DETECT PHISHING EMAILS, FAKE SIGNATURES, SCAM SITES AND TRANSACTION SPOOFING
First, a huge shout-out to the https://theredguild.org/ team for what they are doing.
These guys have amazing stuff for all of us working in Web3. Whether you are a Dev, a Security Researcher or a CEO, you must have a look at what they are doing.
- Check out their blog.
- Their Phishing Dojo.
- Their Security Toolkit.
My Walkthrough On The Phishing Dojo
I recommend you do it on your own first, then read my walkthrough. Do not feel ashamed if you fail; the goal is to learn from our mistakes and avoid falling into traps in the real world.
➡️ Here is the Phishing Dojo.

1. Which of these emails in your inbox is phishing?

What is important here is to look at the “from” section in the headers of the email.

Let’s list all the senders for those 4 emails:
- support@traqc.zendesk.com
- ticketing@devcon.org
- noreply@rgmgt-help-security-x.com
- no-replydm@ens-kqks3naush2.com
The first thing I noticed is that traqc.zendesk.com, rgmgt-help-security-x.com and ens-kqks3naush2.com do not redirect to any website.
How did I do it? I just copied and pasted the domain as a URL.

However, devcon.org has its own webpage, so that one could be legit.
Another thing is that these 3 emails seem to be coming from BIG known companies: X, Metamask and ENS.
We could have investigated further by checking whether these domains are part of the companies' main domains. Example: X's domain is x.com, but in our case the ‘X’ email comes from rgmgt-help-security-x.com, which is NOT part of x.com.
Reminder: subdomains are *.yourdomain.com, not anything-yourdomain.com.
VirusTotal and other online and offline tools allow you to find subdomains.
Another tip that must raise an alert in your mind: ANY email asking for your credentials must be considered suspect, no matter its topic. “Secure your account”, “Update your profile” and many more are well-known techniques used by attackers.
The answer here is: D) All except the second.
2. You received an email for an upcoming workshop of The Red Guild. Is it a legitimate email?
In our mailbox we have 2 emails here, let’s check the sender again. The question asks us to focus on one supposed to be from The Red Guild.
It’s almost impossible to see the trap from here..

Let’s then copy and paste it into our web browser’s URL bar. This is how we detected the trick and identified 2 ‘ii’. Yes, ‘I’ and ‘l’ are very similar.

The answer here is: B) No.
While here the name was almost the same, what I recommend is to always check the email headers to see who the REAL SENDER is. The ‘from’ in an email can be spoofed from a legit domain when the domain is not properly protected.
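The two domain checks from questions 1 and 2 (subdomain versus anything-yourdomain.com, and the ‘I’/‘l’ swap) can be automated. This is an added example, not code from the Phishing Dojo or the original post; metamask.io and ens.domains are assumed official domains, and the theredguiId.org sender is constructed for illustration.

```python
# Official domain for each brand a sender claims to be. x.com, devcon.org and
# theredguild.org appear on the page; metamask.io and ens.domains are assumed.
OFFICIAL = {
    "X": "x.com",
    "Devcon": "devcon.org",
    "The Red Guild": "theredguild.org",
    "MetaMask": "metamask.io",
    "ENS": "ens.domains",
}

# Characters that read alike in many fonts: "I"/"l"/"1" and "O"/"0".
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[1].strip().rstrip(".").lower()


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually identical names compare equal."""
    return domain.lower().translate(CONFUSABLE)


def relation(domain: str, official: str) -> str:
    """Classify how a domain relates to the brand's official domain."""
    domain, official = domain.lower(), official.lower()
    if domain == official:
        return "exact"
    if domain.endswith("." + official):  # the dot is what makes it a subdomain
        return "subdomain"
    if skeleton(domain) == skeleton(official):
        return "homoglyph"
    # Brand name used as a token of a foreign domain, e.g. anything-x.com.
    if official.split(".")[0] in domain.replace(".", "-").split("-"):
        return "lookalike"
    return "unrelated"


def check(address: str, claimed_brand: str) -> str:
    return relation(sender_domain(address), OFFICIAL[claimed_brand])


# Senders from question 1, plus a constructed look-alike for question 2.
for addr, brand in [("noreply@rgmgt-help-security-x.com", "X"),
                    ("ticketing@devcon.org", "Devcon"),
                    ("workshop@theredguiId.org", "The Red Guild")]:
    print(addr, "->", check(addr, brand))
```

An "exact" or "subdomain" result only says who controls the domain; the ‘from’ header itself can still be spoofed, so the header check above still applies.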
3. You received an email from an Ethereum Foundation’s team. Is it malicious?
While the domain is legit (probably spoofed), the content is asking you to take action, and this is what is dangerous.

Just because of this you should consider it as malicious and further investigate.
Reminder: Attackers want you to take unintended actions so they can gain access to your account or computer. Most of today’s phishing campaigns contain malicious PDFs, redirect to malicious web pages, contain malicious links, etc.
The answer here is: A) Yes.
4. A promising investor, whom you’ve met already, has sent you the last meeting’s notes. What do you do?

As we just said for the previous question, play it safe. Don’t be paranoid, but never take fast actions or decisions. Attackers nowadays use such techniques to make you act fast. Don’t fall into traps like “Secure Your Account Right now”, “Security Incident”, etc.
The answers here are: B) Don’t download the notes. C) Forward the email to a security expert. D) Suspect any future interactions with the investor.
5. What’s suspicious in this airdrop site?

The timer wants you to take a fast action: first red flag.

The ‘Claim airdrop now’ leads here and asks for your private key…
No one should be asking you for your private key, not even Binance or Metamask Support.
The answers here are: A) It’s rushing me to take actions D) It’s asking for my private key.
6. Is this a phishing site?

Attackers do not miss opportunities to release phishing campaigns.
During Devcon I have heard about many cases like this one (even for side events).
Here the domain ethereum-devcon.org is not part of devcon.com, and they want you to sign in with your wallet: BIG RED FLAG. In such scenarios you can investigate the domain and find information such as when it was registered (whois, VirusTotal).
The answer here is: A) Yes.
7. If this is a phishing site, then what’s the phishing transaction attempting to do?
Same email, let’s try to follow the steps to understand what’s going on.


I looked up on Etherscan the address that was supposed to receive the funds, and it was a DAI Smart Contract.
Using ChatGPT I was able to see exactly what was happening with this encoded function call.

This transaction allows the specified address (0x3c0C443eD1450AeC31Bd17C3f51E6A4E9eC8c546) to spend tokens on my behalf, up to an unlimited amount…
The answers here are: A) Interact with the DAI Smart Contract C) Approve an attacker to spend all my DAI.
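The encoded call can also be decoded locally instead of pasting it into a chatbot. This is an added example, not code from the original post: it decodes ERC-20 approve(address,uint256) calldata and lists what to warn about before signing. The sample calldata is constructed from the spender address quoted above, with the amount assumed to be the maximum uint256.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1


def decode_approve(calldata_hex: str):
    """Decode ERC-20 approve() calldata; return None if it is something else."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) != 4 + 32 + 32 or data[:4] != APPROVE_SELECTOR:
        return None
    if any(data[4:16]):  # an address is left-padded with 12 zero bytes
        return None
    return {
        "spender": "0x" + data[16:36].hex(),
        "amount": int.from_bytes(data[36:68], "big"),
    }


def review(calldata_hex: str, trusted_spenders=()):
    """Return warnings to show before signing."""
    call = decode_approve(calldata_hex)
    if call is None:
        return []
    warnings = []
    if call["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender %s is not on the trusted list" % call["spender"])
    if call["amount"] == MAX_UINT256:
        warnings.append("unlimited allowance (2**256 - 1)")
    return warnings


# Constructed calldata: the spender is the address quoted above, the amount
# is assumed to be the maximum uint256 ("unlimited").
SPENDER = "0x3c0C443eD1450AeC31Bd17C3f51E6A4E9eC8c546"
SAMPLE = "0x095ea7b3" + "00" * 12 + SPENDER[2:] + "ff" * 32

if __name__ == "__main__":
    print(decode_approve(SAMPLE))
    print(review(SAMPLE))
```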
8. Is this a phishing site?

Let’s try to swap a minimum amount.

This is sending my DAI to the same contract in the previous question.
This website didn’t look like it was usurping a company’s identity, but it was suspicious because we couldn’t find any link to other resources (GitHub, X, LinkedIn, blog, other websites).
The answer here is: A) Yes.
9. If this is a phishing site, then what’s the attacker intending to do?
As we saw from Metamask transaction details, the answer was:
C) Make me sign a message to spend my DAI.
10. You and a friend sent each other some ETH. What’s suspicious in these transactions in your account?

Some TRANSFER transactions have 0 ETH. It’s suspicious.
Let’s have a closer look at who is making the transaction.

While the first and last characters of these addresses are the same, making them look similar, they are different.
The answers here are: B) There’s an incoming transaction right after I sent some ETH C) Some sender addresses look like the first transaction’s recipient D) There’re incoming transactions with 0 ETH.
11. Now select all transactions that are spoofing addresses.

Spoofing transactions are the ones made with 0 ETH.
The answers here are: A) 0xebbe88e177585… D) 0x5d52f1c0875bf...
12. We’ve added one last transaction you executed. Did you fall for the address spoofing attack?

Looks like the recipient of the last transaction is not the one I originally interacted with.
The answer here is: A) Yes.
13. What’s suspicious in these transactions in your account?

In the ‘Token Transfers (ERC-20)’ section, lookalike addresses are used to try to spoof addresses.
The answer here is: B) Some are attempting to spoof addresses.
14. You were targeted after making a test transaction of 1 USDC. Which transactions spoofed the recipient’s address?

After the initial transaction of 1 USDC at the bottom of the list, some transactions followed that spoofed the recipient’s address, using the same techniques as before (similar addresses) and with different amounts.
The answers here are: A) 0xe0f277ca… B) 0x69e8453d… D) 0x4d537b0…
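The pattern from questions 10 to 14 (a transfer from an address that shares the first and last characters of someone you really paid, often with 0 value) can be checked over an account's history. This is an added example, not code from the original post; all addresses and transaction hashes are constructed placeholders, and the 4-character prefix/suffix match is an assumed threshold.

```python
def lookalike(a: str, b: str, head: int = 4, tail: int = 4) -> bool:
    """True if two different addresses share their first and last hex chars."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + head] == b[2:2 + head] and a[-tail:] == b[-tail:]


def review_history(me: str, txs: list) -> list:
    """Walk transactions oldest-first; return (tx hash, finding) pairs."""
    me, trusted, findings = me.lower(), set(), []
    for tx in txs:
        sender, recipient = tx["from"].lower(), tx["to"].lower()
        other = recipient if sender == me else sender
        if any(lookalike(other, t) for t in trusted):
            kind = "sent-to-lookalike" if sender == me else "spoofed-incoming"
            if sender != me and tx["value"] == 0:
                kind += "-zero-value"
            findings.append((tx["hash"], kind))
        elif sender == me:
            trusted.add(recipient)  # a recipient I chose myself
    return findings


# Constructed sample data (not taken from the dojo). Values are in wei.
ME = "0x" + "a1" * 20
FRIEND = "0x1234" + "ab" * 16 + "5678"
FAKE = "0x1234" + "cd" * 16 + "5678"   # same first/last 4 chars as FRIEND

TXS = [
    {"hash": "0xaaa1", "from": ME, "to": FRIEND, "value": 10**18},
    {"hash": "0xaaa2", "from": FAKE, "to": ME, "value": 0},
    {"hash": "0xaaa3", "from": FRIEND, "to": ME, "value": 5 * 10**17},
    {"hash": "0xaaa4", "from": ME, "to": FAKE, "value": 10**18},
]

if __name__ == "__main__":
    for tx_hash, finding in review_history(ME, TXS):
        print(tx_hash, finding)
```

The last sample transaction is the question 12 situation: the recipient was copied from the history and is the lookalike, not the friend.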
Recommendations:
Train your team to recognise evolving phishing tactics and to stay up to date on them. Keep communication open and set up alerts when employees are targeted by phishing campaigns. Create a no-blame culture: if someone falls for phishing, treat it as a learning opportunity for everyone.
Prepare for phishing attempts — they’re not a question of “if” but “when.”
And have good security practices 😊.
Thanks for reading, Souilos.