The concept and Web3 of the block chain, the detrimentary technology, the DEFI, the intelligent contract, the “Yuan Cosm” are established on the encryption system, and the basis of the block chain project. They all have a thorough change in the way we understand and experience our connection today.
However, with each technological innovation, it is also possible to create new ways for network attackers, and Web3 is no exception. Now, the most common threats include large-scale spam and network fishing, social engineering and vulnerability utilization through email and social media platforms.
On February 16, Microsoft 365 Defense Students said, especially online fishing has spread to the block chain, hosted wallets and intelligent contracts. At the same time, they emphasize the persistence of these threats, and the need to build safety foundations in future related systems and frameworks.
Microsoft’s network security researchers say that network fishing attacks for Web3 and block chains can take a variety of forms. Among them, the main one is that an attacker tries to obtain a private encryption key to access the wallet containing the digital asset.
Although the online phishing attempt to email does happen, the fraud of social media is also very embarrassed. For example, scams may send messages directly to users, publicly requesting help of encrypting currency services – and requires a key while pretending from support teams.
Another strategy is to initiate free empty spaces on social media websites. When users try to access their new assets, they will be redirected to malicious domain names, these domain names either try to steal vouchers, either in victims Effective loads of encrypted malware on the machine.
Moreover, it is well known that online criminals will be misfamed to pretend to be legally block chain and encrypted currency services. They registered websites with small errors or changes – such as Cryptocurency.com instead of cryptocurrency.com – and establish a phishing website, directly stealing the key.
Ice and snow fishing is different, it completely ignores the private key. This kind of attack method tries to deceive the victim to sign a transaction and hand it over to the criminal approval rights. For example, such transactions can be used for DEFI environments and intelligent contracts to allow for Currency exchange.
Microsoft pointed out that “once approved the transaction to be signed, submit and excavate, the payer can access funds. If it is ‘Ice fishing’ attack, the attacker can accumulate approval within a period of time, then quickly exhaust all victim’s wallet. “
The most eye-catching ice fishing is the last year’s Badgerdao intrusion event. Attackers can destroy the front end of BadgerDao to get access to the CloudFlare API key, then inject malicious scripts from the Badger intelligence contract and delete. High balance customers are often the goal of these people’s fraudulent.
It is reported that the above incident is approximately $ 121 million to stolen, and the relevant audit and recovery plans are still in progress. The Badger DAO attack emphasizes that in terms of Web3 in early development and adoption, we must include security into it.
Finally, Microsoft said: “On the higher level, we recommend that software developers improve Web3 security. At the same time, end users need to clear verification information through additional resources, such as viewing documents and external reputation / information website.”