The Industrialization of Phishing Attacks: Unveiling the Scam-as-a-Service Ecosystem in the Encryption World

In the third quarter of 2024, phishing attacks have become the most damaging attack method, with over $243 million gained from 65 attack actions. Security teams analyze that the recent surge in phishing attacks may be related to the notorious phishing tool team Inferno Drainer. This team had announced its "retirement" at the end of 2023, but now seems to be active again, carrying out a series of large-scale attacks.

This article will analyze the typical methods used by phishing attack groups and detail their behavioral characteristics to help users improve their ability to recognize and prevent phishing scams.

Scam-as-a-Service concept

In the encryption world, phishing teams have invented a new malicious model called Scam-as-a-Service. This model packages scam tools and services, providing them in a commoditized way to other criminals. Inferno Drainer is a typical representative in this field, with scam amounts exceeding $80 million from November 2022 to November 2023.

Inferno Drainer provides buyers with ready-made phishing tools and infrastructure, including phishing website front and back end, smart contracts, and social media accounts, helping them to quickly launch attacks. Phishers who purchase the service retain most of the ill-gotten gains, while Inferno Drainer charges a commission of 10%-20%. This model significantly lowers the technical threshold for scams, making cybercrime more efficient and scalable, leading to a proliferation of phishing attacks in the encryption industry.

Scam-as-a-Service Operating Mechanism

Phishing attackers cleverly induce users to perform unsafe actions by designing malicious front-end interfaces and smart contracts. They typically guide users to click on malicious links or buttons, deceiving users into approving hidden malicious transactions, or even directly tricking users into revealing their private keys. Once users sign these malicious transactions or expose their private keys, attackers can easily transfer the users' assets to their own accounts.

Common phishing methods include:

1. Counterfeiting well-known project frontends: Attackers meticulously imitate the official websites of well-known projects, creating seemingly legitimate frontend interfaces.

2. Token Airdrop Scam: Promoting opportunities like "free airdrops", "early presales", and "free NFT minting" on social media to lure victims into clicking links.

3. Fake hacking incidents and reward scams: Claiming that a well-known project has suffered a hacking attack or asset freeze, and is compensating or rewarding users.

The Profit Distribution Mechanism of Inferno Drainer

Inferno Drainer creates a loot-sharing contract using CREATE2, leveraging Permit2 to transfer the victim's tokens and complete the loot-sharing with the buyer. In a typical case, the buyer receives 82.5% of the loot, while Inferno Drainer retains 17.5%.

Simple Steps to Create a Phishing Website

With the help of Scam-as-a-Service, attackers can easily create phishing websites:

1. Enter the communication channel that provides services and use simple commands to create free domain names and IP addresses.
2. Select one from the provided template for quick installation.
3. Wait for the victim to enter the website and connect their wallet.

The entire process only takes a few minutes, greatly lowering the technical barrier for attackers.

Prevention Suggestions

To prevent such attacks, users should:

• Do not believe in any "pie in the sky" promotions.
• Carefully check the URL before connecting your wallet, and be wary of websites that imitate well-known projects.
• Protect your mnemonic phrase and private keys, and be cautious when signing and approving transactions.
• Pay attention to the warning information issued by security agencies and take protective measures in a timely manner.

The industrialization trend of phishing attacks highlights the security challenges faced by the encryption world. Users must remain highly vigilant, and project parties should also strengthen security measures to jointly maintain the healthy development of the encryption ecosystem.