Hackers have been observed abusing a feature in the Ethereum blockchain to trick victims into sending money.
In the last six months, the criminals were able to trick almost 100,000 people into giving away a total of $60 million, according to a new report from Scam Sniffer.
As per the report, the hackers used a function called Create2, an opcode that allows users to predict the address of a contract before it is deployed on the Ethereum network, because the address is derived deterministically from the deployer, a salt value and the contract code. In other words, hackers can generate a fresh address for each individual transaction – an address that closely resembles the one where the victim intended to send the funds. The scheme is dubbed “address poisoning”.
Bypassing security
Most users, before sending any funds, do two things: 1) they double-check the recipient’s address to make sure they’re sending the money to the right place; 2) they send a small transaction first to make sure everything works, before sending the remaining funds. However, as the addresses are a long string of seemingly random characters, most users just cross-check the first and last few characters, instead of comparing the entire strings.
By creating an address that differs in just a few characters, the attackers can trick people into believing the address is the intended one and sending the funds to it. That, however, still leaves the second failsafe – the test transaction. Criminals work around this by forwarding the test transaction to the actual address, so the small test payment arrives where the victim expects.
The lookalike addresses don’t belong directly to a wallet controlled by the attackers, but are rather a smart contract that then transfers the funds to the final destination. The researchers said they observed multiple cases of fraud leveraging Create2, with one victim losing up to $1.6 million.
Users are advised to thoroughly check the entire address before sending the funds, and not just first and last characters.
Via BleepingComputer