By Eli Rabadon
Social engineering is the art of manipulating people into willingly giving up confidential information or performing actions. It is one of the most effective techniques cybercriminals use to make victims divulge sensitive information, which can then be used to obtain further personal data and eventually steal from them. This technique was used against a member of Axie Infinity's staff, who was tricked into sharing his screen. With a few clicks, the scammers gained access to the staff member's account.
The attacker then created a fake Axie Infinity branded webpage and spammed the link on all of Axie Infinity's Discord announcement channels, announcing an exclusive sale. 155 players clicked the link and attempted to buy Axies; the sale was a scam.
The malicious smart contract was designed in a simple way: it opened when users clicked the malicious link.
A smart contract is a computer program or transaction protocol intended to automatically execute, control, or document legally relevant events and actions according to the terms of a contract or agreement.
Axie Infinity also reminded users that "those who interacted with the smart contract lost the money they sent. Their seed phrases were NOT compromised. Nonetheless, we recommend that everyone who interacted with the smart contract go to https://etherscan.io/tokenapprovalchecker and revoke access to this site immediately."
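As an added illustration (not code from the article or from Axie Infinity), the "revoke access" step recommended above is, on-chain, an ERC-20 `approve(spender, 0)` call that sets the scam contract's allowance on your tokens back to zero. The function selectors are the standard ERC-20 ones; the spender address is a constructed placeholder, not the real scam contract.

```python
# Added example, not the article's or Axie Infinity's code. Builds and inspects the
# ERC-20 calldata behind "revoke access": approve(spender, 0). Pure Python, no RPC.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # keccak256("approve(address,uint256)")[:4]
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # keccak256("allowance(address,address)")[:4]
MAX_UINT256 = 2**256 - 1

# Constructed placeholder spender; NOT the real scam contract address.
SPENDER = "0x" + "11" * 20

def _addr(hex_addr: str) -> bytes:
    """ABI-encode an address: 20 raw bytes left-padded to a 32-byte word."""
    raw = bytes.fromhex(hex_addr[2:] if hex_addr.startswith("0x") else hex_addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")

def _uint(n: int) -> bytes:
    """ABI-encode a uint256 as a big-endian 32-byte word."""
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")

def allowance_calldata(owner: str, spender: str) -> bytes:
    """eth_call payload to read how much `spender` may still move from `owner`."""
    return ALLOWANCE_SELECTOR + _addr(owner) + _addr(spender)

def approve_calldata(spender: str, amount: int) -> bytes:
    """Transaction data for approve(spender, amount) on the token contract."""
    return APPROVE_SELECTOR + _addr(spender) + _uint(amount)

def revoke_calldata(spender: str) -> bytes:
    """The revocation itself: approve(spender, 0) clears the allowance."""
    return approve_calldata(spender, 0)

def decode_approve(calldata: bytes):
    """Return (spender, amount) for an approve() call, else None.
    Handy for checking what a wallet prompt is really asking you to sign."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()          # drop the 12 padding bytes
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount

def is_unlimited_approval(calldata: bytes) -> bool:
    """True when the call grants the spender the maximum uint256 allowance."""
    decoded = decode_approve(calldata)
    return decoded is not None and decoded[1] == MAX_UINT256
```

The decoded spender is returned as plain lowercase hex without the EIP-55 checksum; compare it case-insensitively against the address shown on the approval checker.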
Axie Infinity assured users that the company takes security seriously and is committed to:
- Reimbursing everyone who lost their funds due to this announcement. No need to report if you lost funds – we are scanning the blockchain directly.
- Reducing the number of people who can tag everyone on the Discord server.
- Contacting Discord and assisting them in addressing this security flaw.
- Reviewing security practices with all team members.
Here is how the attack unfolded, based on Axie Infinity's statement, as explained by @0xInuarashi on his Twitter account.
1) Firstly, the scammer will join the server with a new, burner account (or I guess, they could be an existing account) and frame you to the mods as a scammer. They will send your Discord ID for the mod to ban, so it's you who gets banned instead of the scammer.
2) Then, once you are banned from the server (because they social engineered the mod to do so), they will contact you as an impersonator of the moderator. They will contact you in order to get you unbanned, but you need to prove to them that you are innocent.
3) They will ask you to remote desktop or screen share to show that you are innocent. They will have you press CTRL+SHIFT+I to view the console, and then show them your authentication token in Discord's console.
4) If you send them that, basically your account is compromised and they will be free to use your account however they want, including scamming your own community using your account.
5) Watch out, be safe, and never let anyone open your Discord console.