As the popularity of NFT and cryptocurrencies increases, so does the risk of scammers. In order to be safe on the Web 3, you should pay attention to a few points.
Like everywhere else on the Internet, Web 3 has cybercriminals trying to rob unwary users of their digital possessions.
The Metaverse and other Web 3 applications such as blockchain, cryptocurrencies and non-fungible tokens (NFT) are becoming more and more popular. Thanks in no small part to Mark Zuckerberg’s announcement in Fall 2021 that he would rebrand Facebook to Meta and focus on building a metaverse. More and more people are trying NFT or cryptocurrencies. This also makes them increasingly attractive to cybercriminals.
In mid-February, an NFT theft caused a stir. Non-fungible tokens are basically digital certificates of ownership for unique virtual objects. Attackers were able to capture NFTs worth around $2.9 million on Open Sea, the largest marketplace for such certificates.
The scammers took advantage of the fact that Open Sea was in the process of updating their smart contract. Such digital contracts are basically computer programs stored on a blockchain that are executed when certain conditions are met. You can interact with them and thereby make transactions on the blockchain.
According to previous knowledge, the scammers posed as Open Sea employees via email and asked NFT owners to adapt their smart contract. However, the digital contract created by the attackers was incomplete, and the victims signed a blank check, so to speak. Once signed, it was amended to allow for an authorized transfer from NFT.
Various security risks identified
Such malicious smart contracts are one of many ways cybercriminals try to steal their digital possessions from users. Cisco Talos, a consulting firm specializing in cybersecurity, analyzed the threat from Web 3 applications in a study and identified various security risks.
Apart from the above method, there are other ways to dupe users with a malicious smart contract user. One of them is to obscure the origin of an NFT. A smart contract is modified in such a way that it incorrectly displays the wallet of a well-known artist on the user interface as the origin of an NFT instead of the actual origin.
This is possible because the scammer uses the malicious smart contract to control the presentation of the data via the NFT created with it. An unsuspecting buyer verifying that the NFT was truly created by that artist would not suspect from the data presented on the UI. As a rule, the code on which a smart contract is based is publicly available. If it is not, this is a strong indication of a potential attempt at fraud.
Another source of danger is the public nature of the blockchain. Anyone who has the address of a crypto wallet can easily see its content and value. However, it is usually unclear who owns the wallet because the addresses are anonymous. On the Ethereum blockchain, these consist of 42 alphanumeric characters. However, it is possible to replace this address with a memorable alternative, for example «name.eth», using the Ethereum Name Service (ENS).
Some people also use their ENS name publicly, for example as a Twitter handle. Aside from revealing some of their own financial circumstances, criminals could use the information to ambush the owners and blackmail the transfer of bitcoins. There is also a risk that fraudsters will use misleading ENS names, for example from a bank, to trick potential victims.
Social engineering as the biggest problem
According to Cisco Talos, the greatest danger with Web 3 is social engineering, i.e. when users are tempted to take careless actions. This works particularly well with emerging technologies such as Web 3, which are still new and unknown to many.
One possible target is a user’s seed phrase. This is the name of the passcode that serves as a security key for crypto wallets. If a wallet is lost or destroyed, users can regain access to it using the seed phrase. However, if you know them, you can also clone an existing crypto wallet and use it yourself. Fraudsters therefore try to persuade users to reveal their seed phrase by means of fake offers or false support requests.
A number of Web 3 applications require access authorization in order to carry out transactions in the crypto wallet on behalf of the user. In the case of an NFT marketplace like Open Sea, such a permission makes perfect sense. However, fraudsters try to elicit such authorization from users with phishing offers and thus gain access to the contents of a wallet.
Traveling safely on the Web 3
To be prepared for all these potential risks, Cisco Talos has put together a set of recommendations for Web 3 users.
- Observe basic safety rules: Users should use secure passwords, a password manager and, if possible, multi-factor authentication (MFA). It is also recommended to segment your own network and to regularly check network activity. Internet, ENS domain and cryptowallet addresses are to be checked for misspellings. Under no circumstances should you click on links that are presented to you unsolicited via social networks or e-mails.
- Protect seed phrase: Under no circumstances should the seed phrase be disclosed.
- Using a hardware wallet: One possibility for additional security is the use of a hardware wallet. A transaction can only be carried out if this is confirmed by connecting the hardware wallet to a device and by additional approval, for example by entering a PIN .
- Research transactions well: Anyone who buys an NFT should examine the associated smart contract. If the code is not publicly available, this is a strong indication of possible fraud. Users should educate themselves about who is behind an NFT project and ensure they are transacting the correct project on the correct blockchain.
- Use dummy crypto wallet: Those looking to buy an NFT can also use a freshly created crypto wallet that contains just enough funds to pay for the costs involved. If there is a problem, you do not immediately lose all the values of the main crypto wallet.
Many of the applications on the Web 3 have a strong technical component. However, as Jaeson Schultz, technical leader of the Cisco Talos Security Intelligence & Research Group, emphasizes when asked, one does not necessarily have to be able to program in order to use the technology. If you ensure that the address of a smart contract or domain matches what is publicly known about it and are careful when releasing transactions or access rights, you can move around the Web 3 relatively safely.
In the future, Schultz expects security mechanisms to evolve and adapt to different threats. Even in the early days of e-mail, the technology was plagued by spam until, over time, malicious senders could be identified and blocked. He also observed a similar development with Web 3: Wallets containing illegal funds or stolen NFT could be monitored and flagged as malicious. As a result, their possibilities are limited to continue to offer and use Web 3 applications.