In the world of cryptocurrencies, decentralized finance (defi), and Web3, airdrops have become commonplace in the industry. However, while airdrops sound like free money, there’s been a growing trend of airdrop phishing scams that steal people’s money when they attempt to get the so-called ‘free’ crypto assets. The following is a look at two different ways attackers use airdrop phishing scams to steal funds and how you can protect yourself.
Airdrops Doesn’t Always Mean “Free Crypto” – Many Airdrop Giveaway Promotions Seek To Steal You
Airdrops are synonymous with free crypto funds, so much so that a growing crypto scam called airdrop phishing has become widespread. If you’re part of the crypto community and use social media platforms like Twitter or Facebook, you’ve probably seen a number of spam messages announcing airdrops of all kinds.
Usually, a popular Twitter crypto account makes a tweet and it is followed by a slew of scammers advertising airdrop phishing attempts and plenty of accounts saying that they have received free money. Most people won’t fall for these airdrop scams but because airdrops are considered free crypto, there’s been a bunch of people who have lost funds by falling victim to these types of attacks.
The first attack uses the same social media advertising method, where a number of people or bots send a link that leads to the phishing airdrop scams webpage. The suspicious website may look very legitimate and even copy some of the elements of popular Web3 projects, but ultimately the crooks are looking to steal funds. The free airdrop scam could be an unknown crypto token, or it could also be a popular existing digital asset like BTC, ETH, SHIB, DOGE, etc.
The first attack usually shows that the airdrop is receivable but the person must use a compatible Web3 wallet to retrieve the so-called ‘free’ funds. The website will lead to a page that shows all the popular Web3 wallets like Metamask and others, but this time, when clicking on the wallet’s link an error will pop up and the site will ask the user for the seed phrase.
This is where things get shady as a Web3 wallet will never ask for the 12-24 seed or mnemonic phrase unless the user actively restores a wallet. However, unsuspecting airdrop phishing scam users may think the mistake is legit and enter their seed into the webpage which ultimately leads to loss of all funds stored in the wallet.
Basically, the user just gave the private keys to the attackers by falling for the Web3 wallet error page asking for a mnemonic phrase. A person should never enter their seed or 12-24 mnemonic phrase if prompted by an unknown source, and unless there’s a need to restore a wallet, there’s really never a need to enter a seed phrase online.
Giving Shady Dapp permissions isn’t the best idea
The second attack is a little trickier and the attacker uses the technical details of the code to steal the user from the Web3 wallet. Similarly, the phishing airdrop scam will be advertised on social media, but this time when the person visits the web portal, they can use their Web3 wallet to “log in” to the site.
However, the attacker has written the code in a way that makes it so that instead of giving the site read access to balances, the user is ultimately giving the site full permission to steal the funds in the Web3 wallet. This can happen by simply connecting a Web3 wallet to a scam site and giving it permissions. The attack can be avoided by simply not connecting to the site and walking away, but there are lots of people who have fallen for this phishing attack.
Another way to secure a wallet is to ensure that the wallet’s Web3 permissions are connected to sites the user trusts. If there are any decentralized apps (dapps) that seem shady, users should remove permissions if they accidentally logged into the dapp by falling for the “free” crypto scam. However, usually it is too late, and once the dapp is granted permission to access the wallet funds, the crypto is stolen from the user via the malicious coding applied to the dapp.
The best way to protect yourself from the two attacks mentioned above is to never enter your seed phrase online unless you are purposely restoring a wallet. Alongside this, it is also good form to never connect or give Web3 wallet permissions to shady Web3 websites and dapps you are unfamiliar with using. These two attacks can cause major losses to unsuspecting investors if they are not careful of the current airdrop phishing trend.
