A New Scam Emerges: Beware of Phishing Websites Disguised as Transfer Addresses
By: Lisa, SlowMist Security Team
Background
A new type of phishing scam has recently come to our attention. This scam typically occurs on chat applications like Telegram, often targeting users involved in off-exchange cryptocurrency transactions. The scammer, under the guise of checking for risks associated with the victim’s address, requests a small transfer of 0.1 USDT to assess the address’s security. They then provide the victim with a blockchain address for the transfer, emphasizing that it must be entered into a wallet browser for the transaction to proceed. However, upon entering this blockchain address, victims discover their entire account balance has been stolen.
How It Works
Based on information provided by victims, we’ve analyzed the situation and discovered that this is not a simple case of funds being stolen during a transfer (addresses have been blurred to protect victim privacy). Our experience suggests this is a phishing scam enabled by unauthorized access.
The scammer (TK…Gh) utilizes the transferFrom function to transfer 271,739 USDT from the victim’s address (TX…1W) to the scammer’s address (TR…8v). This leads us to the blockchain address provided by the scammer: 0x2e16edc742de42c2d3425ef249045c5c.in
At first glance, the address appears legitimate. However, closer inspection reveals significant issues. First, the address carries a 0x prefix even though the transaction is on TRON, and the address itself is a website ending in .in. Further investigation reveals that this is not an address but a website created just a month ago (October 11th), with an associated IP address of 38.91.117.26.
This IP address hosts similar websites, all created within the past month:
- 0x2e16edc742de42c2d3425ef249045c5b.in
- tgsfjt8m2jfljvbrn6apu8zj4j9ak7erad.in
Currently, only 0x2e16edc742de42c2d3425ef249045c5b.in is accessible. Opening this address in a wallet browser reveals a page that only allows selection of the TRON network. After entering an amount and clicking Next, the page displays Contract interaction:
Decoding the data in the Data section reveals that the scammer (TYiMfUXA9JcJEaiZmn7ns2giJKmToCEK2N) is tricking users into signing an increaseApproval call. Once the user clicks Confirm, their tokens are stolen by the scammer using the transferFrom method.
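As an added illustration (not code from the SlowMist article), the following Python decodes the Data field of such a contract interaction and flags an approval-type call before the user confirms it; the selector table is the standard ERC-20/TRC-20 set, and the sample calldata, including its spender address, is constructed for the example rather than taken from the scam.

```python
import hashlib

# Function selectors (first 4 bytes of keccak256 of the signature). Standard
# ERC-20/TRC-20 selectors; the scam page asks the user to sign increaseApproval
# so the scammer can later drain the balance with transferFrom.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "d73dd623": "increaseApproval(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
APPROVAL_CALLS = {"approve", "increaseApproval", "increaseAllowance"}
MAX_UINT256 = (1 << 256) - 1
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def to_tron_address(hex20: str) -> str:
    """Base58Check-encode a 20-byte hex account id as a TRON T... address."""
    raw = bytes.fromhex("41" + hex20)             # TRON mainnet prefix 0x41
    check = hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw + check, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def decode_calldata(data_hex: str) -> dict:
    """Decode the Data field of a TRC-20 contract interaction and flag approvals."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    sig = SELECTORS.get(data[:8], "unknown")
    name = sig.split("(")[0]
    words = [data[i:i + 64] for i in range(8, len(data), 64)]  # 32-byte ABI words
    result = {"function": sig, "is_approval": name in APPROVAL_CALLS}
    if result["is_approval"] and len(words) >= 2:
        amount = int(words[1], 16)
        result["spender"] = to_tron_address(words[0][-40:])  # last 20 bytes of word
        result["amount"] = amount
        result["unlimited"] = amount == MAX_UINT256
    return result

# Constructed sample: increaseApproval granting an unlimited allowance to a
# made-up spender (0xab repeated), not the real scammer address from the article.
SAMPLE_DATA = "0xd73dd623" + "00" * 12 + "ab" * 20 + "ff" * 32

if __name__ == "__main__":
    print(decode_calldata(SAMPLE_DATA))
```

A wallet or browser extension that surfaces the decoded function name, the spender in T... form and an "unlimited" flag gives the user the one fact the phishing page hides: that this is an allowance grant, not a 0.1 USDT transfer.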
Analyzing the scammer’s address reveals that other users have fallen victim to this scam:
The majority of the victims’ USDT has been transferred to the address TLdHGHB8HDtPeUXPxiwU6bed6wQEH25ZKQ:
Using MistTrack to analyze this address shows that it has received over 3,827 USDT.
Conclusion
This new phishing scam highlights the importance of being vigilant when interacting with unknown individuals online, especially when dealing with cryptocurrency transactions. Always verify the legitimacy of any provided addresses and websites before proceeding with any transactions. If you suspect you are being targeted by a scam, do not hesitate to contact your exchange or wallet provider for assistance.
References
* MistTrack: https://misttrack.io/
Note: This article is for informational purposes only and should not be considered financial advice.