Airdrops have become commonplace in the world of cryptocurrencies, decentralized finance (DeFi) and Web3. But while airdrops sound like free money, there is a growing trend of airdrop phishing scams that steal people’s money when they try to obtain so-called “free” crypto assets. Below are two different ways attackers use airdrop phishing scams to steal funds and how to protect yourself.
Airdrops do not necessarily mean “free crypto” – many airdrop gift promotions are trying to rob you
Airdrops are synonymous with free crypto funds, so much so that a rising crypto scam called airdrop phishing is widespread. If you are a participant in the crypto community and use social media platforms such as Twitter or Facebook, you have probably seen numerous spam posts promoting airdrops of all kinds.
Typically, a popular Twitter crypto account will tweet, and the replies fill with scammers promoting airdrop phishing links or accounts claiming to have received free money. Most people will not fall for these airdrop scams, but because airdrops are considered free crypto, many people have fallen victim to this type of attack and lost their funds.
The first attack uses the same advertising method on social media, pushing links that lead many people and bots to an airdrop phishing web page. This shady website may look very legitimate and even copy some elements of a popular Web3 project, but ultimately the scammers aim to steal funds. The advertised airdrop could be an unknown crypto token, but it could also be a popular existing digital asset such as BTC, ETH, SHIB, DOGE, etc.
The first attack usually indicates that an airdrop can be received, but in order to get the so-called “free” funds, the person must use a compatible Web3 wallet. The website leads to a page showing all popular Web3 wallets, such as MetaMask, but this time an error pops up when the wallet link is clicked and the site asks the user for a seed phrase.
To get support, open MetaMask and go to “Support” or “Get Help” in the drop-down menu. Do not trust anyone who sends you a direct message. Under no circumstances should you share your secret recovery phrase with anyone or enter it into the site.
– MetaMask Support (@MetaMaskSupport) – 4/29/2022
Things get suspicious here, because the wallet never asks for a seed or 12-24 word mnemonic phrase. However, an unsuspecting user may think the error is legitimate and enter their seed into the web page, ultimately losing all funds stored in the wallet.
Basically, the user was asked for a mnemonic phrase on the Web3 Wallet error page and handed over their private key to the attacker. Also, there is really no need to enter the seed phrase online unless the wallet needs to be restored.
Giving permission to a suspicious Dapp is not a good idea
The second attack is a bit more sophisticated, as the attacker uses code to rob users of the funds in their Web3 wallet. As before, the airdrop phishing scam is promoted on social media, but this time, when a person visits the web portal, they can “connect” to the site using their Web3 wallet.
However, instead of giving the site read-only access to the balance, the attacker's code requests full permission over the wallet's funds, which the attacker eventually uses to steal them. This happens simply by connecting the Web3 wallet to the fraudulent site and giving that site the permission it asks for. This attack can be avoided by simply not connecting to the site and walking away, but many people fall for this phishing attack.
Here are the latest phishing scams
1️⃣ Airdrop the token
2️⃣ Create a website with the same name to make it easy to find
3️⃣ What appears to be staking of this token. Once found, you can spend an unlimited number of other tokens (i.e. SNX) on Approve txn and drain the tokens from your wallet. pic.twitter.com/vICIeC5rGk
– DeFi Dad ⟠ defidad.eth (@DeFi_Dad) Dec 20, 2021
Another way to secure your wallet is to make sure its Web3 permissions are granted only to sites that the user trusts. If a user falls for a “free” crypto scam and accidentally connects to a decentralized application (dapp) that seems suspicious, they should remove the permissions. However, it is usually too late: once the dapp has permission to access the wallet funds, the crypto is stolen from the user through malicious code in the dapp.
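The "Approve txn" request described in the tweet above can be recognised before signing by decoding the transaction's calldata. The following is an added example, not code from the original article or from any wallet; the function name `inspectCalldata`, the 2^255 "unlimited" threshold and the sample spender address are assumptions made for illustration.

```javascript
// Standard approval-granting function selectors (first 4 bytes of calldata).
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve",           // ERC-20 approve(address,uint256)
  "39509351": "increaseAllowance", // common ERC-20 extension (address,uint256)
  "a22cb465": "setApprovalForAll", // ERC-721/1155 setApprovalForAll(address,bool)
};
// Assumption: an amount of 2^255 or more is treated as "unlimited".
const UNLIMITED_THRESHOLD = 1n << 255n;

// Constructed sample: approve(0x1111...1111, 2^256 - 1). Not a real transaction.
const SAMPLE_SPENDER_WORD = "0".repeat(24) + "11".repeat(20);
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + SAMPLE_SPENDER_WORD + "f".repeat(64);

// Classify the `data` field of a transaction a site asks the wallet to sign.
function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) {
    return { risk: "unknown", reason: "not valid calldata" };
  }
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "none", reason: "not an approval call" };
  // Arguments are two 32-byte ABI words (64 hex chars each); trailing bytes
  // are ignored by contracts, so they must not hide the call from this check.
  const args = hex.slice(8);
  if (args.length < 128) return { risk: "unknown", fn, reason: "truncated arguments" };
  const spender = "0x" + args.slice(24, 64); // address = low 20 bytes of word 1
  const value = BigInt("0x" + args.slice(64, 128));
  if (fn === "setApprovalForAll") {
    return value !== 0n
      ? { risk: "high", fn, spender, reason: "operator can move every token in the collection" }
      : { risk: "none", fn, spender, reason: "operator approval revoked" };
  }
  if (value === 0n) return { risk: "none", fn, spender, reason: "grants no allowance" };
  if (value >= UNLIMITED_THRESHOLD) {
    return { risk: "high", fn, spender, reason: "unlimited allowance for spender" };
  }
  return { risk: "review", fn, spender, amount: value.toString(), reason: "bounded allowance" };
}
```

A "high" result means the spender address shown could move the token without any further signature, which is the point at which to reject the request and walk away.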
The best way to protect yourself from both of the above attacks is to never enter your seed phrase online unless you are intentionally restoring your wallet. Along with this, it is also good practice not to connect or grant access to your Web3 wallet to suspicious Web3 websites or unfamiliar apps. These two attacks can cause significant losses to unsuspecting investors if they are not aware of current airdrop phishing trends.