How to identify fake websites?
On May 29, 2021, a user reported to imToken that over 500,000 USDT worth of assets in his wallet had been stolen. He had searched for “imToken” on Baidu and clicked a link to a fake website, from which he downloaded a fake wallet app, leading to the loss.
After investigation, imToken discovered that scammers had purchased search terms and ad space on Baidu. Whether the search was for imToken, Mathwallet, TokenPocket, or MetaMask, the first to third ranked results were all scam sites that served fake wallet apps for download.
imToken has contacted Baidu to take down the scammer ads, while continuously collecting evidence to help the police block these fake websites and arrest the scammers.
Though the scammer ads have been taken down as of this writing, some of the fake websites are still there.
Here are some tips to protect you from scams:
- Add commonly used websites to your browser favorites.
- Double-check the project information on different channels: When learning about a project, you can start by searching for information on WeChat, Weibo, Twitter, etc. Maintaining a presence on multiple platforms costs scammers far more than building a single fake website, and these platforms usually link to the real official website.
- Ask a trusted friend: Ask someone who has basic knowledge of blockchain and whom you know in real life. Do not ask in WeChat groups or Telegram, where you can easily be scammed.
- Fake websites generally do not support multiple languages. Even if they do, their translations are done by software and lack the nuance of the official websites, which are translated by human translators.
- Tell your friends the tips above to build "herd immunity".
Scams: What are they & How to avoid them
QR code phishing
The scammer induces a user, who has 1,000 USDT, to scan a QR code to transfer 1 USDT. After a while, the user finds out that the remaining 999 USDT have been transferred to the scammer’s address without his signature.
Scammers currently thrive on Tron, airdropping tokens such as OZBT, AAMT, FIL, etc. to users. The information attached to the airdropped token tells users that they can exchange these tokens for TRX on the official website.
When you swap tokens in the scammer's exchange, you are actually tricked into transferring TRX, USDT, etc. to the scammers’ address.
Fake decentralized wallet
Some centralized wallets disguise themselves as decentralized wallets, lure users into creating or importing private keys in their wallets, and upload the private keys to servers to steal users' money.
Why do we write this security newsletter?
From January to June 2021, imToken received 430 reports of scams, a 35% increase compared to the first half of 2020. In May this year, 6 tokens and 4 addresses were marked as risky by our security team. Meanwhile, imToken blocked 54 risky DApp websites and released imToken 2.9.2 with updated DApp browser security risk control. You can refer to this blog for more details.
By exposing these scams, imToken wants to prevent users from being scammed. We also hope you can share this newsletter with your friends to build “herd immunity”.
If you spot any attempted or successful website scams, please report them to us by sending an email to firstname.lastname@example.org.