Thinking@slowmist.com & Cos@slowmist.com

Current State of Web3 Phishing Attacks and Defense Challenges

In Web3, the tactic of "repairing the plank road in the open while secretly marching through Chencang" (a visible decoy covering a hidden move) is widely used. On the surface, attackers pose as project teams and draw traffic with AMAs, airdrops and similar events; in reality they use these to ...

Disguised identity: possibly an impersonated official project social media account, application, website, ...

•Trick users into wallet signatures, e.g. approval signatures, transfer signatures
•Steal users' account credentials, e.g. Telegram, Gmail, X, Discord
•Steal users' social app permissions, e.g. X, Discord
•Lure users into installing malicious programs, e.g. fake wallet apps, fake social apps, fake meeting apps
•......

Craft a pitch as bait, promote it, and give it a story to induce interaction

•Social apps: X, Telegram, Discord, etc.
•Search engines: Google, Baidu, Bing, etc.
•Email: bulk mail distribution via SMTP servers (Google, AWS), etc.
•App stores: Google Play, Chrome Store, App Store, APKCombo, etc.

Attackers use Web3 communities to post enticing Token Airdrop campaigns on Web3 social media ...

•Social platforms: group chats, direct messages, comments, tweets, paid ads, etc.
•Search engines: SEO / paid ads to push rankings
•App stores: listing counterfeit or fake apps

The attacker chats with the victim on a social platform, recommends a "high-quality" project, and leads the victim to the malicious phishing site https[:]//wasper[.]app to download a malicious application.

Guided deception: social engineering, so that the user falls into the trap without noticing

Catch them off guard: pick the moment of weakness -> make the target "take the bait"
•Curiosity/greed: "A top-exit strategy with no fear of selling too early; don't miss a potential 100x coin; see you tonight at 10, meeting link https://us04-zoom.us/"
•Curiosity/greed: "$PENGU airdrop whitelist, not to be missed: https://vote-pengu.com/"
•Fear: "Urgent alert: project XX has been hacked, use revake.cash to revoke approvals and avoid losing funds"

WasabiWallet TornadoCash Monero

Exploiting flaws: abusing defects in Web3 wallets

DM phishing: fake human-verification bot
(SlowMist: Seeing is not believing | Analysis of fake Zoom meeting phishing)

•Verify the official domain
•Verify the project's official social media accounts
•Cross-check information through multiple reliable channels
•Look at community discussion and reviews
•Use a block explorer to inspect contract activity
•Use defensive tools to verify

HardwareWallet AVG

Blockchain Dark Forest Selfguard Handbook
Master these, master the security of your cryptocurrency.
https://darkhandbook.io

Keep following Web3 phishing techniques
•SlowMist: X account security review and hardening guide
•SlowMist: Revealing how malicious browser bookmarks steal your Discord token
•SlowMist: Small bait, big fish | Demystifying the 1155 WBTC phishing incident
•SlowMist: Dark "Angel": unmasking the Angel Drainer phishing gang
•SlowMist: Seeing is not believing | Analysis of fake Zoom meeting phishing
•SlowMist: Beware of WalletConnect phishing risks in Web3 wallets
•SlowMist: Reverse phishing | Exposing the trick of phishing with token decimals
•SlowMist: NFT anti-phishing guide: how to choose an anti-phishing browser extension
•SlowMist: Lifting the veil on Monkey Drainer, the gang behind tens of millions of dollars in theft
•SlowMist: Analysis of the Balancer.fi BGP hijacking attack
•SlowMist: Protect your wallet! A panoramic tracking of fake wallets
•SlowMist: New scam | Beware of phishing URLs disguised as transfer addresses

Case 1
•Phishing websites steal the mnemonic phrase.

Case 2
•Approve is a common mechanism of Ethereum smart contracts (e.g. ERC20, ERC721, ERC1155, etc.).
•Phishing websites can use Approve to carry out token theft attacks.

Case 3
•Phishing websites can use Transfer to carry out ETH/token theft attacks.
Case 4
•Phishing websites can use eth_sign to carry out ETH/token theft attacks.
•eth_sign is a low-level signature method of Ethereum, and MetaMask shows a red text alert.
•For the user, the message is just a string of 66 characters beginning with 0x.
•This is a kind of blind signing.
https://mp.weixin.qq.com/s/E-LSN5eYwWhCQOH46-XyNg

Case 5
•Phishing websites can use personal_sign to carry out NFT theft attacks.
•The root causes are:
–Users signed NFT listing requests on an NFT marketplace.
–Hackers phished users to obtain the relevant signatures.
–Hackers stole users' NFTs at very low cost.

Case 6
•Phishing websites can use signTypedData_v4 to carry out NFT theft attacks.
•The root causes are:
–Users signed NFT listing requests on an NFT marketplace.
–Hackers phished users to obtain the relevant signatures.
–Hackers stole users' NFTs at very low cost.
https://twitter.com/evilcos/status/1578993566675742721

Case 7
•Signature phishing against DAI/USDC
•If signed, the hacker obtains the signature result (the r, s, v values)...
•Calling DAI's permit function then completes the authorization and the coin theft:

Case 8
•Phishing that interacts with upgradeTo of OpenSea Wyvern Protocol's OwnableDelegateProxy :-(
•Sets a malicious implementation address.
•Which gives the hacker permission to withdraw your NFTs.

EVM opcode reference:
73: PUSH20        PUSH(uint160)                pushes a 20-byte value onto the stack
FF: SELFDESTRUCT  selfdestruct(address(addr))  sends all funds to addr and, pre-Cancun hardfork (EIP-7680), destroys the contract

Case 9
    // Recipient's address (0 indicates contract creation)
    "to": 0,
    // Gas price in wei (0x09184e72a000 = 10^13 wei, i.e. 10,000 Gwei)
    "gasPrice": "0x09184e72a000",
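The request patterns in Cases 4, 7, 8 and 9 (eth_sign blind signing, Permit typed data, upgradeTo calls, and a transaction with no recipient) can all be flagged by a wallet or anti-phishing extension before the user signs. The following is an added illustration, not SlowMist's code: a small classifier over wallet JSON-RPC requests, in which the classifyRequest function, the trusted-spender allowlist and the sample requests are assumptions.

```javascript
// Added illustration (not SlowMist's code): flag the request patterns from Cases 4, 7, 8 and 9
// in wallet JSON-RPC requests, as an anti-phishing extension or wallet could before signing.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = { // real, well-known 4-byte selectors of the calls the cases revolve around
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x3659cfe6": "upgradeTo(address)",
};

// Returns human-readable findings for one request (empty array = no known pattern).
// trustedSpenders: lowercase addresses the user has vetted (hypothetical allowlist).
function classifyRequest(req, trustedSpenders = new Set(), nowSec = Math.floor(Date.now() / 1000)) {
  const findings = [];
  switch (req.method) {
    case "eth_sign":
      // Case 4: the user only sees a 0x-prefixed 66-character string, i.e. a blind signature
      findings.push("eth_sign: blind signature over an opaque 32-byte hash");
      break;
    case "eth_signTypedData_v4": {
      // Case 7: a Permit signature (r, s, v) lets the spender pull tokens with no on-chain
      // action by the victim, so inspect spender, amount and expiry before signing
      const typed = JSON.parse(req.params[1]);
      const m = typed.message || {};
      if (typed.primaryType === "Permit") {
        const spender = String(m.spender || "").toLowerCase();
        if (!trustedSpenders.has(spender)) findings.push(`Permit: unknown spender ${spender}`);
        if (m.value !== undefined && BigInt(m.value) === MAX_UINT256) findings.push("Permit: unlimited value");
        if (m.allowed === true) findings.push("Permit: DAI-style allowed=true grants full allowance");
        const deadline = Number(m.deadline ?? m.expiry ?? 0); // ERC-2612 uses deadline, DAI uses expiry
        if (deadline > nowSec + 365 * 86400) findings.push("Permit: expiry more than a year away");
      }
      break;
    }
    case "eth_sendTransaction": {
      const tx = req.params[0] || {};
      if (tx.to === undefined || tx.to === null || tx.to === 0 || tx.to === "0x") {
        // Case 9: no recipient means contract creation; init code can PUSH20 an attacker
        // address and SELFDESTRUCT, forwarding the attached value
        findings.push("sendTransaction: contract creation (no recipient)");
      }
      const data = String(tx.data || "").toLowerCase();
      const fn = SELECTORS[data.slice(0, 10)];
      if (fn) {
        const target = "0x" + data.slice(34, 74); // low 20 bytes of the first ABI word
        if (!trustedSpenders.has(target)) findings.push(`${fn}: target ${target} not trusted`);
        if (fn.startsWith("approve(") && data.length >= 138 && BigInt("0x" + data.slice(74, 138)) === MAX_UINT256) findings.push("approve: unlimited amount");
        if (fn.startsWith("upgradeTo")) findings.push("upgradeTo: proxy implementation change (Case 8)");
      }
      break;
    }
  }
  return findings;
}
```

A real extension would also resolve the target address against a known-scam list and decode the full EIP-712 domain, but the checks above already catch the shape of every case on these slides.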