How Phishing Websites Look Legit and Bypass Alerts

Table of Contents
Phishing websites in the Web3 space have become increasingly sophisticated, causing significant financial losses for users. These sites trick users into signing transactions that transfer tokens to scammers' accounts. To combat this, Web3 wallets have implemented security measures, such as blacklisting known phishing accounts. However, scammers continue to develop methods to bypass these defenses. This article explores how phishing websites evade wallet security alerts, focusing on the strategies they use and how users can protect themselves.

I. Overview

Web3 Phishing

Phishing has long been a prevalent issue in the digital world, but with the advent of Web3 and decentralized finance (DeFi), phishing tactics have evolved. Web3 phishing involves creating malicious websites that mimic legitimate platforms, such as cryptocurrency exchanges or wallet providers, to deceive users into revealing their private keys or signing fraudulent transactions. These deceptive sites often have URLs and interfaces that closely resemble those of authentic services, making it difficult for users to distinguish between genuine and fraudulent sites.
Phishing attacks in the Web3 ecosystem can be particularly devastating because once a user's private key is compromised or a malicious transaction is signed, the funds can be immediately and irreversibly transferred to the attacker's account. Unlike traditional financial systems, where transactions can sometimes be reversed or stopped, blockchain transactions are final and immutable. This makes the prevention of phishing attacks crucial.

Impact on Users and the Role of Security Wallets

The financial and emotional impact of Web3 phishing attacks on users is significant. Many victims lose substantial amounts of cryptocurrency, which can amount to life savings for some. The decentralized nature of blockchain technology means there is often no central authority to turn to for help, leaving users with little recourse once an attack has occurred.
To mitigate these risks, many Web3 wallets have integrated advanced security features designed to protect users from phishing attacks. These wallets aim to create a secure environment for users to store and manage their digital assets. One of the primary methods employed by these wallets is the implementation of a blacklist mechanism. This system proactively blocks transactions and access to known phishing accounts and websites.
Security wallets like MetaMask, Trust Wallet, and others play a critical role in safeguarding users. They do this by:
1. Domain Blacklisting: Maintaining a list of known phishing websites and preventing users from accessing these sites. When a user attempts to visit a site, the wallet checks the URL against its blacklist and denies access if a match is found.
2. Account Blacklisting: Keeping a database of known malicious wallet addresses. Before a transaction is signed, the wallet checks if the recipient's address is blacklisted. If it is, the transaction is blocked, preventing users from inadvertently sending funds to a scammer.
3. Transaction Warnings: Providing alerts and warnings when a user is about to interact with a potentially malicious address or contract. These warnings prompt users to double-check the details of their transactions, adding an extra layer of security.
source: blocsec
Despite these measures, scammers continually adapt their strategies to bypass security protocols. This ongoing battle between wallet developers and attackers necessitates continuous improvements in security mechanisms to stay ahead of phishing threats.

II. Wallet Security Alert Mechanisms

To protect users from phishing attacks, Web3 wallets have implemented various security alert mechanisms. These mechanisms are designed to detect and block interactions with known phishing sites and accounts, thereby preventing fraudulent transactions. Here, we explore the different components of wallet security alert mechanisms and how they function to safeguard users.

Identifying Phishing Websites

One of the primary functions of Web3 wallets is to identify and block phishing websites. This is achieved through a combination of automated and manual processes:
- Automated Detection: Web3 wallets employ algorithms and machine learning models to scan the internet for new and emerging phishing sites. These algorithms analyze website URLs, content, and metadata to identify potential threats.
- Community Reporting: Users and security researchers can report suspicious websites to wallet providers. Once verified, these sites are added to the blacklist.

Domain and Account Blacklisting

Blacklisting is a crucial tool in the fight against phishing attacks. Web3 wallets maintain extensive lists of known phishing domains and malicious wallet addresses. These blacklists are continuously updated to include new threats. The blacklisting process involves:
- Domain Blacklisting: When a user attempts to visit a website, the wallet checks the URL against its blacklist. If the domain is found on the list, access is blocked, and the user is alerted to the potential danger. This prevents users from interacting with phishing sites that can steal their credentials or trick them into signing fraudulent transactions.
- Account Blacklisting: Similar to domain blacklisting, account blacklisting involves checking the recipient's wallet address before a transaction is signed. If the address is blacklisted, the transaction is blocked, protecting the user from sending funds to a scammer. This feature is especially important in preventing authorized transactions that might seem legitimate but are actually fraudulent.

Example of Security Systems: MetaMask

MetaMask is a popular Web3 wallet known for its robust security features. It exemplifies how wallet security alert mechanisms work in practice:
- Real-Time Alerts: MetaMask provides real-time alerts to users when they interact with potentially malicious sites or accounts. These alerts are based on an up-to-date blacklist that includes known phishing domains and wallet addresses.
- Phishing Detection: MetaMask employs advanced phishing detection algorithms that analyze user interactions and website behaviors. If a site exhibits characteristics of a phishing site, MetaMask warns the user and blocks access.
- User Education: MetaMask also focuses on educating users about phishing risks. It provides tips and best practices for safely navigating the Web3 ecosystem, such as verifying URLs and being cautious with unknown sites and transactions.

Enhancing User Security

In addition to blacklisting, Web3 wallets implement several other features to enhance user security:
- Two-Factor Authentication (2FA): Some wallets offer 2FA to add an extra layer of security. This requires users to verify their identity using a second method, such as a code sent to their mobile device, before completing a transaction.
- Secure Sign-In Options: Wallets may offer secure sign-in options, such as biometric authentication (fingerprint or facial recognition) or hardware wallets, which provide an additional layer of protection.
- Transaction Simulation: Before a transaction is signed, some wallets simulate the transaction to show users exactly what will happen. This helps users understand the potential outcomes and identify any unexpected or suspicious behavior.
These comprehensive security alert mechanisms and features are vital in protecting users from phishing attacks and ensuring the safe management of their digital assets. However, as phishing tactics continue to evolve, ongoing enhancements and user vigilance remain essential.

III. Phishing Strategies

Despite the robust security mechanisms implemented by Web3 wallets, scammers continuously develop sophisticated strategies to bypass these defenses. This section delves into the primary methods phishing websites use to evade wallet security alerts and deceive users.

Leveraging Create2 to Evade Detection

Create2 Opcode Explained
The Create2 opcode in Ethereum is a powerful tool that allows for the prediction of contract addresses before they are deployed on the blockchain. Unlike the traditional method of generating contract addresses, which depends on the sender's address and the nonce, Create2 uses a formula that includes the deployer's address, the contract's bytecode, and a salt value. This method allows developers (and scammers) to know the address of a contract in advance.
This predictive capability is particularly useful for phishing schemes. By knowing the contract address ahead of time, scammers can execute their plans more stealthily, as the address can be anticipated but not blacklisted until the contract is actually deployed.
Predicting Contract Addresses
The ability to predict contract addresses using Create2 is exploited by scammers in several steps:
1. Preparation: The scammer prepares the bytecode of the phishing contract and selects a deployer address and a unique salt value.
2. Prediction: Using the Create2 formula, the scammer calculates the future address of the contract.
3. Setup: The phishing website prompts users to send ETH or approve tokens to an Externally Owned Account (EOA) associated with the scammer. This EOA is not blacklisted because the contract does not yet exist on the blockchain.
4. Deployment: Once the user has sent funds or approved the transaction, the scammer deploys the contract using Create2. The pre-calculated address is now active.
5. Execution: The phishing contract immediately transfers the stolen tokens to another account controlled by the scammer, often through a series of internal transactions to obfuscate the trail.
Example: Phalcon Explorer Demonstration
A clear example of this tactic can be seen in an analysis provided by Phalcon Explorer. In this scenario:
- Initial Approval: The phishing website prompts the user to approve token transfers to a seemingly benign address (e.g., 0x0ddb).
- Deployment and Transfer: After the user approves the transaction, the scammer initiates a phishing transaction that consists of two internal transactions. The first internal transaction deploys the phishing contract using the predicted Create2 address. The second internal transaction immediately invokes the phishing contract to transfer the victim's tokens to another account.
This sequence allows the scammer to effectively bypass blacklist mechanisms, as the contract address only appears on the blockchain after the funds have been compromised.

Frequent Deployment of Phishing Contracts

Exploiting Blacklist Update Delays
Another strategy scammers use to bypass security alerts is the frequent deployment of new phishing contracts. This method exploits the delay between the deployment of a new contract and its detection and addition to blacklists maintained by security wallets.
Scammers deploy new phishing contracts daily or even multiple times a day. This rapid deployment ensures that at any given time, some of these contracts will not yet be blacklisted, allowing them to evade detection temporarily and trick users into interacting with them.
Example: Pink Drainer Case Study
The Pink Drainer is an illustrative example of this tactic. An analysis by Phalcon Explorer revealed that the Pink Drainer scam involved a contract with a deploy function (e.g., 0x5d77) that was invoked daily to deploy new phishing contracts. This constant creation of new contracts ensured that the phishing addresses stayed ahead of blacklist updates, making it difficult for security systems to keep up and block these contracts in time.
By frequently deploying new phishing contracts, scammers create a moving target for security systems, significantly increasing the chances of successfully deceiving users.

IV. Analysis and Implications

Effectiveness of Phishing Strategies

The strategies employed by scammers, such as leveraging Create2 and frequent deployment of phishing contracts, have proven to be highly effective. These methods exploit inherent limitations in the current security mechanisms of Web3 wallets, allowing scammers to bypass blacklists and carry out their attacks. The ability to predict contract addresses using Create2 enables scammers to prepare in advance, making their schemes more efficient and difficult to detect. Furthermore, the rapid deployment of new phishing contracts ensures that at least some of these malicious addresses remain unlisted and capable of deceiving users.

Challenges in Updating Blacklists

One of the significant challenges in combating phishing attacks is the delay in updating blacklists. Blacklists rely on the identification and reporting of malicious addresses and domains, a process that takes time. Scammers exploit this time lag to their advantage by deploying new contracts faster than they can be detected and blacklisted. This creates a persistent challenge for security wallets, as they must continuously update their blacklists to keep pace with the ever-evolving tactics of scammers.
Additionally, the decentralized nature of blockchain technology means that there is no single authority responsible for maintaining and updating blacklists. Instead, this responsibility is distributed across multiple wallet providers, exchanges, and security firms, leading to potential inconsistencies and gaps in coverage.

Security Gaps and User Vulnerabilities

The sophisticated strategies used by phishing websites reveal several security gaps and user vulnerabilities:
1. Predictive Attacks: The use of Create2 for predictive attacks exposes a fundamental weakness in the address generation process. Since contract addresses can be predicted before deployment, it is challenging to blacklist them preemptively.
2. Rapid Deployment: The frequent deployment of new phishing contracts highlights the limitations of current blacklist mechanisms. These mechanisms struggle to keep up with the speed at which new phishing addresses are created and used.
3. User Awareness: Despite the presence of security features, users remain the most vulnerable link in the chain. Many users are unaware of the risks associated with signing transactions or approving token transfers on unfamiliar websites. This lack of awareness and vigilance makes it easier for scammers to execute their schemes.
4. Automated Attacks: The automation of phishing attacks, where the entire process from deployment to fund transfer occurs quickly and without manual intervention, reduces the window of opportunity for detection and intervention.

Implications for the Web3 Ecosystem

The effectiveness of these phishing strategies has several implications for the Web3 ecosystem:
- Increased Risk: As phishing tactics become more sophisticated, the risk to users and their assets increases. This heightened risk may deter new users from entering the Web3 space, slowing the adoption of decentralized technologies.
- Need for Innovation: The continuous evolution of phishing tactics necessitates ongoing innovation in security measures. Wallet providers and security firms must develop more advanced detection and prevention techniques to stay ahead of scammers.
- Collaboration: Improved collaboration between different entities in the Web3 ecosystem, including wallet providers, exchanges, and security researchers, is crucial. Sharing information about new threats and updating blacklists in real-time can enhance the overall security of the ecosystem.
- User Education: Enhancing user education and awareness about phishing risks is essential. Users must be equipped with the knowledge and tools to identify and avoid phishing attempts.

V. Recommendations

Best Practices for Users

To protect themselves from phishing attacks, users should adopt the following best practices:
- Verify URLs: Always double-check the URL of the website before entering sensitive information or approving transactions. Look for misspellings or unusual domain names.
- Use Trusted Wallets: Use reputable wallets with robust security features and keep them updated to benefit from the latest protections.
- Enable Two-Factor Authentication: Where possible, enable two-factor authentication to add an extra layer of security to your accounts.
- Be Cautious with Approvals: Be wary of approving token transfers or signing transactions on unfamiliar websites. Verify the legitimacy of the site and the transaction details.
- Educate Yourself: Stay informed about the latest phishing tactics and security best practices. Follow trusted sources for updates on new threats and protective measures.

Verifying Transaction Details

Before signing any transaction, users should:
- Review the Recipient Address: Ensure that the recipient address matches the intended destination.
- Check the Amount: Verify that the amount being sent is correct.
- Understand the Transaction: Be clear on what the transaction entails. If something seems off or unexpected, investigate further before proceeding.

Summary of Findings

- Phishing tactics in the Web3 space are becoming increasingly sophisticated.
- Create2 allows scammers to predict contract addresses, making it easier to bypass blacklists.
- Frequent deployment of new phishing contracts exploits the delays in blacklist updates.
- Users remain the most vulnerable link and need to be more vigilant and informed.
- Collaboration and innovation in security measures are crucial to combating these threats.

Future Trends and Security Enhancements

Looking ahead, several trends and potential security enhancements could help address the challenges posed by phishing attacks:
- AI and Machine Learning: Leveraging AI and machine learning to detect phishing attempts more accurately and swiftly.
- Decentralized Blacklists: Developing decentralized blacklists that can be updated in real-time by multiple entities, enhancing the speed and coverage of phishing protection.
- Advanced User Education: Implementing more comprehensive educational programs and resources to help users recognize and avoid phishing threats.
- Improved Transaction Simulations: Enhancing transaction simulation features to give users a clearer understanding of the potential outcomes of their transactions.


Phishing websites in the Web3 space pose a significant threat to users, exploiting sophisticated strategies to bypass security mechanisms. By understanding these tactics and adopting best practices, users can better protect themselves and their assets. Continuous innovation and collaboration within the Web3 ecosystem are essential to staying ahead of scammers and ensuring a secure environment for all users.

About Orochi Network

Orochi Network is a cutting-edge zkOS (An operating system based on zero-knowledge proof) designed to tackle the challenges of computation limitation, data correctness, and data availability in the Web3 industry. With the well-rounded solutions for Web3 Applications, Orochi Network omits the current performance-related barriers and makes ways for more comprehensive dApps hence, becoming the backbone of Web3's infrastructure landscape.
Event Recap
Monthly Report
Verifiable Random Function
Zero-Knowledge Proofs
Top Posts
Partnership Announcement
Layer 2
Event Recap
Immutable Ledger
Verifiable Random Function
Zero-Knowledge Proofs
Multisignature Wallet

Orosign Wallet

Manage all digital assets safely and securely from your mobile devices

zkDatabaseDownload Orosign Wallet
Coming soon

zkOS for Web3

© 2021 Orochi