时间:2024-01-31|浏览:286
1.Discord钓鱼
在 Discord 社区中,您可能会遇到类似的消息,声称您赢得了奖品,但它们实际上是伪装的网络钓鱼链接。
单击该链接将您带到一个类似于 Discord 的网站,并提示授权。
点击授权后,会弹出另一个Discord登录窗口。
首先,我们无法将该登录窗口拖到当前浏览器窗口之外;
其次,显示的地址中也有一些可疑的方向。地址「https:\\discord.com\login」使用反斜杠 (\) 进行连接,而官方登录地址「https://discord.com/login」则使用正斜杠(/)进行导航。
该窗口页面外观与非常合法的不和谐登录窗口缩小,差异缩小。官方登录窗口图如下:
一旦在用户该钓鱼页面输入账户用户名和密码,其个人账户将立即被泄露,敏感信息将被公开。随后,欺诈者可以利用这些信息未经授权访问用户账户并开展欺诈活动。
在浏览器开发者模式下检查网页源码
你可以通过浏览器开发者模式,检查网页源码。
在上面的钓鱼过程中,点击授权后,弹出的假冒Discord登录窗口其实不是一个新闻,而是一个嵌入式界面。这是怎么发现的呢?
查看Pages发现,这是一个img源码标签,用于在网页中插入图片,src用来指定该图片的路径。
从官方的Discord登录窗口进入浏览器的开发者模式,如下图所示:
因此,当我们发现异常点之后,可以通过按 F12 进入浏览器的开发者模式,查看页面源码来判断我们的怀疑是否正确。尤其是在您点击外星人链接领取奖励时,更要持怀疑和谨慎的心态进行每一步操作。
2. Twitter钓鱼
空投和免费 NFT 是许多人非常感兴趣的领域。诈骗者利用被劫持的经过验证的 Twitter 账户发起活动将用户重定向到网络钓鱼网站。
诈骗者利用合法的NFT项目的资产来创建钓鱼网站。
他们利用 Linktree 等流行服务将用户重定向到编辑 NFT 市场(如 OpenSea 和 Magic Eden)的虚假页面。
攻击者将试图诱使用户将其加密货币钱包(例如 MetaMask 或 Phantom)连接到网络钓鱼网站。毫无戒心的用户可能会不知不觉地拥有这些网络钓鱼网站访问其钱包的权限。通过这个过程,诈骗者可以转出以太坊 ($ETH) 或 Solana ($SOL) 等加密货币,以及这些钱包中持有的任何 NFT。
小心 Linktree 中可疑的链接
当在用户 Linktree 或其他类似服务中添加相关链接时,需要验证链接的域名。在点击任何链接之前,检查链接的域名是否与真实的 NFT 市场域名匹配。诈骗者可能会使用类似的域名来模仿真实的域名的市场。例如,真实的市场可能是 opensea.io,而虚假的市场可能是 openseea.io 或 opensea.com.co 等。
首选,你找到需要链接的官网地址https://opensea.io/,并复制URL。
在Linktree中点击「添加链接」,此时输入刚才复制的URL,点击「添加」按钮。
添加成功,即可在右侧看到「Opensea」。点击「Opensea」,即可重定向到官方的Opensea官方网站。
3.网页篡改/假冒钓鱼
诈骗者发送网络钓鱼电子邮件和链接,主题行例如“不要错过限时 OpenAI DEFI 代币空投”。该网络钓鱼电子邮件声称 GPT-4 现在可供拥有 OpenAI 代币的人使用。
点击「开始」按钮后,您将被重定向到网络钓鱼网站,openai.com-token.info。
将您的钱包连接到网络钓鱼网站。
用户被引诱点击「点击此处领取」按钮,点击后,可以选择使用MetaMask 或 WalletConnect 等流行的加密货币钱包进行连接。
连接之后,钓鱼网站能够自动将用户钱包中的所有加密货币代币或NFT资产转移到攻击者的钱包中,从而窃取钱包中的所有资产。
识别真假域名
如果您知道如何识别 URL 中的域名,那么您将能够有效地避免网页篡改/假冒钓鱼。以下,解释了域名的关键组成部分。
一般常见的网站要么是二级域名,要么是三级域名。
二级由域名主域名和顶级域名组成,比如,google.com。其中「google」是主域名,是域名的核心部分,表示网站的名称。「.com」是顶级域名,是域名的最后部分,表示域的类别或类型,例如.com、.net、.org等。「.com」表示商业网站。
三级由域名主域名、子域名和域名组成,比如,mail.google.com。「mail」是子域名,「google」是主域名,「.com」是顶级域名。
解释一下上面的网络钓鱼网站,openai.com-token.info。
「openai」是子域名。
「com-token」是主域名。
「.info」是顶级域名。
很明显,这个钓鱼网站假冒的是OpenAI,OpenAI的官方域名是openai.com。
「openai」是主域名。
「.com」是顶级域名。
How did this phishing website pretend to be OpenAI? The attacker made the first half of the phishing URL look like "openai.com" by using the subdomain "openai" and the main domain ".com-token", where "com-token" uses hyphens.
4. Telegram Phishing
Telegram phishing is a cybersecurity issue worthy of concern. In these attacks, bad actors aim to take control of users' web browsers in order to obtain critical account credentials. To illustrate this more clearly, let's look at an example step by step.
Scammers are sending private messages to users on Telegram with a link to the latest Avatar 2 movie and a straightforward-looking address.
Once you open the link, you'll arrive at a page that looks like a real link to the movie, and you can even watch the video. However, by this time, the hacker had gained control of the user's browser.
Get into the hacker’s shoes and see how they use browser exploits to take control of your browser.
After examining the hackers’ control panel, it became clear that they had access to all information about the browsing users. This includes the user's IP address, cookies, proxy time zone, etc.
Hackers have the ability to switch to the Google Mail phishing interface and perform phishing attacks against Gmail users.
At this point, the front-end interface changes to the Google Mail login page. The user enters their account credentials and clicks the login button.
In the background, the hacker successfully received the login username and password. This method is used to maliciously obtain user account and password information, which ultimately leads to leakage of user information and economic losses.
Check the remotely loaded JavaScript script in the web page source code
You can enter the browser developer mode and check whether there are remotely loaded JavaScript scripts in the source code of the web page. This script is the key for the attacker to control the user's browser. How to determine whether there is such a phishing script in the link you click?
In the above phishing process, you enter the link to the "Avatar 2" movie. You can press the F12 key to enter the developer mode of the browser and find that the link points to a remotely loaded JavaScript script. Hackers remotely control the browser by executing script content to obtain the user's account and password.
While watching the "Avatar 2" movie on a regular website, we entered the developer mode of the browser and did not find any JavaScript scripts pointing to remote loading.
5. Metamask fishing
Here, taking the Metamask plug-in as an example, we will introduce how an attacker can use this plug-in to steal the user's wallet private key.
The attacker obtains the target user's contact information, such as email address or social media account. Attackers pretend to be trusted entities, such as the official Metamask team or partners, and send phishing emails or social media messages to target users. Users receive an email impersonating MetaMask, asking to verify their wallet:
The user clicks "Verify your wallet" and enters the following page, which claims to be Metamask's official website or login page. During the actual phishing attack, we found two different phishing pages. The first directly asked the user to enter the key, and the second asked the user to enter the recovery phrase. The essence of both is to obtain the user's metamask key.
The attacker obtains the victim's private key or recovery phrase and can use this information to access and control the target user's Metamask wallet and profit by transferring or stealing the target user's cryptocurrency.
Check Metamask email and domain
If you need to install the Metamask plug-in on chrome, the official link is https://metamask.io/
A link that contains phishing scams is https://metamaskpro.metamaskglobal.top/#/, please pay attention to screening.
When you receive an email from a suspected Metamask, you need to pay attention to identify the sender and recipient information:
There are serious misspellings in the sender's name and email address: Metamaks instead of MetaMask.
The recipient does not include your real name, some other information that identifies you, and a clearer description of what needs to be done. This proves that this email may be sent in bulk and not just to you.
Secondly, you can also check the authenticity of these links by domain name:
Click "Verify your wallet" to enter the phishing webpage, metamask.authorize-web.org. Analyze this domain name:
"metamask" is a subdomain
"authorize-web" is the main domain name
".org" is the top-level domain name
If you know the official domain name of metamask, metamask.io, you will easily find that you have been attacked by a phishing attack:
"metamask" is the main domain name
".io" is the top-level domain name
The phishing site's domain name, metamask.authorize-web.org, has an SSL certificate, which tricks users into thinking it's a safe place to trade. But you need to note that the use of MetaMask is only under the subdomain name of the registered top-level domain.
6. VPN Phishing
A VPN is an encryption technology used to protect the identity and traffic of Internet users. It encrypts and transmits user data by establishing a secure tunnel between the user and the Internet, making it difficult for third parties to invade and steal data. However, many VPNs are phishing VPNs, such as PandaVPN, letsvpn, and LightyearVPN to name a few. Phishing VPNs typically leak the user’s IP address.
When you connect using a VPN, your device sends a DNS request to the VPN server to get the IP address of the website you want to visit. Ideally, a VPN should handle these DNS requests and send them through the VPN tunnel to the VPN server, thus hiding your true IP address. If you are using a phishing VPN, a DNS leak can occur and your real IP address may be recorded in DNS query logs, making your online activities and access records traceable. This can destroy your privacy and anonymity, especially if you are trying to hide your real IP address.
IP leak self-check
When you use a VPN to surf the Internet, you can test whether the VPN is leaking your IP address through the ipleak.net or ip8.com websites. These websites can only display your public IP address, which is the IP address assigned to your Internet connection. If you are using a VPN service, these websites will display the IP address of the VPN server you are connected to, rather than your real IP address. This can help you verify whether the VPN is successfully hiding your real IP address.
You can check if your IP address has been compromised by following the instructions below:
Open your browser and visit ipleak.net, which will display your current IP address. As shown in the image below, your IP address appears as 114.45.209.20. And pointed out that "If you are using a proxy, it’s a transparent proxy." This indicates that your IP address has not been leaked and that your VPN connection is successfully hiding your real IP address.
这时,你也可以通过 ipconfig /all 命令行查询你的真实 IP 地址,如果这里查询的 IP 地址和通过 ipleak.net 查询的 IP 地址不一致,则表明你的 IP 地址确实被隐藏了。如果一致,则表明你的IP暴露了。如下图所示,通过ipconfig /all查询机本真实IP地址为192.168.*.*,与上图所示的114.45.209.20不一致,IP地址未泄露。
总结
综上所述,我们详细介绍了六种 Web3 社交工程攻击方式,并提供了相应的识别和预防措施。为了有效避免 Web3 社交工程攻击,您需要提高对陌生人链接、邮件以及来自社交平台的消息的除此以外,我们还建议您了解如何在浏览器的开发者模式下检查网页源码,如何识别真假域名,如何自检IP地址是否泄露,并分析其中存在的安全隐患。
热点:WEB