Preface

Since the beginning of this year, imToken has received numerous user reports of wallet addresses falling victim to "address phishing" attacks. In these attacks, scammers employ various tactics to deceive users into voluntarily transferring funds to them. Let's take a closer look at the tricks scammers use and work together to expose these scams!

Address Phishing Tactics

Transaction Phishing

"Address Phishing," in addition to what imToken previously disclosed as the "Same-Ending Digits Address Scam" involves sending small transactions to users' addresses using addresses with the same ending digits, creating confusion in transaction records and leading to mistaken transfers. Recently, the imToken security team has observed scammers increasing their investment in this tactic. As shown in the following image, the scammer invested 3 USDT to conduct a phishing attack and succeeded in the end.

imToken Security Team Reminder

  1. When making a transfer, please do not simply copy the address from your transaction history.
  2. After entering the recipient's address, meticulously cross-check each character to ensure the address is entirely accurate.

Clipboard Phishing

Bob encountered a strange incident where he successfully made a transfer, but his friend on the other end didn't receive the funds for a long time. After careful examination with his friend, they discovered that the recipient's address was not actually his friend's address; it was only the last few digits that matched. What puzzled Bob even more was that this address was sent by his friend through a chat application just moments ago, so there shouldn't have been any issues. Perplexed, Bob contacted the imToken team.

During communication with the imToken security team, Bob mentioned that he had downloaded Telegram from a random source he found on Baidu. As it turns out, Bob was using a counterfeit chat application, and this app had invaded his phone's clipboard, granting the scammer access to read and modify the clipboard's contents. Anything copied by the user would be obtained by the scammer, who could also alter the clipboard's content.

When the user copied a wallet address, the scammer would replace it with their own wallet address, further enhancing their phishing success rate by employing the "same-ending digits strategy."

For example,if you copied the address

  • TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ

However, when pasted, it turns out to be

  • TY7976avKs8EbdsqFMbNButNEwDcQp2XEQ

Scam Reenactment Video from CN User:https://tieba.baidu.com/p/8179666515

imToken Security Team Reminder

  1. Please be sure to download from official sources and avoid installing applications of unknown origin.
  2. Manage your device's app permissions effectively by revoking unnecessary permissions in the device's app management settings.
  3. When making transfers, it's essential to double-check critical information such as the recipient's address and the transfer amount.

OTC Scam Phishing

Scammers often use enticing phrases like "selling at a low price" or "buying at a high price" for tokens to lure you into engaging in private transactions.

For example, let's say Bob was approached by a scammer on Telegram who offered to purchase ETH for $2,000, claiming an urgent need. Bob thought, "The current ETH price is only $1,600; this is a great opportunity to make some money!" He then contacted the scammer, expressing his willingness to sell ETH and provided his USDT deposit address on the exchange.

  • TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ

The scammer initially sent a small amount of USDT to Bob's address to ensure its correctness.

After gaining Bob's trust, the scammer provided proof of the 2000 USDT transfer through screenshots and urged Bob to promptly send him the ETH. Although Bob didn't see the USDT credited to his account on the exchange for a while, the scammer provided transfer screenshots, and Bob, through Tronscan, found a 2000 U record under "his own address." Consequently, he mistakenly believed that the funds had arrived but were delayed in appearing on the exchange.

As a result, once the scammer received the ETH, they immediately cut off contact and disappeared, leaving Bob in a state of confusion.

But why did Bob see a 2000 U record under "his own address" on Tronscan yet not receive the tokens?

Well, it turns out that when the scammer sent Bob the initial small amount of USDT, they conducted a total of 2 small USDT transfers.

  • One of the transfers was genuinely sent to Bob:TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ
    • This transfer will be received by the exchange and credited.
  • The other one was sent to their own address:TY7976avKs8EbdsqFMbNButNEwDcQp2XEQ
    • This transfer was to the scammer's own address, intended to deceive Bob by having the same ending digits.

The subsequent transfer of 2000 USDT by the scammer did indeed occur, but it was merely a transfer from one of the scammer's own accounts to another and did not go to Bob's address. Due to Bob's lack of careful information verification during the transaction with the scammer, he mistakenly believed that these tokens had entered his own wallet address.

imToken Security Team Reminder

  • Do not engage in private transactions of tokens with strangers; it's advisable to trade on reputable platforms like Binance, OKEx, and others.
  • Stay vigilant at all times, and if you encounter any issues, you can inquire with us by opening "My profile" - "Help & Feedback" within the imToken App.

Risk Control

In August, imToken identified a total of 7,144 risky tokens, banned 1,395 risky DApp websites, and marked 447 risky addresses. 

Additionally, if you come across tokens or DApps that appear to be risky, please promptly provide feedback to us at [email protected] to help prevent asset losses for other users.

Closing Thoughts

With scams continually evolving, it is indeed challenging for average users to fully prevent them. imToken is committed to rapidly detecting issues and finding solutions, providing timely messages to the community, and educating users about various types of scams to protect them from losses.

We encourage you to read and share imToken Wallet Security Monthly Report and join hands with imToken to safeguard your asset security.