Etherscan Archives | Protos
https://protos.com/tag/etherscan/

DuckDuckGo and Bing users warned of Etherscan phishing website
https://protos.com/duckduckgo-and-bing-users-warned-of-etherscan-phishing-website/
Wed, 11 Sep 2024 12:32:47 +0000

The Etherscan phishing site appears as the second result on both DuckDuckGo and Bing and can be spotted by an oddly placed dash.

The post DuckDuckGo and Bing users warned of Etherscan phishing website appeared first on Protos.


A phishing website posing as the Ethereum search tool Etherscan has been spotted on search engines DuckDuckGo and Bing as one of the first Etherscan search results.

Scam Sniffer flagged the Etherscan phishing site today and warned users on X (formerly Twitter) that, “Your assets could be at risk from a simple mistake. Stay safe and alert!” 

The phishing site utilizes the same logo as Etherscan and describes the basics of the tool. DuckDuckGo and Bing also list the phishing site as the second search result just below the legitimate Etherscan site.

The fake site can be spotted by the extra dash in its web address, which rewrites “etherscan” as “et-herscan.”

Scam Sniffer told Protos that the site uses a crypto phishing kit called “Angel Drainer,” which was previously deployed in a “supply chain attack on Ledger’s frontend components.”


The security firm also highlighted the problem of phishing websites and noted that someone lost almost $521,000 to a fake permit signature crypto scam. On the other end of the scale, the FBI reported this week that crypto scams and fraud made over $5.6 billion in 2023, a 45% increase from the year before.

Crypto exchange OKX and AI blockchain security firm Veritas Protocol also warned users to make sure they identify websites properly. Veritas Protocol said, “Phishing sites can look very convincing, and it’s easy to make a mistake.”

“Always double-check URLs before clicking, especially when handling crypto assets. Stay safe out there and always verify that you’re using the official site!”

Update September 11, 14:39 UTC: Included details about the type of crypto drainer Scam Sniffer found in the fake Etherscan site.

Here’s how Etherscan says token transfers can be spoofed
https://protos.com/heres-how-etherscan-says-token-transfers-can-be-spoofed/
Tue, 11 Jul 2023 11:07:40 +0000

Etherscan admitted last year that its labels are often incorrect and that the 'transferFrom' function of ERC-20 tokens can be easily spoofed.

The post Here’s how Etherscan says token transfers can be spoofed appeared first on Protos.


Last year, Etherscan admitted a big problem with how it labels token transfers, namely that ‘From’ labels are easy to spoof.

Spoofing is when someone disguises a sender’s information to fool victims into believing that they’re interacting with a trusted source. Spoofed ERC-20 token transfers look similar to legitimate ones, with names and symbols that look identical to their legitimate counterparts. However, they involve a completely different token.

Often, the contract address and the date on which the token was first minted are the only ways to distinguish between the real and spoofed transfers.

A common tactic adopted by scammers is to promise an airdrop and then disappear with victims’ ETH once they’ve purchased the fake token. Besides stealing ETH, scammers can use spoof tokens to redirect investors to phishing sites and steal funds after they authorize access to their MetaMask.

In other cases, traders will tag an address belonging to a whale or influencer whom they believe can be trusted. Falling for the spoof, these traders will notice that the address seemingly participates in a transaction involving a brand-new token. These traders might buy that token thinking it might be up-and-coming and subsequently lose all their money. 

In addition, it’s possible to spam Etherscan’s token transfer section using fake or worthless token transfers to drown out any attempt to read a wallet’s legitimate activities.

“Any arbitrary address to be the sender”

To be clear, spoofers can make almost any wallet on Etherscan appear to have sent a token, even if its owner didn’t make a transfer. As Harith Kamarul wrote on Etherscan’s own blog, “The ERC-20 standard transfer and ‘transferFrom’ functions can be modified to allow any arbitrary address to be the sender of tokens, as long as this is specified within the smart contract, resulting in a token being transferred from a different address than the one that initiated the transaction.”

Etherscan recommends savvy researchers verify token transfers by inspecting information associated with the transaction hash. In a typical spoof, the ‘From’ address that appears to have initiated the transaction will not be the same as the actual ‘From’ address for the token transfer.
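
The comparison described above, as an added example (not code from Protos or Etherscan): it decodes ERC-20 Transfer logs from a receipt shaped like JSON-RPC eth_getTransactionReceipt output and flags any log whose 'from' differs from the transaction sender or whose token contract is not on a known-token list. Every address, the sample receipt and the known-token list are constructed assumptions.

```python
# ERC-20 Transfer(address,address,uint256) event signature hash (topic 0).
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; the low 20 bytes are the address.
    return "0x" + topic[-40:].lower()

def decode_transfers(receipt):
    """Yield (token_contract, src, dst, value) for each ERC-20 Transfer log."""
    for log in receipt["logs"]:
        topics = log["topics"]
        # ERC-721 reuses this signature with a fourth topic, so require exactly 3.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        yield (log["address"].lower(), topic_to_address(topics[1]),
               topic_to_address(topics[2]), int(log["data"], 16))

def review_transfers(tx, receipt, known_tokens):
    """Return the Transfer logs that need manual review, with the reasons."""
    sender = tx["from"].lower()
    findings = []
    for token, src, dst, value in decode_transfers(receipt):
        reasons = []
        if src != sender:
            reasons.append("log 'from' differs from the transaction sender")
        if token not in known_tokens:
            reasons.append("token contract is not on the known-token list")
        if reasons:
            findings.append({"token": token, "from": src, "to": dst,
                             "value": value, "reasons": reasons})
    return findings

# Constructed sample data (not real chain records).
def _pad(addr):
    return "0x" + "0" * 24 + addr[2:]

INITIATOR = "0x" + "aa" * 20      # account that signed the transaction
WELL_KNOWN = "0x" + "bb" * 20     # wallet the spoofed log names as sender
REAL_TOKEN = "0x" + "11" * 20     # contract the analyst already trusts
LOOKALIKE = "0x" + "22" * 20      # same name and symbol, different contract
RECIPIENT = "0x" + "cc" * 20
KNOWN_TOKENS = {REAL_TOKEN}
SAMPLE_TX = {"from": INITIATOR}
SAMPLE_RECEIPT = {"logs": [
    {"address": REAL_TOKEN, "data": hex(5 * 10**18),
     "topics": [TRANSFER_TOPIC, _pad(INITIATOR), _pad(RECIPIENT)]},
    {"address": LOOKALIKE, "data": hex(1000),
     "topics": [TRANSFER_TOPIC, _pad(WELL_KNOWN), _pad(RECIPIENT)]},
]}
```

Calling review_transfers(SAMPLE_TX, SAMPLE_RECEIPT, KNOWN_TOKENS) returns only the second log. A sender mismatch on its own is a prompt to inspect the token contract, not proof of spoofing, because contracts also move tokens for holders who granted them an allowance.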


Etherscan flags some of the most obvious spoofs

Etherscan has been trying to clean up spoofing and spam. For instance, there’s at least one token that Etherscan now recognizes as a fake zkSync token. The spoofers behind it used the ‘transferFrom’ function to try to fool people into thinking Vitalik Buterin had received and sent that token.

A spoofer fakes a token transfer by Vitalik Buterin.

Etherscan has also added a public name tag to addresses used by verified dApps that often send legitimate bulk token transfers.

Etherscan is also working on a Token Ignore List, which can hide ERC-20, ERC-721, and ERC-1155 transfers and balances. Users can also opt into ignoring any tokens that Etherscan has flagged as suspicious or fake.

Etherscan is still unable to entirely prevent spoofed token transfers from displaying on Ethereum’s most popular block explorer. Indeed, avoiding spoofing requires a closer inspection of each transaction hash to verify token transfers that appear to come from well-known influencers like whales or even Buterin himself.
