The Industrialization of Phishing in the Crypto World: Revealing the Operating Models of Scam-as-a-Service and Inferno Drainer


The Industrialization of Phishing Attacks in the Crypto World: Unveiling the Scam-as-a-Service Ecosystem

Since June 2024, security teams have detected a large number of similar phishing transactions; in June alone the amount involved exceeded 55 million USD. Entering August and September, related phishing activity became more frequent and more intense. Across the third quarter of 2024, phishing was the attack method causing the largest economic losses, with over 243 million USD taken in 65 attack incidents. Analysis indicates that the recent wave of phishing attacks is likely linked to the notorious phishing toolkit team Inferno Drainer. The team announced its "retirement" at the end of 2023 but now appears to be active again, launching a series of large-scale attacks.

This article analyzes the typical methods used by phishing gangs such as Inferno Drainer and Nova Drainer and details their behavioral characteristics, with the aim of helping users improve their ability to recognize and prevent phishing scams.


Scam-as-a-Service Concept

In the crypto world, some phishing teams have created a new malicious model called Scam-as-a-Service. This model packages scam tools and services and offers them to other criminals as a commodity, with Inferno Drainer being a representative example. Between November 2022 and November 2023, when it first announced the closure of its service, the amount it scammed exceeded $80 million.

Inferno Drainer helps buyers launch attacks quickly by providing ready-made phishing tools and infrastructure, including phishing website front ends and back ends, smart contracts, and social media accounts. Phishers who purchase the service keep the majority of the ill-gotten gains, while Inferno Drainer charges a commission of 10%-20%. This model significantly lowers the technical barrier to scamming, making cybercrime more efficient and scalable and leading to a surge in phishing attacks within the crypto industry, especially against users who lack security awareness.


How Scam-as-a-Service Works

A typical decentralized application (DApp) consists of a front-end interface and smart contracts on the blockchain. The user connects to the DApp's front end through a blockchain wallet; the front-end page generates the corresponding blockchain transaction and sends it to the user's wallet. The user then signs the transaction in the wallet, and once signed, the transaction is broadcast to the blockchain network and invokes the corresponding smart contract to execute the requested function.

Phishing attackers cleverly induce users to perform unsafe operations by designing malicious front-end interfaces and smart contracts. Attackers typically guide users to click on malicious links or buttons, deceiving them into approving hidden malicious transactions, or even directly tricking users into leaking their private keys. Once users sign these malicious transactions or expose their private keys, attackers can easily transfer user assets to their own accounts.

Common methods include:

  1. Counterfeit front ends of well-known projects: Attackers meticulously imitate the official websites of well-known projects, creating seemingly legitimate front-end interfaces that lead users to believe they are interacting with a trustworthy project, lowering their guard, connecting their wallets, and executing unsafe operations.

  2. Token airdrop scams: Phishing websites are heavily promoted on social media, claiming to have enticing opportunities such as "free airdrops," "early presales," and "free NFT minting," luring victims to click on links. Once victims are attracted to the phishing sites, they often unknowingly connect their wallets and approve malicious transactions.

  3. Fake hacking incidents and reward scams: Criminals claim that a well-known project is distributing compensation or rewards to users due to a hacking attack or asset freeze. They attract users to phishing websites through these false emergencies, tricking them into connecting their wallets and ultimately stealing their funds.

Inferno Drainer and other Scam-as-a-Service providers have completely eliminated the technical barriers to phishing scams, creating and hosting phishing websites for buyers who lack the corresponding skills, and extracting their profit from the proceeds of the scams.


The Looting Method of Inferno Drainer and Scam-as-a-Service Buyers

On May 21, 2024, Inferno Drainer publicly posted a signed verification message on Etherscan, announcing its return and opening a new Discord channel.

By analyzing a typical transaction, we can understand how Inferno Drainer operates:

  1. Inferno Drainer creates a contract through CREATE2. CREATE2 is an Ethereum Virtual Machine instruction for creating smart contracts that allows the contract address to be pre-computed from the contract bytecode and a fixed salt. Inferno Drainer uses this feature to pre-compute the loot contract address for each phishing-service buyer, and then deploys the loot contract only after the victim has taken the bait, completing the token transfer and looting.

  2. Calls the created contract to approve the victim's tokens to the phishing address (the buyer of the Inferno Drainer service) and the loot address. The attacker, through phishing, leads the victim to unknowingly sign a malicious Permit2 message. Permit2 allows users to authorize token transfers with an off-chain signature instead of an on-chain approval transaction sent from the wallet.

  3. Transfers different amounts of tokens to the two loot addresses and the buyer to complete the split. In a typical transaction, the buyer receives 82.5% of the loot, while Inferno Drainer keeps 17.5%.

It is worth noting that by creating the contract only just before the loot is split, Inferno Drainer can to some extent circumvent the anti-phishing features of some wallets, because the contract does not yet exist at the moment the victim approves the malicious transaction.
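As an added example that is not part of the original article, the following Python computes a CREATE2 address exactly as EIP-1014 defines it (the deployer address enters the hash alongside the salt and the hash of the init code), with a self-contained Keccak-256 so it runs offline. It illustrates the point above: the address an approval names is fully determined before any code exists there, so a wallet heuristic of the form "does the spender have code?" sees nothing at signing time. It also includes a small forensic helper, `matches_create2_preimage` (a name chosen here, not from the article), that lets an analyst confirm whether a later-deployed contract belongs to a known deployer/salt/init-code triple. The deployer, salt and init code used in the demo are constructed placeholders.

```python
# Added example (not from the original article): pure-Python Keccak-256 plus the
# CREATE2 address derivation of EIP-1014, to show why a "loot" contract address
# is known before the contract exists on chain. Demo values are constructed.

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants (iota step)
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

# Rotation offsets for the rho step, lane index = x + 5*y, generated from the
# specification's (x, y) -> (y, 2x + 3y) walk instead of being typed in by hand.
ROT = [0] * 25
_x, _y = 1, 0
for _t in range(24):
    ROT[_x + 5 * _y] = ((_t + 1) * (_t + 2) // 2) % 64
    _x, _y = _y, (2 * _x + 3 * _y) % 5


def _rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f(a):
    """The 24-round Keccak-f[1600] permutation over 25 little-endian 64-bit lanes."""
    for rnd in range(24):
        # theta: mix each lane with the parity of two neighbouring columns
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate every lane and move it to its new position
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x + 5 * y])
        # chi: the only non-linear step, applied along rows
        a = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]
        # iota: break symmetry with the round constant
        a[0] ^= RC[rnd]
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (0x01 domain padding) as used by Ethereum; not NIST SHA3-256."""
    rate = 136  # bytes absorbed per permutation for a 256-bit digest
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80  # pad10*1: final bit of the last block
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])


def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> str:
    """EIP-1014: address = keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code))[12:]."""
    if len(deployer) != 20 or len(salt) != 32:
        raise ValueError("deployer must be 20 bytes and salt 32 bytes")
    digest = keccak256(b"\xff" + deployer + salt + keccak256(init_code))
    return "0x" + digest[12:].hex()


def matches_create2_preimage(spender: str, deployer: bytes, salt: bytes, init_code: bytes) -> bool:
    """Forensic check (hypothetical helper): does an observed spender address equal the
    CREATE2 address of a known deployer/salt/init-code triple?"""
    return spender.lower() == create2_address(deployer, salt, init_code)


if __name__ == "__main__":
    # Constructed placeholders: a hypothetical deployer, a salt and a trivial init
    # code. None of these are real drainer artefacts.
    deployer = bytes.fromhex("aa" * 20)
    salt = (1).to_bytes(32, "big")
    init_code = bytes.fromhex("6000")  # PUSH1 0, a placeholder init code
    addr = create2_address(deployer, salt, init_code)
    print("loot contract would be deployed at", addr)
    print("at signing time no code exists there, so a 'spender has code?' check sees nothing")
```

The address printed by the demo is the same whether or not the deployment has happened; the deployer can therefore place it in the victim's approval first and deploy the contract in the same transaction that drains the tokens.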


Simple Steps to Create a Phishing Website

With the help of SaaS, it has become extremely easy for attackers to create phishing websites:

  1. Enter the communication channel provided by the Drainer and use simple commands to create a free domain name and a corresponding IP address.

  2. Choose one of the hundreds of templates provided and go through the installation process; a few minutes later, a convincing phishing website has been generated.

  3. Find the victims. Once someone enters the website, believes the fraudulent information on the page, and connects their wallet to approve the malicious transaction, their assets will be transferred.

The entire process takes only a few minutes, significantly reducing the cost of crime.


Summary and Prevention Recommendations

The return of Inferno Drainer poses a serious security risk to users across the industry. Users need to stay vigilant when participating in cryptocurrency trading and keep the following points in mind:

  • Beware of windfalls: Do not trust any suspicious free airdrop or compensation; trust only official websites or projects that have undergone professional audits.

  • Check the link: Carefully check the URL before connecting your wallet, and be wary of websites that mimic well-known projects. You can use a WHOIS domain lookup to check the registration date; a domain registered only very recently may belong to a fraudulent project.

  • Protect private information: Never submit your mnemonic phrase or private key to a suspicious website or application. Before your wallet signs a message or approves a transaction, check carefully whether it involves a Permit or Approve that could lead to loss of funds.

  • Stay informed about scams: Follow official social media accounts that regularly post warnings. If you have inadvertently authorized tokens to a scam address, revoke the approval promptly or move the remaining assets to another secure address.
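The advice to check whether a signature request "involves a Permit or Approve", together with the malicious Permit2 message described in the looting steps above, can be turned into a concrete pre-signing check. The Python below is an added example (not code from the article or from any wallet vendor): it triages a signing request and reports why it is risky, covering both shapes the article names, an EIP-712 typed-data Permit (Permit2 PermitSingle and PermitBatch, ERC-2612 Permit) and approve()/setApprovalForAll() calldata. The trusted-spender list, the "current time" and the sample requests are constructed; the Permit2 contract address in the sample domain is the canonical Permit2 deployment, while the spender and token addresses are placeholders.

```python
# Added example (not from the original article): pre-signing triage of a wallet
# request. Handles EIP-712 Permit-style typed data and approve()/setApprovalForAll()
# calldata. Samples, spender allow-list and timestamp are constructed placeholders.
import json

MAX_UINT160 = (1 << 160) - 1
DAY = 86_400
# Function selectors: first 4 bytes of keccak256 of the function signature
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
# EIP-712 primaryType values whose signature, once relayed, authorises token movement
PERMIT_TYPES = {"Permit", "PermitSingle", "PermitBatch",
                "PermitTransferFrom", "PermitBatchTransferFrom"}

# Constructed allow-list: the single spender this user expects to approve (placeholder)
TRUSTED_SPENDERS = {"0x" + "22" * 20}
NOW = 1_725_000_000  # constructed "current time" for the samples (late August 2024)


def _rank(findings):
    """Any approval is worth a look (medium); unlimited or unknown spender is high."""
    tags = {f.split(":")[0] for f in findings}
    if tags & {"unlimited_amount", "unknown_spender", "blanket_collection_approval"}:
        return "high"
    return "medium" if findings else "low"


def _permit_details(primary, msg, domain):
    """Normalise the (token, amount, expiration) entries of the supported Permit structs."""
    if primary == "PermitSingle":
        return [msg["details"]]
    if primary == "PermitBatch":
        return list(msg["details"])
    if primary == "Permit":  # ERC-2612: the token is the verifying contract itself
        return [{"token": domain.get("verifyingContract"), "amount": msg.get("value", 0),
                 "expiration": msg.get("deadline", 0)}]
    return []  # other permit types are still flagged above, just not itemised


def triage_typed_data(typed_data, trusted, now):
    """Inspect an eth_signTypedData (EIP-712) request."""
    primary = typed_data.get("primaryType", "")
    findings = []
    if primary in PERMIT_TYPES:
        msg = typed_data.get("message", {})
        findings.append(f"permit_signature:{primary}")
        spender = str(msg.get("spender", "")).lower()
        if spender not in trusted:
            findings.append(f"unknown_spender:{spender}")
        for d in _permit_details(primary, msg, typed_data.get("domain", {})):
            if int(d["amount"]) >= MAX_UINT160:  # "infinite" for uint160 or uint256
                findings.append(f"unlimited_amount:{d.get('token')}")
            if int(d["expiration"]) - now > 30 * DAY:
                findings.append("long_lived_approval")
    return {"risk": _rank(findings), "findings": findings}


def triage_calldata(data_hex, trusted):
    """Inspect eth_sendTransaction calldata for approve()/setApprovalForAll()."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    findings = []
    selector, words = data[:8], [data[i:i + 64] for i in range(8, len(data), 64)]
    if selector in (SEL_APPROVE, SEL_SET_APPROVAL_FOR_ALL) and len(words) >= 2:
        spender = "0x" + words[0][24:]  # address is right-aligned in its 32-byte word
        kind = "approve" if selector == SEL_APPROVE else "set_approval_for_all"
        findings.append(f"{kind}:{spender}")
        if spender not in trusted:
            findings.append(f"unknown_spender:{spender}")
        value = int(words[1], 16)
        if selector == SEL_APPROVE and value >= MAX_UINT160:
            findings.append("unlimited_amount")
        if selector == SEL_SET_APPROVAL_FOR_ALL and value == 1:
            findings.append("blanket_collection_approval")  # hands over a whole NFT collection
    return {"risk": _rank(findings), "findings": findings}


def triage_signing_request(request, trusted=TRUSTED_SPENDERS, now=NOW):
    """Entry point: EIP-712 JSON (dict or str) or transaction calldata (hex str)."""
    if isinstance(request, str) and request.lstrip().startswith("{"):
        request = json.loads(request)
    if isinstance(request, dict):
        return triage_typed_data(request, trusted, now)
    return triage_calldata(request, trusted)


# Constructed sample: a Permit2 PermitSingle as a drainer page might present it.
# The domain uses Permit2's real deployment address; spender and token are placeholders.
# Unlimited amount plus a maximal uint48 expiration is the typical shape.
SAMPLE_PERMIT_SINGLE = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1,
               "verifyingContract": "0x000000000022D473030F116dDEE9F6B43aC78BA3"},
    "message": {
        "details": {"token": "0x" + "11" * 20, "amount": str(MAX_UINT160),
                    "expiration": (1 << 48) - 1, "nonce": 0},
        "spender": "0x" + "bad0" * 10,
        "sigDeadline": NOW + 3600,
    },
}
# Constructed sample: approve(trusted_spender, 2**256 - 1) calldata
SAMPLE_APPROVE_CALLDATA = "0x" + SEL_APPROVE + "00" * 12 + "22" * 20 + "ff" * 32

if __name__ == "__main__":
    for req in (SAMPLE_PERMIT_SINGLE, SAMPLE_APPROVE_CALLDATA):
        print(json.dumps(triage_signing_request(req)))
```

The sample Permit2 request is rated high for three independent reasons (unknown spender, unlimited amount, expiration far in the future), which is the signature of the drainer flow described above: a single off-chain signature that never appears as an approve transaction in the wallet's history. The approve sample shows that even a trusted spender is rated high when the allowance is unlimited, which is the case the "revoke the approval promptly" advice is aimed at.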
