In-depth Analysis: The Cryptocurrency Phishing Industry Behind the $243 Million Loss

Phishing Attack Industrialization: Analyzing the "Scam as a Service" Ecosystem in the Crypto World

In the third quarter of 2024, phishing became the most economically damaging attack method, with over $243 million taken across 65 attacks. These frequent phishing attacks are likely related to the notorious Inferno Drainer team. The team announced its "retirement" at the end of 2023, but now appears to be active again and has carried out a series of large-scale attacks.

This article will analyze the typical tactics used by phishing attack groups such as Inferno Drainer and provide a detailed list of their behavioral characteristics to help users improve their ability to identify and prevent phishing scams.

What Is "Scam as a Service"

In the crypto world, phishing teams have invented a new malicious model called "scam as a service." This model packages scam tools and services and sells them commercially to other criminals. Inferno Drainer is a typical representative of this field: it was responsible for scams amounting to over $80 million between November 2022 and November 2023, when it first announced the closure of its services.

Inferno Drainer helps buyers quickly launch attacks by providing ready-made phishing tools and infrastructure, including phishing website front and back ends, smart contracts, and social media accounts. Phishers who purchase the services retain most of the ill-gotten gains, while Inferno Drainer takes a commission of 10%-20%. This model significantly lowers the technical barriers to fraud and makes cybercrime more efficient and scalable, which has led to a proliferation of phishing attacks within the crypto industry, especially against users who lack security awareness.

How "Scam as a Service" Works

Phishing attackers cleverly induce users to perform unsafe actions by designing malicious front-end interfaces and smart contracts. Attackers often guide users to click on malicious links or buttons, deceiving them into approving hidden malicious transactions, and in some cases, directly tricking users into revealing their private keys. Once users sign these malicious transactions or expose their private keys, attackers can easily transfer the users' assets to their own accounts.

Common means include:

  1. Counterfeit front ends of well-known projects: Attackers carefully imitate the official websites of well-known projects, creating seemingly legitimate front-end interfaces that lead users to mistakenly believe they are interacting with a trusted project.

  2. Token airdrop scams: Attackers widely promote phishing websites on social media, claiming to offer "free airdrops", "early presales", "free NFT minting", and other highly attractive opportunities to lure victims into clicking the links.

  3. Fake hacker incidents and reward scams: Claiming that a well-known project has suffered a hacker attack or asset freeze and is now offering compensation or rewards to users, luring them to phishing websites.

Inferno Drainer's Loot-Sharing Method

On May 21, 2024, Inferno Drainer published a signature verification message on Etherscan announcing its return, and created a new Discord channel. We analyzed the transactions of one of the phishing addresses and found the following distribution pattern:

  1. Inferno Drainer creates a contract through CREATE2.

  2. The created contract is called to approve the victim's tokens to the phishing address (the buyer of the Inferno Drainer service) and the loot address.

  3. Tokens are transferred in different proportions to two profit-sharing addresses and the buyer to complete the distribution.

In a specific case, the buyer who purchased the phishing service took away 82.5% of the illicit funds, while Inferno Drainer retained 17.5%.
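
For defenders, the split described above leaves a recognizable shape in token transfer records. The following is an added detection sketch, not code from the original analysis: it assumes transfers have already been exported as simple records (the field names `tx`, `token`, `from`, `to`, `amount` are hypothetical) and uses the article's 10%-20% commission range as a triage filter, which will also match some legitimate fee splits.

```python
from collections import defaultdict
from fractions import Fraction

# Commission band taken from the article (10%-20%); using it as a filter is an assumption.
COMMISSION_BAND = (Fraction(10, 100), Fraction(20, 100))

def find_commission_splits(transfers, band=COMMISSION_BAND):
    """Flag transactions in which one source's tokens are split among several
    recipients and everyone except the largest recipient together receives a
    share inside `band` (the service operator's cut)."""
    groups = defaultdict(lambda: defaultdict(int))
    for t in transfers:
        # Compare addresses case-insensitively; sum repeated transfers.
        key = (t["tx"], t["token"].lower(), t["from"].lower())
        groups[key][t["to"].lower()] += t["amount"]

    hits = []
    for (tx, token, source), by_recipient in groups.items():
        total = sum(by_recipient.values())
        if len(by_recipient) < 2 or total == 0:
            continue  # a single recipient is an ordinary transfer
        largest, largest_amount = max(by_recipient.items(), key=lambda kv: kv[1])
        commission = 1 - Fraction(largest_amount, total)
        if band[0] <= commission <= band[1]:
            hits.append({
                "tx": tx, "token": token, "source": source,
                "largest_recipient": largest,
                "commission": commission,
                "commission_recipients": sorted(a for a in by_recipient if a != largest),
            })
    return hits

# Constructed sample data (placeholder addresses and hashes, not real on-chain values).
VICTIM, BUYER = "0x" + "11" * 20, "0x" + "22" * 20
FEE_A, FEE_B = "0x" + "33" * 20, "0x" + "44" * 20
TOKEN = "0x" + "aa" * 20
SAMPLE_TRANSFERS = [
    {"tx": "0xtx1", "token": TOKEN, "from": VICTIM, "to": BUYER, "amount": 825_000},
    {"tx": "0xtx1", "token": TOKEN, "from": VICTIM, "to": FEE_A, "amount": 100_000},
    {"tx": "0xtx1", "token": TOKEN, "from": VICTIM, "to": FEE_B, "amount": 75_000},
    {"tx": "0xtx2", "token": TOKEN, "from": VICTIM, "to": BUYER, "amount": 500},  # single payee
    {"tx": "0xtx3", "token": TOKEN, "from": BUYER, "to": FEE_A, "amount": 500},   # 50/50 split
    {"tx": "0xtx3", "token": TOKEN, "from": BUYER, "to": FEE_B, "amount": 500},
]

if __name__ == "__main__":
    for hit in find_commission_splits(SAMPLE_TRANSFERS):
        print(hit["tx"], float(hit["commission"]), hit["commission_recipients"])
```

A hit is a lead for manual review of the source address and its prior approvals, not proof of theft.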

Simple Steps to Create a Phishing Website

With the help of "scam as a service", it has become extremely easy for attackers to create a phishing website:

  1. Enter the communication channel provided by Drainer and use simple commands to create a free domain name and IP address.

  2. Choose one from the hundreds of available templates and install it.

  3. Wait for the victim to enter the website and connect their wallet to approve the malicious transaction.

The entire process only takes a few minutes, greatly reducing the cost of crime.

Security Recommendations

In the face of increasingly rampant phishing attacks, users should remain highly vigilant:

  • Do not trust "pie in the sky" promotions, such as suspicious free airdrops or compensations.
  • Carefully check the website URL before connecting your wallet, and be cautious of websites that imitate well-known projects.
  • Protect private information: do not provide mnemonic phrases or private keys to suspicious websites.
  • Carefully check whether Permit or Approve operations are involved before approving the transaction.
  • Pay attention to security alert information and promptly address potential authorization risks.
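
The Permit/Approve check recommended above can be automated before a request reaches the signing prompt. This is an added example, not code from the original article: it recognizes the standard ERC-20/ERC-721 approval selectors in transaction calldata and EIP-2612 `Permit` typed-data requests only (other permit schemes are not covered), and the `trusted` allow-list and sample values are assumptions.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of the standard approval-granting calls.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def _finding(kind, spender, amount, trusted):
    warnings = []
    if kind.startswith("setApprovalForAll"):
        if amount:
            warnings.append("operator access to every token in the collection")
    elif amount == MAX_UINT256:
        warnings.append("unlimited allowance")
    if spender.lower() not in trusted:
        warnings.append("spender not on trusted list")
    return {"kind": kind, "spender": spender.lower(), "amount": amount,
            "warnings": warnings}

def review_calldata(data_hex, trusted=frozenset()):
    """Return a finding if transaction calldata grants an approval, else None.
    `trusted` is a set of lowercase spender addresses the user already vetted."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    kind = APPROVAL_SELECTORS.get(raw[:4].hex())
    if kind is None:
        return None
    if len(raw) < 4 + 64:
        raise ValueError("approval calldata is truncated")
    spender = "0x" + raw[16:36].hex()            # low 20 bytes of argument word 1
    amount = int.from_bytes(raw[36:68], "big")   # argument word 2: amount or bool
    return _finding(kind, spender, amount, trusted)

def review_typed_data(typed, trusted=frozenset()):
    """Return a finding if an EIP-712 signing request is an EIP-2612 Permit.
    A Permit is signed off-chain, so the signer never sees it as calldata."""
    if typed.get("primaryType") != "Permit":
        return None
    msg = typed["message"]
    value = msg["value"]
    amount = int(value, 0) if isinstance(value, str) else int(value)
    return _finding("Permit (off-chain signature)", msg["spender"], amount, trusted)

# Constructed sample requests (placeholder spender, not a real address).
SPENDER = "0x" + "ab" * 20
APPROVE_MAX = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
SET_ALL = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
PLAIN_TRANSFER = "0xa9059cbb" + "00" * 12 + "ab" * 20 + "00" * 31 + "64"
PERMIT = {"primaryType": "Permit",
          "message": {"owner": "0x" + "11" * 20, "spender": SPENDER,
                      "value": str(MAX_UINT256), "nonce": 0, "deadline": 1893456000}}
```

Any non-empty `warnings` list is a reason to stop and verify the spender against the project's published contract addresses before signing.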

In the cryptocurrency world, staying vigilant and continuously learning is key to protecting asset security.

Comments

HappyMinerUncle · 07-21 17:39
What to do if it's stolen? Keep mining.

GmGnSleeper · 07-20 22:23
I'm really scared of this kind of trick.

retroactive_airdrop · 07-19 01:07
See who is playing the snake

ThesisInvestor · 07-19 01:03
Let's see which pitfalls newbies avoid.

CryptoPunster · 07-19 01:01
Suckers Evolution: Play people for suckers once and lose for two years.

LightningLady · 07-19 00:58
These scammers are so despicable, I really want to team up to catch them.

NFTRegretful · 07-19 00:57
The lesson of sucker blood.

GasFeeNightmare · 07-19 00:49
Squatting until dawn to study the rates, trending on the local gas card.