Phisher Watch: Airdrop Scams

Dan Finlay
Published in MetaMask
Sep 26, 2021

As cryptocurrency has grown, its users have become an increasingly hot target for phishers. Each time we make one type of phishing harder, the phishers come up with new techniques, and so it’s in everyone’s best interest to stay aware of the latest scams, and consider how you can keep yourself (and friends and users) safe from these attacks.

One approach that has been growing in popularity lately is what we’re calling “Airdrop scams”. A typical airdrop scam involves minting a new malicious token, sending it to user accounts, and relying on users investigating what this mysterious token is; that investigation is what leads those users into the phish.

You can see a video exploration of one such scam here:

Users that rely solely on MetaMask for their token holdings are not exposed to this attack, because MetaMask has always held a firm line on not auto-detecting unknown tokens: we only detect tokens that meet a high bar of credibility, as we’ve long recognized that auto-detection is a strategy for attacking and confusing users.

The problem starts when users look around other sites and wallets that show any token on the blockchain under whatever name the token’s author has chosen. Sometimes these other wallets or block explorers will even optimistically render a value for that token, based on an easily faked liquidity position on an Automated Market Maker (AMM) exchange. These tokens, however, do not behave like normal tokens: when users try to swap them, the swap throws an error whose text is also supplied by the malicious contract author, and that error directs the user to a phishing site “for help”, where they are phished.

An example phishing error message. Don’t go to this site, it’s a scam!

This attack relies on several user behaviors:

  • Users checking block explorers for token balances.
  • Block explorers auto-detecting and displaying any token that is minted at all (even though anyone can mint a token “named” anything, and the token name imbues no security at all).
  • Users expecting that a detected token has value, or sites optimistically rendering AMM prices as a price oracle.
  • Users investigating automatically detected tokens.
  • Users then trusting their investigations, approving transactions, or even giving their secret recovery phrases to the sites associated with those tokens.
  • Users looking to see why the transaction failed, and believing the error message presented to be representing credible information.
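As an added illustration (not MetaMask’s code), the following Python sketches the two wallet-side checks the behaviors above suggest: treating only allowlisted contract addresses as trusted, regardless of the author-chosen symbol, and flagging a failed-swap error whose text reads like a lure rather than a normal contract error. The allowlist, addresses, balances and error text are constructed sample data.

```python
import re

# Constructed sample allowlist (placeholder addresses), standing in for a
# curated token list such as the aggregated one described in the post.
TRUSTED_TOKENS = {
    "0x1111111111111111111111111111111111111111": "USDX",
}

# Constructed explorer-style feed of auto-detected balances: the second entry
# is an unsolicited airdrop whose author reused the symbol of a real asset.
DETECTED_BALANCES = [
    {"address": "0x1111111111111111111111111111111111111111", "symbol": "USDX", "amount": 50.0},
    {"address": "0x2222222222222222222222222222222222222222", "symbol": "USDX", "amount": 10000.0},
]

# Constructed revert reason of the kind the post describes: the contract
# author controls the text and points the user off-chain for "help".
SAMPLE_REVERT_REASON = "Swap disabled. Visit https://example.invalid/unlock to unlock your tokens"

URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|io|xyz|net|org|finance|app)\b", re.I)
LURE_RE = re.compile(r"\b(visit|go to|contact|support|claim|unlock|sync|validate|seed|recovery phrase)\b", re.I)


def classify_balances(balances, allowlist=TRUSTED_TOKENS):
    """Split detected balances into trusted and unsolicited.
    Identity is the contract address; the author-chosen symbol is only
    cross-checked, so a look-alike symbol at an unknown address stays untrusted."""
    trusted, unsolicited = [], []
    for entry in balances:
        expected = allowlist.get(entry["address"].lower())
        (trusted if expected == entry["symbol"] else unsolicited).append(entry)
    return trusted, unsolicited


def revert_reason_flags(reason):
    """Return why a failed-swap error string looks like a lure rather than a
    normal contract error: it names a web address, or urges an off-chain action."""
    flags = []
    if URL_RE.search(reason):
        flags.append("contains_url")
    if LURE_RE.search(reason):
        flags.append("urges_offchain_action")
    return flags


def should_warn(entry, reason, allowlist=TRUSTED_TOKENS):
    """A wallet would warn when an unsolicited token's swap fails with a
    lure-like message: the two signals together are the pattern in the post."""
    _, unsolicited = classify_balances([entry], allowlist)
    return bool(unsolicited) and bool(revert_reason_flags(reason))
```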

Token auto-detection is a tricky situation. MetaMask has taken a conservative approach to token detection, because we’d rather make a user add a token themselves than expose them to a phisher’s token; but if a user relies on even a single mass-detecting token list, they are exposing themselves to this kind of attack.

MetaMask has been working on making token detection more effective and trustworthy, aggregating our auto-detection list from multiple sources and proactively blocking known scams, and is working towards letting users more easily subscribe to (and share) their own trusted token lists.

While trusted lists may be the long-term solution, in the meantime we have many tools (especially block explorers, and also some wallets) that are extremely eager to detect any token that is air-dropped. This can result in phishing, annoyance, and unsolicited messages. In the short term, it would be valuable if all tool developers took this kind of attack more seriously, and considered the risks we expose users to when automatically detecting unfiltered blockchain activity.

As the decentralized web scales, auto-detection of all assets will become less and less sustainable, and so there is both a security and scalability problem with the modern expectation. The idea that a single global feed should be perfectly curated is a very Web2 way of thinking, and we think that it’s critical that we start recognizing the ways that unfiltered feeds expose us all to coordinated attacks from untrustworthy sources.

Web3 is all about building better ways of doing things. This can sometimes mean that some of the new ways feel high-friction, like managing account backups, or manually subscribing to tokens, but it’s these acts of user responsibility that enable decentralizing power away from any central party, and across the web of users.

I hope you’ll be careful out there when looking at any source of global data, and always consider “what did it take for someone to produce this?”. Oftentimes, there’s nothing stopping a scammer from putting whatever they want in front of your eyes.

Stay safe out there!


Decentralized web developer at ConsenSys working on MetaMask, with a background in comedy, writing, and teaching.