Crypto phishing attacks: CertiK deceptive copycat site example
Surfing the web in search of Ankr audits (see the Ankr hack review by the SmartState team) we found a strangely duplicated CertiK page:
Looking more closely, we realized that we had come across a fraudulent phishing copycat site mimicking CertiK, cerLik - cerlik.com.
We wrote to CertiK but got no reply, so we decided to inform the community ourselves and wrote a short article about phishing, using the fake site as an example.
What a phishing is
Phishing is a type of cybercrime in which an attacker posing as a legitimate institution lures sensitive data out of people, such as personal information, bank and credit card information, and passwords. Scammers are primarily interested in those personal data which gives them access to money, also stealing email authorization details is popular, as this type of personal data can be even more profitable.
In Web3, the damage from phishing can be especially huge, as data protection, even for the average user, is of utmost importance in this field.
Suspicious signs of phishing
Scammers do their best to put the user's vigilance to sleep.
- The main characteristic of phishing emails and websites is that they are often very high quality forgeries.
- Phishing URLs often look very much like real URLs they impersonate. In email phishing, the body of the message may contain a link to a legitimate site, but the real URL to which it is pointing will be different. The email may also contain links which lead to a legitimate site, but the link which the user will have to click on and sign in will lead to a fake site.
- Sometimes logins / passwords / secret recovery phrases are proposed to be entered directly in the mail. Keep in mind that a real organization requesting sensitive information will not do it this way, and some information, such as the recovery phrase, will never be requested by the organization.
What phishing red flags exist?
- The site is not protected by an SSL certificate. This is a serious reason to take a closer look at the site, https is a must today.
- Incorrect addresses. Website, email, social networks and messenger login - you need to always be vigilant and check the correctness of these details
- Suspicious requests in emails and messages. Requests to confirm your account in a payment service? You are asked to send login or even worse - password? These are the red flags of phishing
- Using a public email service instead of a corporate one. Addresses like famouscompany@gmail.com are a bad sign
The dangers of phishing
Besides getting their hands on your private data, phishers can make you a few more unpleasant surprises, like a spyware, keylogger or trojan download on a fraudulent site.
In Web3, this can lead to huge losses - successful phishing attacks can spoof crypto wallet addresses and get seed phrases if the owner had been careless about entering them or storing them on personal devices.
Crypto phishing scam cases 2022
Below we have listed a few famous examples of crypto phishing in 2022. There are many more of them, of course.
1. Seth Green's Bored Ape NFT collection. The Robot Chicken creator had his entire NFT collection stolen from him after Green fell for a phishing scam in May 2022.
2. Crypto phishing scammer Monkey Drainer case on October 2022.
Source: link
3. $8M worth of Ether loss due fake Uniswap airdrop phishing attack in July 2022.
Source: link
What specific problems did we find in cerLik?
1. Problems with auto redirect on https version (although there is a certificate).
2. The next point is for regular visitors of the CertiK site. There is no support chat on the fake site. If there are changes on a site you regularly visit, that's a reason to be wary and take a closer look to see if it's a fraudulent resource.
Real CertiK site
Fake phishing site
3. Social networks and links. In the case of cerLik, links lead to official CertiK resources. But always check the authenticity of your social network accounts and links to the necessary resources that the site links to.
4. Request Audit form. The fake site sends the information to the real CertiK
5. Account login and registration forms. On the fake site, the registration form doesn't seem to work.
However, the data from the forms is sent to https://cerlik.com/api/auth/callback/credentials. This is probably where the user authorization data is recorded.
6. Huge number of code inspection errors associated with copying the original CertiK site.
To conclude
Phishing is just gaining popularity in Web3. If you own a crypto wallet, you know that you and only you are responsible for your funds security.
Check all the data several times, keep your devices clean, and stay alert.
