as a whole strives to offer financial products and services to users in the crypto space, but unlike in the traditional financial sector, users are in complete control of their funds and have true financial sovereignty.
Cybercrime waits for no one, and phishing scammers have flocked to the new DeFi landscape in order to capitalize on the influx of new users and money in the space. Phishing campaigns are increasingly targeting both established and up-and-coming projects in order to scam users out of their hard-earned gains. We’ve written before about why we believe crypto is especially attractive to attackers, and the surge in attacks against DeFi comes as no surprise to us.
At PhishFort, we work with some of the biggest names in crypto to protect them against phishing attacks - CEXs, DEXs, wallets and dApps. Because of this exposure, we’ve gained some helpful insight into how attackers are currently targeting these brands.
The Four Avenues of DeFi Phishing
We’ve identified 4 primary vectors for delivering phishing attacks against the DeFi ecosystem. These are of course not comprehensive, but based on our data are the most commonly used methods in the space.
1. Google Ad Phishing
Google famously banned advertising of cryptocurrency and blockchain projects on its AdWords platform. However, Google Ads are continuously and repeatedly used to advertise crypto phishing campaigns to unsuspecting users.
For example, consider this attack against the platform Aave. Attackers take out advertisements on the keyword “aave” and pay Google to rank above the legitimate platform in the user’s search results.
Despite this getting public attention, Google has been slow to act and combat these scammers. Unsuspecting victims who search for their crypto platform of choice discover too late that the top results Google returns are, in fact, phishing links.
2. Social Media Phishing
The majority of phishing attacks against cryptocurrency companies are conducted on Twitter. However, other platforms are also regularly used by scammers, notably Telegram, Facebook, YouTube, LinkedIn, Discord and Reddit. Due to the size and activity of the crypto community on Twitter (so large that “CT” is common shorthand for “crypto Twitter”), we find a large number of attacks being launched there. Attackers are using a number of approaches to steal funds. The two most common methods we’ve observed them employing are:
Wait for a user to tweet at a DeFi project asking for support. A fake account, which has selected a similar handle and the same or a similar profile picture, then connects with the user, promising to guide them through fixing their problem as customer support. The unsuspecting user is actually speaking to a scammer, who convinces them to hand over their private key or otherwise steals their funds. This is often done through a traditional phishing website which appears to be a perfect clone of the legitimate site.
Use a well-respected project’s branding and influence in the space to launch fake airdrops or giveaway campaigns, in which the user is directed to a phishing site that asks for money in return for an airdrop or convinces the user to hand over their private key or seed phrase.
3. Mobile Application Phishing
Attackers will meet users where users spend their time. This is why over the last few years we’ve seen a huge migration of phishing away from traditional methods like email and SMS (which of course do still exist), towards social media platforms and mobile applications.
These mobile applications tend to encourage users to enter their private key or mnemonic at startup, at which point they display a generic error message. Instead of initializing the user’s wallet, the private key is sent to servers controlled by the attacker and the user’s wallet is drained. One of the primary targets of this new wave has been crypto wallets used to interact with the DeFi ecosystem.
Importantly, reviews and the number of downloads are not useful in determining whether a wallet is a phishing app. Attackers use fake accounts to boost the number of downloads and leave fake five-star reviews on the phishing app, misleading victims into trusting it. We recommend that users always download an app through a link from the official project website.
4. Websites and Domains
Most often, phishing attacks end up using a domain or website. This is true in the DeFi space as well, and we’ve seen a significant increase in these attacks since we first wrote about it. Fake social media accounts, for example, often redirect a user to a phishing website, and this is the case with Google Ad phishing too. As such, finding and shutting down phishing websites and domains is a cornerstone of any anti-phishing strategy. In most cases, phishing websites are visually identical to the legitimate website, making them extremely difficult for end users to spot.
To this end, at PhishFort we’ve gone to great lengths to become effective at combating phishing websites and blocking users from visiting them. For example, we’ve open-sourced our domain blacklist, which a number of high-profile crypto-related products use. These include Brave Browser, MyEtherWallet’s Chrome extension, and of course PhishFort’s own open-source browser plugin. When we blacklist an attack, millions of users are protected in near real time while we start working on getting the website removed from the internet.
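The blocking step described above, as an added example that is not PhishFort’s, Brave’s or MyEtherWallet’s code: a client consuming a domain blacklist has to normalize the host it is about to visit (case, trailing dot, Unicode lookalikes) and then match it against list entries by domain suffix, so that a listed domain also covers its subdomains without a listed name being matched as a mere substring of an unrelated one. The list entries, allowlist and URLs below are constructed for this example; the real list format and any allowlist are assumptions.

```javascript
// Added example (not PhishFort's code): how a browser extension could check a
// navigation target against a domain blocklist. All domains here use the
// reserved ".example" TLD and are constructed, not real phishing sites.

const BLOCKLIST = new Set([
  "aave-airdrop.example",  // constructed: fake airdrop site
  "defi-support.example",  // constructed: fake "customer support" site
]);

// Hosts that must never be blocked (constructed). Checked before the blocklist
// so an over-broad entry cannot cut users off from the legitimate product.
const ALLOWLIST = new Set(["app.aave.example"]);

// Reduce a URL or bare hostname to a canonical hostname. The WHATWG URL parser
// lowercases the host and converts IDN labels to punycode, so a Unicode
// lookalike domain compares as the same ASCII string a list would hold.
function normalizeHost(input) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  const candidate = hasScheme ? input : `https://${input}`;
  let host;
  try {
    host = new URL(candidate).hostname;
  } catch {
    return null; // unparsable input is reported, never silently allowed
  }
  // A trailing dot ("example.com.") is the same host in DNS terms.
  return host.toLowerCase().replace(/\.$/, "");
}

// Walk from the full host up through its parent domains, stopping before the
// bare TLD, so "login.aave-airdrop.example" yields
// ["login.aave-airdrop.example", "aave-airdrop.example"].
function candidateDomains(host) {
  const labels = host.split(".");
  const out = [];
  for (let i = 0; i < labels.length - 1; i++) {
    out.push(labels.slice(i).join("."));
  }
  return out;
}

// Verdict for one navigation: "allow", "block" or "invalid".
function classify(input, blocklist = BLOCKLIST, allowlist = ALLOWLIST) {
  const host = normalizeHost(input);
  if (host === null) return "invalid";
  const candidates = candidateDomains(host);
  if (candidates.some((d) => allowlist.has(d))) return "allow";
  if (candidates.some((d) => blocklist.has(d))) return "block";
  return "allow";
}

// Stand-alone demo over constructed URLs.
for (const u of [
  "https://app.aave.example/dashboard",
  "https://login.aave-airdrop.example/connect",
  "AAVE-AIRDROP.EXAMPLE.",
  "https://aave-airdrop.example.evil.example/",
]) {
  console.log(`${u} -> ${classify(u)}`);
}
```

Matching by suffix rather than by substring matters in both directions: “aave-airdrop.example” listed once blocks every subdomain an attacker spins up under it, but a host that merely contains that string inside a longer name under a different registered domain is not blocked, which is why a real deployment pairs the list with frequent updates rather than loosening the match.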
PhishFort’s DeFi Anti-Phishing Service
To combat these attacks, PhishFort has developed a one-of-a-kind anti-phishing offering that specifically monitors the four primary verticals for phishing attacks against DeFi projects:
Google AdWords Phishing
Fake Mobile Applications
Rogue Social Media Accounts
Phishing Websites and Domains
PhishFort has built scanners that scour the internet to find these attacks; once discovered, they are actioned by our team of analysts, who work on shutting the attack down. We work closely alongside teams building in the space and give them real-time information and updates about phishing incidents we’ve discovered and are taking action on. PhishFort will look after your product ecosystem to safeguard your revenue, your users’ funds, and your brand.