| Authors: twitter.com/ortomichDev, twitter.com/officer_cia
Today we're going to look into a new scam method! Do not confuse it with allowance approve scam (to prevent which you can use revoke.cash / unrekt.net) which targets ERC20 tokens, but not Ethers. (1, 2, 3, 4).
In presented attack, scammers may steal your Ethers.
❗️ Please report scam here:
Use this information for educational purposes only ❗️
Prehistory
Recently in the network began to appear a large number of scam websites like you can see on video. All such sites have the same structure, which can tell us about one thing - they are all run & made by a single man or we deal with some kind of a MaaS.
When you enter the site you are then asked to sign a message, well, you sign it, because everyone knows that the simple signature of a message through the MetaMask is not terrible, and should be safe, right? But no, MetaMask warns you with an alert, but inattentive users sign the message anyway and then the most interesting thing happens - the transaction is sent to the address of the scammer with all your Ethers! Yes, with a simple message signature they can send the transaction on your behalf!
How does it work in details?
Let's not get too deep into the technical details, let's try to get as superficial and crude a handle on the matter as possible. There are different ways to sign message (for example personal_sign) and only at one of them MetaMask will warn you, it happens only in case of eth_sign, and the reason is simple string "\x19Ethereum Signed Message:\n", but how it affects so much?
First, let's understand the order in which each of these two types of signatures is signed:
eth_sign: message -> hash(message) -> JSON-RPC request -> display request -> sign request
personal_sign: message -> JSON-RPC request -> display request -> hash(message) -> sign request
As we can see, in eth_sign we have hashing first, and then "\x19Ethereum Signed Message:\n" is added, and in personal_sign we have "\x19Ethereum Signed Message: \n", and after that hashing, so in eth_sign we can pass the message with all transaction data, take out unnecessary "\x19Ethereum Signed Message:\n" and get signed transaction, which now should be sent and that's all, attack performed successfully!
Don't be afraid of all signatures
In case your signature is suspicious you will be notified by MetaMask with big red alert (like on video), in other cases message signing is completely safe action, which just confirms that you are the owner of the wallet, and site does not get any data about private keys or other secret information from you!
Here is the repository with the exploit code:
https://github.com/ortomich/scam_with_sign
Use this information for educational purposes only ❗️
References:
Use dangerzone.rocks if you are working with PDFs and please follow OpSec Guide!
• How to store crypto securely - tips from CIA_Officer
• 2 Violent attack vectors in Crypto: a detailed review
Original article: Original article!
Support is very important to me, with it I can spend less time at work and do what I love - educating DeFi & Crypto users!
If you want to support my work, you can send me a donation to the address:
-
0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A or officercia.eth — ETH, BSC, Polygon, Optimism, Zk, Fantom, etc
-
4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds - Monero XMR