Blockchain security firm SlowMist has cautioned about a surge in phishing attacks carried out by impostors posing as journalists on the recently launched decentralized social network friend.tech.

It was first flagged on October 14, when Twitter user Masiwei reported a malicious code targeting friend.tech for account theft. As per the SlowMist Security Team’s investigation, the link shared by the attacker included a malicious JavaScript script.

Attacking Process

According to SlowMist’s findings, the malicious script specifically targeted friend.tech users, with a focus on Key Opinion Leaders (KOLs) who, due to their popularity, were likely to receive interview invitations. The attacker adopted a strategy of following people within the target’s Twitter network, creating a false sense of community when users visited the attacker’s Twitter page.

The modus operandi involved scheduling interviews, guiding users to join Telegram for the interview, and providing an outline. Users, believing the interaction to be legitimate, participated in a two-hour interview with apparent hosts, anticipating publication on a reputable news website.

Post-interview, the attacker requested users to fill out a form and open a provided phishing link under the pretext of verification. The link, claiming to prevent impersonation, instructed users to verify their friend.tech account by dragging a “Verify” button to the bookmark bar and clicking on it after visiting the friend.tech website.

Upon opening the bookmark, which contained the malicious JavaScript script, users unknowingly exposed their friend.tech account credentials, including the password (2FA) and tokens associated with the embedded wallet Privy. This posed a significant risk, as both the user’s friend.tech account and the related funds were susceptible to theft.

“Our founder, Cos, also emphasized the severity of such attacks. If your independent password, i.e., the 2FA for friend.tech, is stolen, and you have set up information related to friend.tech and its embedded wallet Privy (including other relevant information in localStorage), then your private key plaintext can also be stolen.”

At this stage, the account becomes essentially unusable unless friend.tech is willing to provide the victim with a new private key and its associated wallet address.

Measures to Prevent Phishing Attacks

The rampant social engineering attacks and phishing scams have wreaked havoc in the Web3 space, particularly because they are rapidly evolving. SlowMist said the victim in this incident, who was just practicing English speaking skills, ended up having all their funds on friend.tech stolen. However, the firm detailed certain measures that help identify potential attacks.

These involve increasing awareness of social engineering attacks, refraining from clicking on unfamiliar links, and learning methods to recognize phishing links (such as checking for misspellings or excessive punctuation in domain names and ensuring they match with official domains). SlowMist further encouraged users to install anti-phishing plugins.

This isn’t the first time friend.tech users have had their digital assets stolen.

Last month, prominent on-chain investigator ZachXBT reported that friend.tech users were targeted by SIM card manipulation. Days later, the team behind the platform introduced the 2FA password feature to improve user security, protecting against SIM-swap attacks.