This article was originally posted by me on January 18, 2022, at thiscoindaily

Hello guys. In this article, I’ll be guiding you through some key principles to help keep your accounts safe in the ecosystem. With a lot of events/projects sprouting out in the ecosystem (and many more to sprout out this year), scammers and hackers are ever-alert, ready to snatch accounts if given even the slightest chance.

This article aims to guide you through the best principles that’ll help keep you safe in the DotSama ecosystem.

In this article, I’ll start by describing various ways in which scammers may attempt to hijack accounts, then dive into key principles to help keep your accounts safe.

Disclaimer: This guide is based on previous trends and my experience with the blockchain space in general and the ecosystem in particular. Even though this guide was made in good faith and efforts were made to ensure its accuracy and validity, you’re advised to exercise due diligence in matters regarding verifying websites/wallets/extensions/accounts, managing your accounts, and securing your funds. If you have any queries, you can always request help from Polkadot support or reach out to the official Polkadot Discord server.

Alright! Wear your Sherlock Holmes Cap, and Let’s get started!

Various ways in which scammers may try to take control of your account

The aim of this section is to expose you to some of the techniques scammers may use in order to attempt to get a hold of your account. I mean, you have to know what you’re dealing with before you can protect yourself, right?

Scammers are smart and are getting smarter by the day. There’re multiple ways in which scammers could attempt to gain unauthorized access to accounts. Below are descriptions of some of the most common methods hackers may employ.

Phishing sites

This is one of the most common (and unfortunately, quite successful) methods by which scammers attempt to hack accounts.

These phishing sites are either designed to look very similar to an already established platform or could follow innovative patterns to lure users into using the platform.

Typically, these scammers spread out their phishing sites either via chats or even ads (Facebook ads, Twitter ads, etc).

The names of these scam sites usually employ a pattern that looks similar to real platforms, with subtle differences.

For example;

  • polkadot isn’t the same as poIkadot (this is a classic form of a homograph attack: since a lowercase “l” looks like an uppercase “I”, it could lure users into thinking poIkadot is the right domain name).
  • kusama isn’t the same as kusamа. How long did it take you to spot the difference? Notice the last “а” in the second kusama spelling; that’s a Cyrillic letter, not the Latin letter “a”. Scammers could use Cyrillic letters like this to create links to look-alikes of platforms, which may be very hard for even a trained eye to detect.
  • Use of TLDs the real platform doesn’t use (like .xyz, .tk, etc.) while keeping the name of the established platform.
  • Modifying the domain names of legit platforms to make it look like the platform set up a unique domain name for specific purposes. This could be in the form of adding keywords like support, swap, exchange, dapp, etc.
  • Using punctuation marks to come up with malicious names by splitting the names of legit platforms (polka-dot, moon-beam, etc.).
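As an added example (not from the original article), here is a small Python checker that applies the look-alike patterns above to a hostname: it folds confusable characters, flags non-ASCII and mixed Unicode scripts (showing the punycode form that is actually registered), and catches a brand reused on another TLD, a hyphen-split brand, and a brand combined with a lure keyword. The allow-list and the confusables table are constructed assumptions for the demo, not an official list.

```python
import unicodedata

# Constructed allow-list for this demo; an assumption, not an official list.
KNOWN_GOOD = {"polkadot.network", "kusama.network", "moonbeam.network"}
RISKY_KEYWORDS = {"support", "swap", "exchange", "dapp", "claim", "airdrop"}

# Visually confusable characters folded to one canonical form, so that
# "poIkadot" (capital I) and "kusam\u0430" (Cyrillic a) compare equal to the
# real names. A small demo table, not the full Unicode confusables list.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o",
                             "\u0430": "a", "\u043e": "o", "\u0435": "e",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def fold(text: str) -> str:
    """Canonical form for look-alike comparison: NFKC, fold confusables, lowercase."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()

def scripts_in(label: str) -> set[str]:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def assess(hostname: str) -> list[str]:
    """Return red flags for a hostname; an empty list means nothing suspicious."""
    raw = hostname.strip().rstrip(".")
    if raw.lower() in KNOWN_GOOD:
        return []
    labels = raw.split(".")
    sld = fold(labels[-2]) if len(labels) > 1 else ""   # label left of the TLD
    tld = labels[-1].lower()
    flags = []
    if any(ord(c) > 127 for c in raw):
        flags.append(f"non-ASCII characters; registered form is {raw.encode('idna').decode()}")
    for label in labels:
        if len(scripts_in(label)) > 1:
            flags.append(f"mixed scripts in label {label!r}: {sorted(scripts_in(label))}")
    for good in sorted(KNOWN_GOOD):
        good_sld, good_tld = good.rsplit(".", 1)
        if fold(raw) == fold(good):
            flags.append(f"confusable look-alike of {good}")
        elif sld == good_sld and tld != good_tld:
            flags.append(f"{good_sld} brand on unexpected TLD .{tld} (expected .{good_tld})")
        elif "-" in sld and sld.replace("-", "") == good_sld:
            flags.append(f"{good_sld} brand split with punctuation: {labels[-2]!r}")
        elif good_sld in sld and sld.replace(good_sld, "").strip("-") in RISKY_KEYWORDS:
            flags.append(f"{good_sld} brand combined with a lure keyword: {labels[-2]!r}")
    return flags
```

A legitimate subdomain such as app.polkadot.network produces no flags, while each of the patterns listed above produces at least one.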

Where phishing sites may be injected

Phishing sites could be spread through a multitude of channels including;

  • Social media and email ads. Most ad platforms and email providers have filters, but a lot of phishing sites still escape them.
  • As messages from impersonators. Typically, the scammers will contact vulnerable or new users, posing as members of the team, and offering to help them solve their issues. It’s quite easy for scammers to pick out new and vulnerable users based on the kinds of questions and requests they post in the groups.
  • In the form of links in articles. A scammer could decide to create a genuine and really intuitive article, but then inject links to phishing sites in the article as traps for unsuspecting users to click and fall into.
  • Into hacked accounts of legit and established platforms. In this case, a legit platform is hacked, and the links on its pages are changed to point to phishing sites.
  • And many more!

Phishing apps and extensions

These could be created by scammers to gain access to your seeds by creating a look-alike of an existing wallet or extension.

Depending on how advanced the scammers are, these phishing apps and extensions may look very similar to legit platforms. But entering any sensitive information like mnemonics in these platforms most certainly guarantees exposure of such information to scammers.

The backends of these phishing platforms are usually not sophisticated, as their aim is simply to get hold of your mnemonics/seeds. This explains why you’ll always get a success message whether you entered real info or dummy data.

Links to these are shared in the same way as phishing sites, but can also be uploaded by scammers to app/extension stores in order to gain exposure to a large user base.

Copy and Paste exploits

This is a wicked form of attack in which exploiters (typically malware on your machine that watches the clipboard) change the contents of a copied address and replace it with theirs, so that you end up pasting their address and not the one you copied initially. Always compare the pasted address against the one you intended to send to before confirming a transaction.

A lot of people might not have heard of this, but it has led to the loss of millions of dollars of funds in the blockchain space in the past.

Keyloggers

These are malicious programs that are designed to intercept and record your keystrokes, which are then sent to the attackers.

Keyloggers themselves aren’t inherently illegitimate, as they may be used by law enforcement and security agencies to help keep things in shape.

Unfortunately, hackers may utilize them as an avenue to steal your private keys and mnemonic phrases.

Users could get exposed to malicious keyloggers either by visiting a malicious site, downloading malicious software, or using malicious hardware. It may be hard to detect malicious keyloggers, but there are steps you can take to protect yourself from successful attacks, like using updated anti-virus software to help detect this malware.

Direct requests from impersonators

Some scammers might actually contact you claiming that they are part of the team. They may request your private keys, claiming they’ll help you solve your issues.

This is usually unsuccessful for more advanced users, but newbies might still fall for this, especially if they’re really desperate to find a solution to their problems.

Giveaways and multipliers

With this kind of exploit, scammers claim that their platforms will help provide profits for you, depending on your deposits. These fake platforms could be in the form of investment platforms, Ponzi schemes, or even presumed real businesses.

They try to make their messages interesting and offer very high returns on your deposits. Some could go as far as creating groups and channels filled with fake accounts that actually interact with one another and talk about how successful they’ve been with the platform.

Links to platforms like this are usually injected in the same way as phishing sites.

Fake arbitrage exchanges

These are platforms claiming to be exchanges that offer very large spreads for buying and selling. Basically, they’d require you to buy your assets from a real exchange and then sell on their fake exchange, such that you benefit from the spread.

They are usually unpopular and have obscure domain names.

Because of the large price differences between these fake exchanges and real exchanges, you could be enticed into falling for the trap, which will most likely guarantee that you’ll lose your money.

Security breaches

This is when genuine platforms (especially centralized platforms) are breached, which is usually outside your control.

However, because you know breaches are always possible, it would be a good idea to never put all your eggs in one basket.

How to keep yourself safe from Scammers/Hackers

Now that you’re aware of several methods that hackers/scammers could employ to try to gain access to your account, I’ll walk you through some guidelines which will help keep your accounts safe from malicious users.

Treat every DM as a scam until proven otherwise

This is very important! Team members will hardly ever DM you. Any messages you get from the servers/channels claiming to help you solve your issues should be suspected and treated as a scam. You could try confirming the user’s identity on the server by viewing their roles, and then reporting their details to the server moderators for a possible ban.

Note that some scammers might actually try to outsmart you into thinking they’re admins by adding emojis to their status, just like below:

Note that unlike the scam account above, roles are always displayed below the server address.

I mean, think about it! Why would a team member not attempt to help you in the server, but then slide into your DMs to help out without giving any prior notice?

As I stipulated before, scammers will attempt to use this strategy to direct you to one malicious interface or the other, in order to gain access to sensitive information.

Verify the polkadotJs UIs, extensions, and other platforms before use.

Because it’s quite easy for malicious users to create look-alikes, it’s very important to verify that you’re using authentic platforms:

  • Always download wallets and extensions from the official site. Preferably, manually type out the addresses of the sites rather than clicking links to them. For example, if you’d like to download the polkadotJs extension, manually type in the address of the polkadotjs app. This helps eliminate the possibility of falling for the homograph attack described earlier. If you must use links from other platforms, double-check and make sure they’re correct.
  • Keep a bookmark of links to important platforms, and use your bookmark to access these platforms.
  • Carefully scrutinize any links from third-party sites.
  • If you have even the slightest doubt that a platform is trying to steal your keys, try entering dummy data. Usually, a fake extension or wallet will provide a success message whether you entered real data or not.

Be careful with websites you click

Whenever you feel a website is not genuine, don’t click on it in the first place (some might want to check out the scam site, just to see what it looks like. Don’t!).

These malicious sites usually come in the form of referral links offering you hefty rewards or coupons.

Simply visiting some malicious sites and interacting with them could lead to the injection of malicious code meant for various attacks (e.g. intercepting copied text or installing malicious keyloggers).

Keep your PC virus-free

As much as possible, avoid downloading and installing software from unverified sites. Some of this software has been deliberately infected with viruses that are intended to steal your data.

Try keeping your anti-virus software up-to-date to help in sniffing out malicious software.

Use an offline wallet where possible

Of course, not everyone can afford a hardware wallet. But if you can, it’s highly suggested you get one. This ensures that your account is always safe, even if platforms (or your PC) are breached.

A good idea may be to keep large accounts offline, and maybe have a flexible account for other activities.

If you can’t afford a hardware wallet, you may use wallets like Parity Signer, which allow you to sign transactions offline.

If you don’t really understand how offline wallets work, you should create accounts with polkadotJs UI and ensure you keep your mnemonics and seeds safe.

It’s generally not a good idea to leave a large lump of funds sitting on exchanges, as a breach of those exchanges could lead to the loss of your funds. But if you still intend to store large funds on exchanges, then the next point is for you:

Never put all your eggs in one basket

You should spread your funds across a couple of accounts (especially if you’re using a centralized platform to store your funds).

In that way, there’s no single point of complete failure. If something unfortunate is to happen to one of the platforms, at least you won’t lose all your funds!

Be careful with Ads

Users often have the notion that ads (e.g. Google and Facebook ads) should be legit since they pass through scam filters. Unfortunately, a lot of scam platforms bypass these filters and are fed to you.

You should never assume that an ad is legit. Scrutinize every ad as you would a DM (especially ads offering wallets or some form of rewards/giveaways).

If you have even the slightest doubt, stop! and confirm!

I simply can’t stress this enough. If you feel anything looks off about a message or platform, just stop and take a few minutes to verify the legitimacy of that platform.

This might take your time. Sometimes those platforms might actually end up being legit. But it’s better to lose 15 minutes of your time than to lose all your funds.

Scrutinizing projects

With the gradual roll-out of parachains, I’d suggest you always keep your eyes open and exercise detailed scrutiny of projects before taking actions that involve your accounts. The Polkadot wiki has a nice article on doing your own research with regards to projects, and I highly suggest you check that out.

Conclusion

In this article, I’ve walked you through various ways in which malicious users might attempt to gain unauthorized access to your account, as well as guidelines to help you keep your accounts safe from these attackers. The more of these guidelines you follow, the safer your account will be. Keep in mind that some platforms might appear illegitimate but actually end up being genuine, while the reverse may be the case for others. In essence, the safety of your account should be your top priority, and you should employ whatever means you have at your disposal in order to keep malicious users out.

Stay safe!
