
Demystifying a new type of scam: maliciously modifying RPC node links to defraud assets

Author: MarsBit

Original author: Lisa

Original source: SlowMist Technology

Background

According to our partner imToken, a new type of cryptocurrency scam has recently emerged. It generally targets offline, in-person transactions, uses USDT as the payment method, and relies on pointing the victim's wallet at a modified Ethereum node via the node's Remote Procedure Call (RPC) endpoint to carry out the fraud.

Scam process

The SlowMist security team analyzed this type of scam; the scammer's procedure is as follows:

First, the scammers persuade the target user to install a genuine imToken wallet and send them 1 USDT and a small amount of ETH as bait to gain their trust. They then instruct the user to change the Ethereum RPC URL in the wallet to the scammers' own node (https://rpc.tenderly.co/fork/34ce4192-e929-4e48-a02b-d96180f9f748).

That node is a fork created with Tenderly's Fork feature, on which the scammers have rewritten the victim's USDT balance so that the wallet shows a large "payment" as credited. Seeing the balance, the user believes the funds have arrived and hands over the goods or cash. Only when the user later tries to move the USDT, for example by sending in ETH for gas and attempting a transfer, does it become clear that the balance exists only on the fork and not on the real Ethereum network. By then the scammers have long since disappeared.


In fact, a Tenderly fork can alter more than a displayed balance: contract code and storage can also be changed on the fork, so a wallet pointed at such a node can be shown any contract state the scammer chooses, which poses an even greater threat to users.

(Screenshot from Tenderly's documentation: https://docs.tenderly.co/forks)

To interact with a blockchain, a wallet needs a way to talk to a node, and RPC (specifically JSON-RPC for Ethereum) is that interface: it is how the wallet checks balances, builds and broadcasts transactions, and calls smart contracts. For example, when a user connects a wallet such as imToken to a decentralized exchange, every read and write goes through the wallet's configured RPC endpoint. The important consequence is that the wallet does not verify the data it displays; it shows whatever the node it is connected to returns. By default, wallets ship connected to a trusted node and users never need to change this setting. If, however, a user follows someone else's instructions and points the wallet at an untrusted node, the balances and transaction history shown in the wallet can be maliciously fabricated, which can lead directly to financial loss. A balance that matters should therefore be confirmed on an independent block explorer or through a second, independently chosen RPC endpoint before anything of value changes hands.
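The following script is an added example written for this article; it is not code from SlowMist, imToken or Tenderly. It shows the check a practitioner would run for both the scam sequence and the RPC explanation above: ask the wallet's configured RPC endpoint and an independent reference node the same `eth_call` for USDT `balanceOf(victim)`, and flag any disagreement (a forked node can lie about a balance, but it cannot make an independent node agree). The mainnet USDT contract address, its 6 decimals, the `rpc.tenderly.co/fork/` URL pattern (taken from the endpoint used in this scam, with a zeroed placeholder fork ID), the victim address and the canned balances are all assumptions or constructed data for the offline run; the `HttpRpc` transport is provided for use against real endpoints.

```python
"""Cross-check a wallet's RPC endpoint against an independent node.

A forked node can answer eth_call with any balance it likes, so the only
reliable check is to ask a second, independently chosen endpoint the same
question and compare. Transports are injectable so the script runs offline
with the constructed responses at the bottom.
"""
import json
import re
import urllib.request

# Mainnet USDT contract address and its 6 decimals (assumed here; confirm
# them on an independent explorer before relying on them).
USDT = "0xdAC17F958D2ee523a2206206994597C13D831ec7"
USDT_DECIMALS = 6
BALANCE_OF_SELECTOR = "0x70a08231"  # first 4 bytes of keccak256("balanceOf(address)")

# URL patterns that indicate a forked/sandboxed chain rather than mainnet.
# The Tenderly fork pattern is the one used in the scam described above.
FORK_URL_PATTERNS = [re.compile(r"rpc\.tenderly\.co/fork/", re.I)]


def balance_of_calldata(holder: str) -> str:
    """ABI-encode balanceOf(holder): 4-byte selector + 32-byte left-padded address."""
    addr = holder.lower().removeprefix("0x")
    if not re.fullmatch(r"[0-9a-f]{40}", addr):
        raise ValueError(f"bad address: {holder}")
    return BALANCE_OF_SELECTOR + addr.rjust(64, "0")


def decode_uint256(hex_result: str) -> int:
    """Decode the 32-byte hex word returned by eth_call ("0x" alone means 0)."""
    body = hex_result.removeprefix("0x")
    return int(body, 16) if body else 0


class HttpRpc:
    """Minimal JSON-RPC transport over HTTP (stdlib only, no web3 dependency)."""

    def __init__(self, url: str):
        self.url = url

    def call(self, method: str, params: list):
        payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(self.url, data=payload, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
        if "error" in reply:
            raise RuntimeError(f"{method}: {reply['error']}")
        return reply["result"]


class FakeRpc:
    """Offline stand-in for a node: canned chainId and per-holder token balances."""

    def __init__(self, url: str, chain_id: int, token_balances: dict):
        self.url, self.chain_id = url, chain_id
        self.token_balances = {k.lower(): v for k, v in token_balances.items()}

    def call(self, method: str, params: list):
        if method == "eth_chainId":
            return hex(self.chain_id)
        if method == "eth_call":
            holder = "0x" + params[0]["data"][-40:]  # last 20 bytes of the calldata
            return hex(self.token_balances.get(holder, 0))
        raise RuntimeError(f"unsupported method {method}")


def query_token_balance(rpc, holder: str, token: str = USDT) -> dict:
    """Return the chainId and raw token balance reported by one endpoint."""
    chain_id = int(rpc.call("eth_chainId", []), 16)
    result = rpc.call("eth_call", [{"to": token, "data": balance_of_calldata(holder)}, "latest"])
    return {"chain_id": chain_id, "raw": decode_uint256(result)}


def format_units(raw: int, decimals: int = USDT_DECIMALS) -> str:
    """Render a raw integer balance as a decimal string without float rounding."""
    return f"{raw // 10**decimals}.{raw % 10**decimals:0{decimals}d}"


def cross_check(wallet_rpc, reference_rpc, holder: str, token: str = USDT) -> list:
    """Return a list of findings; an empty list means the two endpoints agree."""
    findings = []
    for pat in FORK_URL_PATTERNS:
        if pat.search(wallet_rpc.url):
            findings.append(f"wallet RPC URL matches fork pattern: {wallet_rpc.url}")
    w = query_token_balance(wallet_rpc, holder, token)
    r = query_token_balance(reference_rpc, holder, token)
    if w["chain_id"] != r["chain_id"]:
        findings.append(f"chainId differs: wallet {w['chain_id']} vs reference {r['chain_id']}")
    if w["raw"] != r["raw"]:
        findings.append(f"token balance differs: wallet RPC shows {format_units(w['raw'])} "
                        f"vs reference {format_units(r['raw'])}")
    return findings


# Constructed scenario: the reference node holds the 1 USDT bait, while the
# forked node reports 10,000 USDT for the same address and the same chainId.
VICTIM = "0x" + "9a" * 20  # placeholder address, not the real victim's
HONEST_NODE = FakeRpc("https://example-reference-node.invalid", 1, {VICTIM: 1_000_000})
FORKED_NODE = FakeRpc("https://rpc.tenderly.co/fork/00000000-0000-0000-0000-000000000000",
                      1, {VICTIM: 10_000_000_000})

if __name__ == "__main__":
    for finding in cross_check(FORKED_NODE, HONEST_NODE, VICTIM):
        print("WARNING:", finding)
```

Note that the chainId comparison alone is not enough: a fork of mainnet can report the same chainId as mainnet, so the balance comparison against an endpoint the user chose independently is the check that actually catches this scam. Against real nodes, replace the `FakeRpc` instances with `HttpRpc(url)` objects.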

MistTrack Analysis

Using the on-chain tracking tool MistTrack, we examined one of the known victim wallet addresses (0x9a7... Ce4) and can see that it received small bait transfers of 1 USDT and 0.002 ETH from the address (0x4df... 54b).


Looking at the address (0x4df... 54b), we found that it sent 1 USDT to each of three separate addresses, which suggests that this address has been used to run the same scam at least three times.


Tracing further back, the address is associated with multiple trading platforms and has interacted with an address that MistTrack has labeled as a "Pig Butchering Scammer".


Summary

The cunning of this type of scam lies in exploiting a psychological weakness: users tend to look only at whether the funds have appeared in their wallet and ignore where that number came from. Scammers build on this trust and carelessness with a series of convincing actions, such as the small bait transfers, before the fake balance is shown. The SlowMist security team therefore advises users to stay vigilant and improve their self-protection awareness when trading: never change a wallet's RPC endpoint at another party's request, and never treat a balance shown in the wallet as settled until it has been confirmed on an independent block explorer.