With millions of dollars in assets lost to phishing attacks after malicious authorizations are signed, the threat of having cryptocurrencies stolen through suspicious links is real. When this is combined with platforms that allow private connections, users are exposed to varying levels of risk.
On September 4, Web3 security provider Pocket Universe demonstrated how scammers can hide wallet-draining links in any text on the instant messaging platform Discord. Although some users report that the feature recently went live for Discord users, the ability to embed a link in any text has been available on many social platforms for a while now.
Scammers can now hide links in any Discord text ☠️
Beware of hidden wallet filter links
For example pic.twitter.com/mgqG18sOF9
— Pocket Universe (@PocketUniverseZ) September 4, 2023
Cointelegraph reached out to several cybersecurity experts to learn more about how users can protect themselves from these attempts and how platforms can improve their security to prevent users from being exposed to such attacks.
Christian Seifert, a researcher at Web3 security firm Forta Network, said such attacks have been hackers' daily bread since the birth of the Internet. He explained:
“No matter what platform you build, there will be a hacker ready to find a way to break it. Hyperlinks containing text are a feature supported as part of HTML and have been a source of phishing attacks since the early days of the Internet.”
According to Seifert, security requires a comprehensive defense approach. “Both platforms and users must work to protect themselves,” he said. As for users, the security expert highlighted the existence of add-ons that allow them to protect themselves from these scams.
As for Discord, Seifert pointed out that the platform lets you know the actual destination of the URL after the user clicks it. But the platform also allows users to “trust” a domain name. According to Seifert, scammers may exploit this possibility. Seifert explained:
“Consider a domain like foo.bar that the user trusts. A scammer could create a potentially malicious link that performs an action on that domain; for example, an ‘oauth’ request like foo.bar/oauth /scammer- could be sent to the scammer account.”
The cybersecurity expert said one problem with the platform's current implementation is that links and text can be misleading and do not match user expectations. “If a text link clearly looks like a domain or URL but does not match the actual destination URL, Discord should prevent such links,” he added.
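The check Seifert describes can be sketched as follows. This is an added example, not Discord's or Forta's code; it assumes masked links use the Markdown form `[text](url)`, and the `.example` domains in the sample message are constructed.

```python
import re
from urllib.parse import urlsplit

# Markdown-style masked link: [visible text](destination URL)
MASKED_LINK = re.compile(r"\[([^\]\n]+)\]\(\s*<?(https?://[^\s)>]+)>?\s*\)")
# Visible text that itself looks like a URL or a bare domain name
URLISH = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?$", re.I
)


def normalize(host):
    """Lower-case a hostname and drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(message):
    """Return (text, destination) pairs whose visible text names another host."""
    hits = []
    for text, dest in MASKED_LINK.findall(message):
        claim = URLISH.match(text.strip())
        if not claim:
            continue  # wording such as "click here" makes no claim about a host
        claimed_host = normalize(claim.group(1))
        real_host = normalize(urlsplit(dest).hostname or "")
        if claimed_host != real_host:
            hits.append((text, dest))
    return hits


# Constructed sample message: one deceptive link, one honest link, one plain label
SAMPLE = (
    "Mint is live at [https://wallet.example/claim](https://drainer.example/claim), "
    "docs are at [wallet.example](https://www.wallet.example/docs), "
    "or just [click here](https://drainer.example/x)."
)

if __name__ == "__main__":
    for text, dest in find_deceptive_links(SAMPLE):
        print(f"text shows {text!r} but the link goes to {dest!r}")
```

Comparing hosts does not cover the trusted-domain case Seifert raises, where the destination really is on the trusted domain and the harm lies in the path or the action it triggers.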
Meanwhile, Hugh Brooks, director of security operations at blockchain firm CertiK, echoed some of Seifert’s thoughts. According to Brooks, users and platforms have a collective responsibility to be wary of malicious operators. He explained how important it is for platforms to continually review and improve their security features and for users to stay alert and informed.
Brooks emphasized that users should be proactive and careful about links, especially when signatures and permissions are requested. The director urged users to verify the authenticity of the site address before granting access to cryptocurrency wallets. Brooks said:
“It is good practice to cross-check web addresses against appropriate phishing alert lists. PhishTank, Google Safe Browsing, and OpenPhish are also valuable resources, as are browser extensions such as HTTPS Everywhere and ad blockers such as uBlock.”
Brooks explained that these tools can warn users in real time when they are about to visit known phishing or malicious websites. “Additionally, hovering over a URL link will display the actual web address, allowing users to confirm its legitimacy before continuing,” he added.
Regarding the platform, the cybersecurity expert reminded that there are measures that must be implemented, such as the possibility of receiving messages only from trusted people. A good example of this, Brooks added, is Meta's “Facebook Protection”, which gives users advanced security features for their accounts. He concluded:
“As the saying goes, the only constant is change. Platforms have a duty to their users and their ongoing interest in making security a priority. This includes not only updating security measures, but also promoting a culture of vigilance and awareness among users.”
Translation by Walter Rizzo