Elaborate Scheme on Phishers Posing as Journalists Uncovered


Blockchain security firm SlowMist has cautioned about a surge in phishing attacks carried out by impostors posing as journalists on the recently launched decentralized social network friend.tech.

It was first flagged on October 14, when Twitter user Masiwei reported malicious code targeting friend.tech for account theft. As per the SlowMist Security Team’s investigation, the link shared by the attacker included malicious JavaScript.

Attacking Process

According to SlowMist’s findings, the malicious script specifically targeted friend.tech users, with a focus on Key Opinion Leaders (KOLs) who, due to their popularity, were likely to receive interview invitations. The attacker adopted a strategy of following people within the target’s Twitter network, creating a false sense of community when users visited the attacker’s Twitter page.

The modus operandi involved scheduling interviews, guiding users to join Telegram for the interview, and providing an outline. Users, believing the interaction to be legitimate, participated in a two-hour interview with apparent hosts, anticipating publication on a reputable news website.

Post-interview, the attacker asked users to fill out a form and open a provided phishing link under the pretext of verification. The link, claiming to prevent impersonation, instructed users to verify their friend.tech account by dragging a “Verify” button to the bookmark bar and clicking on it after visiting the friend.tech website.

Upon opening the bookmark, which contained the malicious JavaScript, users unknowingly exposed their friend.tech account credentials, including the password (2FA) and tokens associated with the embedded wallet Privy. This posed a significant risk, as both the user’s friend.tech account and the related funds were susceptible to theft.

“Our founder, Cos, also emphasized the severity of such attacks. If your independent password, i.e., the 2FA for friend.tech, is stolen, and you have set up information related to friend.tech and its embedded wallet Privy (including other relevant information in localStorage), then your private key plaintext can also be stolen.”

At this stage, the account becomes essentially unusable unless friend.tech is willing to provide the victim with a new private key and its associated wallet address.
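
A defensive check for the bookmark technique described above, as an added example that is not from SlowMist's report or the original article: it walks a Chromium-style `Bookmarks` JSON tree and lists every `javascript:` bookmark together with the sensitive browser APIs its body references. The sample tree, the `SENSITIVE` pattern list and the function names are assumptions made for illustration.

```javascript
// Patterns worth a closer look in a bookmarklet body (illustrative list, an assumption).
const SENSITIVE = [
  ["localStorage", /\blocalStorage\b/],
  ["sessionStorage", /\bsessionStorage\b/],
  ["document.cookie", /\bdocument\s*\.\s*cookie\b/],
  ["network request", /\b(fetch|XMLHttpRequest|sendBeacon)\b/],
  ["dynamic code or script load", /\b(eval|atob|createElement|import)\b/],
];

// Bookmarklet bodies are often percent-encoded; decode before matching.
function decodeBody(url) {
  const body = url.trim().slice("javascript:".length);
  try { return decodeURIComponent(body); } catch { return body; }
}

// Walk a bookmark node (folder or url) and collect javascript: entries.
function walk(node, path, findings) {
  if (node.type === "url" && /^\s*javascript:/i.test(node.url || "")) {
    const body = decodeBody(node.url);
    const hits = SENSITIVE.filter(([, re]) => re.test(body)).map(([name]) => name);
    findings.push({ path: path.concat(node.name).join("/"), hits });
  }
  for (const child of node.children || []) {
    walk(child, node.name ? path.concat(node.name) : path, findings);
  }
  return findings;
}

// Audit every root (bookmark bar, other, synced) of a parsed Bookmarks file.
function auditBookmarks(bookmarksJson) {
  const findings = [];
  for (const root of Object.values(bookmarksJson.roots || {})) {
    if (root && typeof root === "object") walk(root, [], findings);
  }
  return findings;
}

// Constructed sample in the Chromium Bookmarks layout (bodies are harmless).
const sample = { roots: {
  bookmark_bar: { type: "folder", name: "Bookmarks bar", children: [
    { type: "url", name: "Verify", url: "javascript:void%28localStorage.length%29" },
    { type: "url", name: "friend.tech", url: "https://www.friend.tech/" },
  ] },
  other: { type: "folder", name: "Other bookmarks", children: [
    { type: "folder", name: "tools", children: [
      { type: "url", name: "word count", url: "javascript:void(document.title.length)" } ] } ] },
} };

console.log(auditBookmarks(sample));
```

Any `javascript:` bookmark runs with the privileges of whatever page is open when it is clicked, so an entry that touches storage or cookies deserves review even when its name looks routine.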

Measures to Prevent Phishing Attacks

The rampant social engineering attacks and phishing scams have wreaked havoc in the Web3 space, particularly because they are rapidly evolving. SlowMist said the victim in this incident, who was just practicing English speaking skills, ended up having all their funds on friend.tech stolen. However, the firm detailed certain measures that help identify potential attacks.

These involve increasing awareness of social engineering attacks, refraining from clicking on unfamiliar links, and learning methods to recognize phishing links (such as checking for misspellings or excessive punctuation in domain names and ensuring they match with official domains). SlowMist further encouraged users to install anti-phishing plugins.

This isn’t the first time friend.tech users have had their digital assets stolen.

Last month, prominent on-chain investigator ZachXBT reported that friend.tech users were targeted by SIM card manipulation. Days later, the team behind the platform introduced the 2FA password feature to improve user security, protecting against SIM-swap attacks.
