- EtherScan has received reports of phishing popups via a third-party integration, and has advised its users not to confirm any transactions that pop up on its website.
How did the Attack Occur?
It was caused by a malicious HTML5 banner ad script served by CoinZilla, a popular crypto ad network used by many crypto sites. Here is the link to the malicious code used in the scam: https://gist.github.com/ivigamberdiev/9705621088359bd1a7cceca53608875f. The attacker's goal was to obtain token approvals, or to perform swaps through DEXes, to their own address. We would like to credit Igor Igamberdiev for this information.
A single campaign containing a piece of malicious code managed to pass CoinZilla's automated security checks. It ran for less than an hour before the CoinZilla team stopped it and locked the account. Users of CoinGecko and DEXTools have also seen the same ad. Below is a screenshot of the phishing ad.
In the screenshot below, we can see that the ad above links to an iframe that loads the malicious script. We would like to credit Jon_HQ for this information. If someone has interacted with the signature request, revoke the approvals with http://revoke.cash. Users can also use ad blockers like uBlock Origin, AdLock, and AdBlock Plus.
According to Doyler NFT, after the message is signed, the script then asks for spender approval on ETH, BSC, CRO, or FTM. It only asks for these approvals if the balance in the wallet is greater than the threshold amounts. Below is a screenshot of the thresholds required.
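The request the ad was trying to get users to confirm is an ERC-20 approve() that hands a spender an allowance over the user's tokens. The following is an added example, not code from the article, from Etherscan, or from CoinZilla: it wraps an EIP-1193 provider (the window.ethereum shape wallets inject), decodes the approve() calldata in each eth_sendTransaction request, and blocks approvals to unknown spenders or with an unlimited amount unless a decision callback lets them through. The spender allow-list, token and spender addresses, and the fake wallet are constructed placeholders; the approve() selector 0x095ea7b3 is the standard ERC-20 one.

```javascript
// Added example, not code from the article or from Etherscan/CoinZilla.
// Guard around an EIP-1193 provider: inspect eth_sendTransaction requests before
// they reach the wallet and flag ERC-20 approve() calls to unknown spenders or
// with an unlimited allowance, i.e. the request the phishing ad solicited.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Constructed allow-list of spenders the user recognises; placeholder address, not a real contract.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Decode approve(address spender, uint256 amount) calldata; null if this is not an approve().
function decodeApprove(data) {
  if (typeof data !== "string" || !data.toLowerCase().startsWith(APPROVE_SELECTOR)) return null;
  const args = data.slice(10); // strip "0x" + 8-hex-char selector
  if (args.length !== 128 || !/^[0-9a-fA-F]+$/.test(args)) return null;
  // The address is right-aligned in its 32-byte word: 12 zero bytes, then 20 address bytes.
  const spender = "0x" + args.slice(24, 64).toLowerCase();
  const amount = BigInt("0x" + args.slice(64, 128));
  return { spender, amount };
}

// Classify one transaction object ({ to, data, value, ... }) as a wallet would receive it.
function assessTx(tx) {
  const decoded = decodeApprove(tx && tx.data);
  if (!decoded) return { kind: "other", risk: "low", reasons: [] };
  const reasons = [];
  if (!KNOWN_SPENDERS.has(decoded.spender)) reasons.push("unknown spender " + decoded.spender);
  if (decoded.amount === MAX_UINT256) reasons.push("unlimited allowance");
  return {
    kind: "approve",
    token: (tx.to || "").toLowerCase(),
    spender: decoded.spender,
    amount: decoded.amount,
    risk: reasons.length ? "high" : "low",
    reasons,
  };
}

// Wrap a provider so high-risk approvals are rejected unless decide(verdict) returns true,
// e.g. after showing the user the decoded spender and amount instead of raw calldata.
function guardProvider(provider, decide = () => false) {
  const forward = provider.request.bind(provider);
  return {
    request(args) {
      if (args && args.method === "eth_sendTransaction") {
        const verdict = assessTx(Array.isArray(args.params) ? args.params[0] : undefined);
        if (verdict.risk === "high" && !decide(verdict)) {
          return Promise.reject(new Error("blocked approve: " + verdict.reasons.join("; ")));
        }
      }
      return forward(args);
    },
  };
}

// Constructed sample requests; every address below is a placeholder, not a real contract.
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0"); // left-pad to one 32-byte ABI word
const UNLIMITED_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222", // placeholder token contract
  data: APPROVE_SELECTOR + pad("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef") + pad(MAX_UINT256.toString(16)),
};
const LIMITED_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222",
  data: APPROVE_SELECTOR + pad("1111111111111111111111111111111111111111") + pad((1000n).toString(16)),
};
const PLAIN_TRANSFER_TX = { to: "0x3333333333333333333333333333333333333333", value: "0x1" };

// Stand-alone demo against a fake wallet that only echoes a placeholder hash.
const fakeWallet = { request: async () => "0xplaceholdertxhash" };
const guarded = guardProvider(fakeWallet);
for (const tx of [UNLIMITED_APPROVE_TX, LIMITED_APPROVE_TX, PLAIN_TRANSFER_TX]) {
  guarded
    .request({ method: "eth_sendTransaction", params: [tx] })
    .then((hash) => console.log("forwarded to wallet:", assessTx(tx).kind, hash))
    .catch((err) => console.log("stopped before wallet:", err.message));
}
```

The guard only sees what the page's own scripts route through it, so it is a wallet-side or extension-side control rather than something a publisher can enforce on a third-party iframe; it is useful because the decoded spender and amount are what a user needs to compare against the thresholds and spender addresses shown in the screenshots above.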
If someone wishes to have fun with the attacker, Doyler NFT has shared the attacker’s Infura API key screenshot.
What was the Team’s Response to the Attack?
The CoinZilla integration was immediately disabled by the EtherScan team as soon as they were notified of this scam. The CoinZilla team has also fixed this issue on their end. The EtherScan team is now monitoring the situation and has not seen any new reports.
The CoinZilla team has also added additional verifications to ensure the security of users seeing their ads. They will also ensure that ad codes are cleaned of any third-party scripts. Furthermore, they will be working closely with their publishers to offer support to affected users and to identify the person behind the attack.
We want to advise our readers that scammers are out there in full force. Users should always be highly suspicious when connecting their wallet to a website, and they should never type in their seed phrase. Users should always make sure they are on the correct URL, and they should never confirm unexpected transactions. They can also use a cold wallet for better security.