NOIDA: If you are also one of those people who copy and paste e-wallet addresses during fund transfers on their smartphones or computers, here’s the latest scam which has come to the fore and this article details how you can avoid falling prey to this new tactic of scammers.
In technical lingo, this new method of fraud is called “Address Poisoning” and was recently highlighted by cryptocurrency e-wallet firm MetaMask.
“Address poisoning is an attack vector that, in contrast to other scams — which often use methods that have served many scammers so well, such as unlimited token approvals, phishing for your Secret Recovery Phrase, etc. — relies on user carelessness and haste above all else,” it said in an advisory to users.
On the one hand, this method is rather innocuous compared to other scam types. However, it can just as easily result in a loss of funds, it stated.
According to the advisory, your wallet includes one or more accounts, each of which has its own cryptographically-generated address. These are long hexadecimal numbers, meaning they use both numerical and (a few) alphabetical characters. This is a trait that makes them unintelligible to most people, and — critically — very, very difficult to remember.
“This is why, supported by most web3 software, you have most likely come to rely on copying and pasting addresses, rather than memorizing them and typing them out. This saves a lot of time and ensures, generally, you don’t make any mistakes, and that your funds always go to the right address,” it stated.
MetaMask itself falls into this category of facilitating copy-and-paste of address.
How It Works?
Address poisoning speculatively exploits this copy-and-paste tendency. You send a regular, everyday, nothing-to-see-here transaction to a friend, according to the MetaMask advisory.
The scammer, who has software that monitors transfers of certain tokens (usually stablecoins), notices. They use a ‘vanity’ address generator (there are many accessible with a quick web search) to create an address that closely matches yours (sometimes, it’ll match your friend’s).
Since they’re so long, crypto wallet addresses are typically shortened. You might see the first lot of characters only, or sometimes you may see the initial 5-10 or so and the final 5-10 or so, skipping the middle. This is how most people recognize addresses: not by knowing every single character, but by becoming familiar with the start and finish. This is the tendency that address poisoning preys on, it cautioned users.
“The scammer sends a transaction of negligible value from another account to the dummy one they created, that closely matches yours. Usually these are transfers of zero tokens. With this, they’ve poisoned your wallet,” it noted.
“Since their dummy address looks so similar to yours, it’s entirely possible that, the next time you need your address, you might inadvertently copy their address from your transaction history and paste it elsewhere. Naturally, if you paste their address by accident, you’ll send funds to them and not yourself. And since on-chain transactions like this are immutable (cannot be altered once confirmed), the lost funds will be irretrievable,” the firm added.
And that’s it: all they’re hoping for is that you copy the wrong address from your transaction history in your wallet.
How To Protect Oneself?
First off: there’s no way of stopping people — including scammers — from sending transactions to your address. These are public blockchains we’re interacting with, so anyone, anywhere can do as they please.
What we can help, though, is whether we fall victim to the scam by copying the address. This is a tricky one, and awareness is important: even those who consider themselves relatively thorough — and double-check the start and/or end of an address before they copy it — can become victims here.
Above all: check and double-check addresses before you send. This is self-explanatory. Although it’s relevant for any transaction, make particularly sure the address is correct if the assets you’re sending have considerable value to you. Checking every single character is the only way to be completely safe.
Avoid copying addresses from your transaction history, and, if you do, check them very carefully. This goes for both transaction history in your wallet, such as MetaMask, as well as for history shown on the block explorer.
Equally, this advice applies to your own address (e.g. if you’re moving funds from a centralized exchange to your MetaMask, and need to copy your MetaMask address) as much as it does the addresses of others to whom you may be sending funds.
Use a hardware wallet. Hardware wallets generally require you to check and confirm any address you’re sending to before allowing you to complete a transaction. Though it’s possible to fall victim to this scam regardless even with this feature, this prompt may help you develop a habit of continual scrutiny of any address you use.
Add frequently used addresses to your address book.
Consider using test transactions. This involves sending a nominal amount of funds to an address to confirm it’s correct before you proceed with a larger transaction. Naturally, this requires gas fees to be paid for two transactions, so depending on the gas price at the time, it may not be appealing.
Address poisoning involves scammers sending transactions of no value to your account from an address that’s very similar to your own.
Their hope is that you will then absent-mindedly copy this address from your transaction history in future. You or whoever you’re passing your address onto will then send tokens directly to them, and not to the correct address.
Develop a habit of thoroughly checking every single character of an address before you send a transaction. This is the only way to be completely sure you’re sending to the right place.
Follow The420.in on