Scammers are targeting crypto users with new ‘zero value TransferFrom’ trick

The trick allows the attacker to confirm zero-value transactions from the victim’s wallet, hijacking the user’s transaction history.

Data from Etherscan shows that some cryptocurrency scammers are targeting users with a new technique that lets them confirm transactions from the victim's wallet without the victim's private key. The attack only works for transactions of zero value, but it can still cause users to send funds to the attacker when they copy and paste an address from a hijacked transaction history.

Blockchain security firm SlowMist observed this new technique last December and disclosed it in a blog post. Since then, both SafePal and Etherscan have adopted mitigations to limit the harm to users, but some users are probably still unaware of it.

According to SlowMist's post, the scam works by sending a zero-value token transaction from the victim's wallet to an address that looks similar to one the victim has previously sent tokens to.

For example, if the victim sends 100 coins to an exchange deposit address, the attacker may send zero coins from the victim's wallet to an address that looks similar but is actually under the attacker's control. The victim may later see this transaction in their history and conclude that the address shown is the correct deposit address. As a result, they may send coins straight to the attacker.

Transactions are sent without the user's consent

Normally, an attacker needs the victim's private key to send a transaction from the victim's wallet. But the "contract" tab on Etherscan reveals a loophole in some token contracts that lets attackers send transactions from any wallet.

For example, the USDC contract code on Etherscan shows that the "TransferFrom" function allows anyone to move coins from another person's wallet, as long as the amount moved is less than or equal to the allowance that the address owner has granted to the caller.

This normally means that an attacker cannot make a transaction from another person's address unless that person has approved it.

However, there is a loophole in this restriction. The allowance is defined as a number (the "uint256" type), which means it is read as zero unless it has been explicitly set to some other value. This can be seen in the "allowance" function.

Therefore, as long as the value of the transaction is less than or equal to zero, the attacker can send a transaction from any wallet they choose, without the owner's private key or prior approval.
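The following is an added example, not code from the article or from any token contract: a small Python model of the ERC-20 allowance and transferFrom logic described above, showing why a zero-value transferFrom succeeds with no approval while a one-unit transfer is rejected. The `Erc20Model` class and `unauthorized_zero_transfers` helper are constructed for illustration.

```python
# Added example (not from the article): a toy ERC-20 ledger whose mappings,
# like Solidity mappings, read as 0 for any key that was never set.
from collections import defaultdict


class Erc20Model:
    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.allowances = defaultdict(int)   # (owner, spender) -> amount
        self.transfer_events = []            # (src, dst, value, caller)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, src, dst, amount):
        """Mirrors the reference check: require(amount <= allowance[src][caller]).
        With no approval the allowance is 0, so amount == 0 passes."""
        allowed = self.allowances[(src, caller)]
        if amount > allowed:
            raise PermissionError("transfer amount exceeds allowance")
        if amount > self.balances[src]:
            raise ValueError("transfer amount exceeds balance")
        self.allowances[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] += amount
        # A Transfer event is emitted even for a zero-value move, which is what
        # pollutes the victim's history in wallets and explorers.
        self.transfer_events.append((src, dst, amount, caller))
        return True


def unauthorized_zero_transfers(token):
    """Explorer-style filter: zero-value Transfer events written by a caller
    that is neither the holder nor an approved spender of that holder."""
    return [e for e in token.transfer_events
            if e[2] == 0 and e[3] != e[0] and token.allowances[(e[0], e[3])] == 0]


if __name__ == "__main__":
    victim, attacker, lookalike = "0xvictim", "0xattacker", "0xlookalike"  # constructed
    usdc = Erc20Model({victim: 100})
    usdc.transfer_from(attacker, victim, lookalike, 0)        # succeeds, no approval
    try:
        usdc.transfer_from(attacker, victim, lookalike, 1)    # rejected
    except PermissionError as err:
        print("1-unit transferFrom rejected:", err)
    print("flagged events:", unauthorized_zero_transfers(usdc))
```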

USDC is not the only token that allows this. Similar code can be found in most token contracts. It can even be found in the example contracts linked from the Ethereum Foundation's website.

An example of a zero-value transfer scam

Etherscan shows that some wallet addresses send more than a thousand zero-value transactions from victims' wallets every day without the victims' consent.

For example, an unverified smart contract labelled FAKE_Phishing7974 executed more than 80 transactions on Jan. 12, each of which contained 50 zero-value transfers, for a total of 4,000 unauthorized transfers in a single day.

Fake addresses

A closer look at each transaction reveals the motive for this spam: the address to which the attacker sends the zero-value transactions closely resembles an address the victim has previously sent funds to.

For example, Etherscan shows that one of the addresses targeted by the attacker was:

0x20d7f90d9c40901488a935870e1e80127de11d74

On January 29, this account sent 5,000 USDT to this recipient address:

0xa541efe60f274f813a834afd31e896348810bb09

Shortly afterwards, FAKE_Phishing7974 sent a zero-value transaction from the victim's wallet to this address:

0xA545c8659B0CD5B426A027509E55220FDa10bB09

The first five characters and the last six characters of the two recipient addresses are identical, but the characters in between are completely different. The attacker likely hoped the user would send USDT to the second (fake) address instead of the real one, handing their coins to the attacker.

In this case, the scam does not appear to have worked, since Etherscan shows no transactions from this address to the fake address set up by the scammer. But given the volume of zero-value transactions from the account, the plan may have worked in other cases.

Wallets and block explorers differ widely in whether and how they display these bogus transactions.

Wallets

Some wallets may not show the spam transactions at all. For example, if MetaMask is reinstalled, it shows no transaction history whatsoever, even if the account has hundreds of transactions on the blockchain. This suggests that it stores its own transaction history rather than pulling the data from the blockchain, which would keep the spam transactions out of the wallet's history.

On the other hand, if a wallet pulls its data directly from the blockchain, the spam transactions are likely to appear in its display. In a Dec. 13 post on Twitter, SafePal CEO Veronica Wong warned SafePal users that their wallets may show such transactions. To mitigate the risk, she said SafePal is changing how addresses are displayed in an upgraded version of the wallet to make it easier for users to inspect them.

In December last year, a user also reported that their Trezor wallet was displaying such fake transactions.

Cointelegraph emailed Trezor developer SatoshiLabs for comment. In response, a representative said the wallet does pull its transaction history directly from the blockchain "every time a customer inserts his Trezor wallet".

However, the team is taking steps to protect users from the scam. In the newly released Trezor Suite update, the software will "identify abnormal zero-value transactions to remind users that such transactions are implicitly deceptive." The company also stressed that the wallet always displays the full address of every transaction, and that they "strongly urge customers to check the detailed address from beginning to end, not just the first and final characters."

Block explorers

Apart from wallets, block explorers are another kind of software used to view transaction history. Some explorers may, like some wallets, display these transactions in a way that inadvertently misleads users.

To mitigate this threat, Etherscan has begun greying out zero-value token transactions that were not initiated by the user. It also marks them with a warning icon indicating that "this is a zero-value token transfer initiated by another address," as shown in the image.

Other block explorers may have implemented the same measures as Etherscan to warn users about these transactions, but some probably have not yet.

Tips for avoiding the "zero-value TransferFrom" scam

Cointelegraph contacted SlowMist for advice on how to avoid falling victim to the zero-value TransferFrom scam.

A representative of the company offered Cointelegraph a series of tips for avoiding the attack:

  1. "Before carrying out any transaction, exercise caution and verify the address."
  2. "Use the authorization management function in the wallet to avoid remitting funds to an incorrect address."
  3. Be vigilant and aware. When you encounter any unusual transfer, take the time to investigate the matter calmly so as not to fall into the trap of criminals.
  4. Maintain healthy skepticism and continue to be cautious and careful.

In light of this advice, the most important thing for crypto users to remember is to check the address from beginning to end before sending crypto. Even if the transaction history seems to show that you have previously sent crypto to that address, the record itself may be fraudulent.

by wjb news
© 2023 WJB All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Tue, 18 Apr 2023