Security Research

Social Engineering Bot Showcase

August 9, 2022


This series highlights exceptional and novel Detection Bots built by the community. By highlighting individual bots' use cases in both generic and niche security scenarios, the Bot Showcase series demonstrates real-life applications where real-time monitoring matters. Because Forta is modular and highly customizable, Detection Bots can solve a host of problems that Web3 developers face. To build your own bots, refer to Forta's docs or try Forta's no-code tool, Bot Wizard.

This showcase centers on the Social Engineering Bot.

Bot ID: 0xee275019391109f9ce0de16b78e835c261af1118afeb1a1048a08ccbf67c3ea8

The Problem

Social engineering and spoofing are common problems across DeFi; everyday users experience a wide variety of these attacks. Frontends are a weak point for DeFi because they can be attacked and spoofed far more easily than the contracts behind them. A recent trend is for an attacker to set up a frontend that looks identical to the spoofed project's UI and ask the user to sign a transaction that approves or interacts with a malicious contract.

The Attack Vector 

In a social engineering attack, an attacker tricks a user into signing transactions that hand the attacker control over the user's digital assets. For example, the attacker deploys a contract that imitates a legitimate one and lures the user into sending funds to, or granting a token approval to, the attacker's contract instead. Because many wallets truncate addresses and display only the first and last few characters, the attacker can make the imitation convincing by deploying the malicious contract at an address whose leading and trailing characters match those of the legitimate contract. Contract addresses are not chosen freely, but they are derived deterministically (from the deployer address and nonce for CREATE, or from the deployer, a salt and the init code hash for CREATE2), so an attacker can simply iterate over salts or deployer keys until the derived address matches the characters a user will see.

The Solution

This Detection Bot monitors transactions for contract creations and checks each newly created contract's address against a list of known legitimate contract addresses. If the new address is similar to an address on that list, the bot emits a Forta alert, so an attempt to spoof a legitimate address with a lookalike contract is surfaced at the moment the contract is deployed, before any victim interacts with it. An alert is a lead rather than proof of malice: an unrelated deployment can resemble a listed address by chance, so the creator address and the contract's source should be checked during triage.

In Real Life

In June, an unverified contract asked users to approve it via a Convex Finance website. This contract was not a Convex Finance contract, even though it shared the same first and last four characters as the expected verified Convex contract. The unverified contract issued a signature request while impersonating Convex's contract; this type of social engineering attack is known as ice phishing. Once a user approved it, the impersonating contract transferred the user's funds directly to an attacker-owned address.

How the Detection Bot Works

The Social Engineering Bot detects whether a newly created contract's address resembles that of an existing, known contract. Specifically, it fires an alert when a contract creation is detected whose address shares its first three and last three characters with a contract on the bot's list of legitimate addresses. Comparing the leading and trailing characters targets exactly the part of the address that a truncated wallet display shows the user. This bot runs on all chains supported by Forta.
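To make the check in "The Solution" and the paragraph above concrete, here is an added example of the lookalike logic run over constructed transaction events. It is not the Forta bot's own code: the event shape (a dict with "hash", "from", "to", "contractAddress" and a "traces" list) and the Finding class are assumptions made for this example, standing in for the SDK's TransactionEvent and Finding types. Legitimate addresses are bucketed by their (prefix, suffix) key so each creation costs one dictionary lookup, and addresses are normalized so checksummed and lowercase spellings compare equal.

```python
# Added example: the 3+3 lookalike check over constructed events. Not Forta's code.
from dataclasses import dataclass
from typing import Dict, List, Tuple

PREFIX_LEN = 3   # hex characters compared at the start of the address (after 0x)
SUFFIX_LEN = 3   # hex characters compared at the end of the address

HEX = set("0123456789abcdef")


def normalize(address: str) -> str:
    """Lowercase, strip 0x, and reject anything that is not 20 bytes of hex."""
    a = address.lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or set(a) - HEX:
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return a


def similarity_key(address: str) -> Tuple[str, str]:
    a = normalize(address)
    return a[:PREFIX_LEN], a[-SUFFIX_LEN:]


def build_index(legit: Dict[str, str]) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Bucket legitimate contracts (name -> address) by their visible prefix/suffix."""
    index: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for name, addr in legit.items():
        index.setdefault(similarity_key(addr), []).append((name, normalize(addr)))
    return index


@dataclass(frozen=True)
class Finding:                      # assumed stand-in for the SDK's Finding
    tx_hash: str
    creator: str
    new_contract: str
    impersonated_name: str
    impersonated_address: str


def created_contracts(tx_event: dict) -> List[str]:
    """Top-level creation (to is None) plus internal CREATE/CREATE2 calls from traces."""
    created = []
    if tx_event.get("to") is None and tx_event.get("contractAddress"):
        created.append(tx_event["contractAddress"])
    for trace in tx_event.get("traces", []):
        address = trace.get("result", {}).get("address")
        if trace.get("type") == "create" and address:
            created.append(address)
    return created


def handle_transaction(tx_event: dict, index) -> List[Finding]:
    findings = []
    for new_addr in created_contracts(tx_event):
        new_norm = normalize(new_addr)
        for name, legit_norm in index.get(similarity_key(new_addr), []):
            if new_norm == legit_norm:
                continue            # the listed contract itself, not a lookalike
            findings.append(Finding(tx_event["hash"], tx_event["from"],
                                    "0x" + new_norm, name, "0x" + legit_norm))
    return findings


# Constructed sample data (no real contracts or transactions).
LEGIT_CONTRACTS = {
    "ExampleVault": "0xAbC" + "1" * 34 + "dEf",   # checksum-style mixed case
}

SAMPLE_EVENTS = [
    {   # lookalike deployed directly: shares "abc" and "def" with ExampleVault
        "hash": "0x" + "01" * 32, "from": "0x" + "22" * 20, "to": None,
        "contractAddress": "0xabc" + "0" * 34 + "def", "traces": []},
    {   # ordinary call to an unrelated contract: nothing created, no finding
        "hash": "0x" + "02" * 32, "from": "0x" + "33" * 20, "to": "0x" + "44" * 20,
        "contractAddress": None, "traces": []},
    {   # factory deploying via CREATE2 inside a call: address comes from the trace
        "hash": "0x" + "03" * 32, "from": "0x" + "55" * 20, "to": "0x" + "66" * 20,
        "contractAddress": None,
        "traces": [{"type": "create", "result": {"address": "0xABC" + "9" * 34 + "DEF"}}]},
    {   # matches only the prefix: below the 3+3 threshold, no finding
        "hash": "0x" + "04" * 32, "from": "0x" + "77" * 20, "to": None,
        "contractAddress": "0xabc" + "0" * 37, "traces": []},
]


def run(events=SAMPLE_EVENTS, legit=LEGIT_CONTRACTS) -> List[Finding]:
    index = build_index(legit)
    return [f for ev in events for f in handle_transaction(ev, index)]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Trace-level creations matter because a phishing contract is often deployed by a factory inside an ordinary call, where the transaction's "to" field is set and only the internal CREATE2 reveals the new address. With three characters on each side the key space is 16^6 (about 16.7 million) buckets, so chance collisions against a short allowlist are rare but not impossible, which is why the alert should feed triage rather than an automatic block.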

How you can use the Detection Bot

Protocols and individuals can subscribe to alerts from this generic bot using the Bot ID given above.

Watch a Live-Code Walkthrough

https://www.youtube.com/watch?v=PYi32PMNjqc
