At bZx, we’re committed to ensuring the safety of users’ funds, and while the team has been working diligently to tackle the problems exposed by the recent attacks on Fulcrum, users have made us aware of a different set of issues we would like to address.
Fake websites and accounts on communications channels set up to impersonate team members and steal digital assets or private keys continue to be two of the most common problems raised by members of our community.
To address these issues, we’ve put together a primer on how to spot these attacks and what you can do to avoid falling victim to them.
Can you tell what’s wrong with the following picture?
The picture looks just like the Fulcrum website but one key issue could mean the difference between using Fulcrum and getting hacked.
Don’t worry if you missed it: instead of being spelled with a lower-case “L,” this URL is spelled with an upper-case “i.”
Attackers commonly find ways to direct people to their websites using creative misspellings of URLs to deceive victims about their actual destination. Another common example would be when attackers substitute the number “0” for the letter “O,” or vice versa.
The attacker’s website will look just like the site the victim believes they’re going to and in some instances, the fake site will even work in the same manner as the original.
Behind the scenes, however, the site will collect private keys from users and eventually steal all of their funds at the same time or have users send funds to a wallet controlled by the hacker.
How to stay safe
One easy way to avoid this problem is to bookmark the websites you know to be legitimate and avoid navigating to them using links from emails, social media, or other websites.
You can also look for an SSL Certificate, which indicates that the connection between your browser and the website is encrypted. Fraudulent websites may or may not come with their own SSL Certificate, but those that don’t are not legitimate and should be avoided.
Using the same example as before, notice how the URL with the upper-case “i” has an Earth image next to it. Websites with a valid SSL Certificate will have a lock like the image to the right.
If you’re ever in doubt, http://fulcrum.trade, http://app.fulcrum.trade, and http://torque.loans are the ONLY official sites for accessing bZx products and a list of approved interfaces can be found at http://bzx.network/ecosystem.
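A defender-side check for the look-alike URLs described above, written as an added example rather than bZx code: it folds confusable characters (upper-case “i” for lower-case “L,” “0” for “O,” and a few others) to a common skeleton and compares a URL’s host against the three official hosts listed in this post. The confusable table, the `skeleton` helper and the `classify` function are my own assumptions, not a bZx tool.

```python
"""Flag URLs whose host is a confusable look-alike of an official bZx site."""
from urllib.parse import urlsplit

# The only official hosts named in the post.
OFFICIAL_HOSTS = {"fulcrum.trade", "app.fulcrum.trade", "torque.loans"}

# Assumed confusable table: multi-character swaps first, then single characters.
# Every group is folded to one canonical character so that, e.g., "fuIcrum"
# (upper-case i) and "fulcrum" (lower-case L) produce the same skeleton.
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = str.maketrans({
    "i": "l", "1": "l", "|": "l",          # look-alikes of lower-case L
    "0": "o",                              # digit zero for letter O
    "\u0430": "a", "\u0435": "e",          # Cyrillic a, e
    "\u043e": "o", "\u0441": "c", "\u0440": "p",  # Cyrillic o, c, p
})


def skeleton(host: str) -> str:
    """Lower-case the host and fold confusable characters to a canonical form."""
    h = host.lower().rstrip(".")
    try:
        # Decode punycode labels (xn--...) so Unicode homoglyphs are visible.
        h = h.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains Unicode, or is not valid punycode
    for seq, rep in MULTI_CHAR.items():
        h = h.replace(seq, rep)
    return h.translate(SINGLE_CHAR)


def classify(url: str) -> str:
    """Return 'official', 'lookalike of <host>' or 'unknown' for a URL."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if not host:
        return "unknown"
    if host in OFFICIAL_HOSTS:
        return "official"
    sk = skeleton(host)
    for official in sorted(OFFICIAL_HOSTS):
        if sk == skeleton(official):
            return f"lookalike of {official}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the upper-case "i" trick from the post.
    for link in ("https://app.fulcrum.trade/trade", "https://fuIcrum.trade/",
                 "http://t0rque.loans", "https://torque.loans.example.com/"):
        print(f"{link:40} -> {classify(link)}")
```

An "unknown" verdict only means the host is neither official nor a detected look-alike; it is not a statement that the site is safe.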
Phishing (and how to avoid the bait)
Scammers may also use creative misspelling to create accounts that let them pose as influential individuals on platforms like Telegram, Discord, and Twitter.
The attacker will often claim to have suffered some misfortune or received the offer of a lifetime. Either way, there’s a problem and to solve that problem, this individual needs you to lend them some cryptocurrency.
Here’s an example of a scammer posing as a friend of the recipient claiming they need a loan to cover an “OTC client” - a not-so-subtle attempt at making the recipient think there could be big money on the line.
Because many messaging sites allow users to set their own display name, in many cases attackers don’t even need creative misspelling in their attempts to deceive others.
They can easily copy and paste the pictures and bios of influential people to try and lend credibility to their account.
In the example above, the would-be attacker posed as a friend of the recipient using their actual name.
How to stay safe
In many cases, a healthy dose of skepticism should be enough to avoid falling victim to phishing attacks. If someone contacts you from a different account than normal, using a different platform than they would usually use, or in a way that just seems fishy, be careful!
If someone reaches out appearing to be from a particular project, reach out on their official communications channels to double-check whether or not the person is who they say they are.
Always double-check the username instead of relying on display names to identify individuals on messaging platforms.
If you know the person, call them or reach out on a channel you’ve already established and know to be safe to confirm their identity.
No legitimate member of any legitimate project will randomly reach out online with a situation that would legitimately require someone to send funds or reveal their private key.
In the example above, notice how the recipient claimed not to be holding/hodling a significant amount. Whether true or not, hodlers should avoid disclosing their holdings unless it is necessary, so as not to become the target of this type of attack.