
How to NOT get scammed by fake impersonators.

Now that even Gary and the SEC are being impersonated to scam users, let's look at how this scam works and what it relies on.

In a typical scenario, the scam starts with a phishing campaign, such as an email that appears to come from a legitimate source. The campaign promises a benefit like reduced gas fees or a token upgrade, playing on the user's fear of missing out (FOMO) and urgency to act. In our example it was a fake SEC offering refunds for the fake news.

The scam often involves the user being instructed to sign a certain message - but what is behind this message?



Put simply, this message includes the following fields (hashed together into a single digest):

Owner
Spender
Value
Deadline
Nonce
Domain Separator

Which just says: "allow the Spender to spend Value of TokenXY, using the owner's next nonce, until Deadline XX". The victim signs this message on the compromised frontend in good faith, expecting an airdrop or refund. Note that this is an off-chain signature, not a transaction: it costs no gas, and because the fields are hashed the victim usually sees nothing that reveals who the spender is or how much they may spend.

But how can an attacker actually steal your tokens with that signature? This is where it gets interesting. Many tokens, such as Uniswap LP tokens, DAI and USDC, implement the so-called ERC20Permit logic (standardised as EIP-2612; DAI's older permit takes slightly different parameters but works the same way).
This exposes a permit function that takes the signed fields (owner, spender, value, deadline) together with the signature (v, r, s):




Once the message is signed, the attacker calls this function with the exact parameters and the signature captured during the compromised frontend interaction. The contract recovers the signer from the signature, checks the nonce and deadline, and sets an allowance from the victim's wallet to the spender, which is the attacker in this scenario. The victim never sends a transaction; the attacker submits it and pays the gas.

Once the allowance is set, the attacker simply invokes the transferFrom function to steal the tokens.
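The whole chain, as an added example that is not code from the original post: a pure-Python keccak-256, the EIP-712 digest a wallet computes for a Permit (the "hashed" message above), the checks worth running on its fields before signing, and a minimal model of a permit-enabled token on which a drainer submits the signature and then calls transferFrom. The token name, chain id, addresses and balances are made up; signature recovery is abstracted to comparing the signed digest with the one the token recomputes (a real token recovers the signer from v, r, s with ecrecover), and the model does not reproduce any specific token's contract code.

```python
# Added example (not the post's code): what an EIP-2612 Permit signature commits to,
# and how a drainer turns it into a transferFrom. Pure Python, real keccak-256 below.
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]

def _rol(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def _keccak_f(l):  # Keccak-f[1600] on a 5x5 array of 64-bit lanes l[x][y]
    for rc in _RC:
        c = [l[x][0] ^ l[x][1] ^ l[x][2] ^ l[x][3] ^ l[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        l = [[l[x][y] ^ d[x] for y in range(5)] for x in range(5)]      # theta
        x, y, cur = 1, 0, l[1][0]
        for t in range(24):                                              # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, l[x][y] = l[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):                                               # chi
            row = [l[x][y] for x in range(5)]
            for x in range(5):
                l[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        l[0][0] ^= rc                                                    # iota
    return l

def keccak256(data: bytes) -> bytes:  # Ethereum variant: pad10*1 with suffix 0x01 (SHA-3 uses 0x06)
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)                # rate = 1600 - 2*256 bits = 136 bytes
    buf[-1] |= 0x80
    l = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):
            l[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        l = _keccak_f(l)
    return b"".join(l[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def _u256(n): return n.to_bytes(32, "big")
def _addr(a): return bytes.fromhex(a[2:]).rjust(32, b"\x00")
PERMIT_TYPEHASH = keccak256(b"Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)")
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)")
UINT256_MAX = 2**256 - 1

def domain_separator(name, version, chain_id, contract):
    return keccak256(DOMAIN_TYPEHASH + keccak256(name.encode()) + keccak256(version.encode())
                     + _u256(chain_id) + _addr(contract))

def permit_digest(domain, owner, spender, value, nonce, deadline):
    # the 32 bytes the wallet signs: 0x19 0x01 || domainSeparator || hashStruct(Permit)
    struct_hash = keccak256(PERMIT_TYPEHASH + _addr(owner) + _addr(spender)
                            + _u256(value) + _u256(nonce) + _u256(deadline))
    return keccak256(b"\x19\x01" + domain + struct_hash)

def permit_warnings(spender, value, deadline, now, known_spenders):
    # fields worth reading before signing; any entry returned is a reason not to sign
    w = []
    if spender.lower() not in {s.lower() for s in known_spenders}:
        w.append("spender is not a contract you recognise")
    if value == UINT256_MAX:
        w.append("value is uint256 max: unlimited allowance")
    if deadline > now + 24 * 3600:
        w.append("deadline is more than a day away: the signature stays usable")
    return w

class PermitToken:
    """Minimal model of an ERC20Permit token. Assumption: a 'signature' is the (owner, digest)
    pair the wallet produced; a real token recovers the signer from (v, r, s) with ecrecover."""
    def __init__(self, name, chain_id, address, balances):
        self.domain = domain_separator(name, "1", chain_id, address)
        self.balances, self.allowance, self.nonces = dict(balances), {}, {}
    def sign_permit(self, owner, spender, value, deadline):  # off-chain: no transaction, no gas
        return (owner, permit_digest(self.domain, owner, spender, value, self.nonces.get(owner, 0), deadline))
    def permit(self, owner, spender, value, deadline, sig, now):
        if now > deadline: raise ValueError("permit expired")
        nonce = self.nonces.get(owner, 0)
        if sig != (owner, permit_digest(self.domain, owner, spender, value, nonce, deadline)):
            raise ValueError("invalid signature")
        self.nonces[owner] = nonce + 1          # nonce consumed: the same signature cannot be replayed
        self.allowance[(owner, spender)] = value
    def transfer_from(self, caller, src, dst, amount):
        if self.allowance.get((src, caller), 0) < amount or self.balances.get(src, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        self.allowance[(src, caller)] -= amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def run_drain(now=1_700_000_000):
    """Constructed scenario: token name, chain id, addresses and balances are made up."""
    victim, attacker, token_addr = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
    token = PermitToken("USD Coin", 1, token_addr, {victim: 5_000_000})
    deadline = now + 30 * 24 * 3600
    sig = token.sign_permit(victim, attacker, UINT256_MAX, deadline)  # 1. victim signs on the phishing page
    token.permit(victim, attacker, UINT256_MAX, deadline, sig, now)   # 2. attacker submits it on-chain
    token.transfer_from(attacker, victim, attacker, 5_000_000)        # 3. attacker drains the balance
    try:                                                              # 4. replay fails: nonce consumed
        token.permit(victim, attacker, UINT256_MAX, deadline, sig, now)
        replayed = True
    except ValueError:
        replayed = False
    return token.balances[victim], token.balances[attacker], replayed
```

`run_drain()` returns `(0, 5000000, False)`: the victim's balance is gone after one signature and one attacker-paid transaction, and the same signature cannot be replayed because the nonce was consumed. `permit_warnings` shows what a wallet would have to display to make the scam obvious: an unknown spender, an unlimited value and a deadline a month out are each, on their own, a reason not to sign.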



What do we learn from this?

Never sign a message you do not understand. Before signing, read the spender, the value (uint256 max means an unlimited allowance) and the deadline; if the wallet only shows you an opaque hash, do not sign. If you have already signed and the allowance has been set, revoke it by calling approve(spender, 0) on the token.

A note to all the Securities Commissions:
This is what actual investor protection looks like.
Unmasking Fake Impersonators and their Deceptive Tactics