Scammers are making thousands of dollars through blockchain typosquatting

The crypto revolution is in full force following Donald Trump’s re-election. But those looking to send and receive crypto will have to beware of so-called “typosquatting” scams, or risk losing thousands of dollars. A new study by researchers at Stony Brook University analyzed the prevalence with which scammers exploit tiny typos to trick people into sending sums to crypto wallets that falsely pretend to be attached to individuals. The typosquatting scams take advantage of issues with Blockchain Naming Systems (BNS), which allow users to type in a word-based address, similar to a website URL, to send crypto to, rather than having to use the complicated series of digits and letters that are traditionally associated with crypto wallets. “People have popularized their domain names on their Twitter accounts,” says Muhammad Muzammil, a Ph.D. candidate at Stony Brook University and lead author of the study. Looking at 5 million BNS domain names and 200 million transactions on three major BNS platforms, including Ethereum Name Service (ENS), Unstoppable Domains (UD), and ADA Handles (ADAH) on the Ethereum, Polygon, and Cardano blockchains, the researchers found more than 25,000 squatting domains. Around 37% of the most popular legitimate names on Ethereum’s ENS service were targeted by typosquatting. Many of the typo-based accounts targeted public figures, such as Vitalik Buterin, the cofounder of Ethereum. For instance, scammers could register names like “vitalyk.eth” or “v-italik.eth” in place of “vitalik.eth.” Buterin was a major target of scammers looking to piggyback on his popularity: The researchers identified 74 typo variants of his official BNS domain, with a single typo BNS domain—fitalik.eth—netting scammers more than $33,000. Not every domain was as successful as vitalik.eth, however. The average victim of the typosquatting scam sent around $1,790 in cryptocurrency to a wallet they didn’t intend to, though some typo variants were highly effective. For instance, one scammer-owned domain targeted by six different typo variations collected funds from over 1,100 users into a single wallet. “It’s in the thousands, on average, which is obviously alarming,” explains Muzammil. He points out that the way the researchers chose the BNS names to analyze and look at means this won’t be the full picture of the level of scams taking place across the BNS. “These type of squatting attacks are very common in traditional DNS as well,” says Muzammil. “Popular domain names, such as google.com, facebook.com, attackers are known to generate typos in order to capitalize on user typos that make their way into day-to-day browsing.” But on the traditional domain name system (DNS), which redirects users who type in URLs like fastcompany.com to the IP address at which the website is actually hosted, it’s more possible to track scammers and where they go. “Here they are directly losing funds to someone they don’t even know and they can’t even track due to the nature of the blockchain,” says Muzammil. “You’re just sending a transaction from one address to another, and you can’t even ask for your money back.” The use of this typosquatting technique is a development that worries Alan Woodward, a cybersecurity professor at the University of Surrey. “My concern with anything as ubiquitous and rapid as name resolution is that blockchain technology is not known for either its speed or scalability,” says Woodward, who wasn’t involved in the study. “I find myself asking what problem [BNS] solves.” Such scams have grown over time as crypto has become more mainstream, the researchers found. The number of registered typosquatting domains has increased significantly since 2021, coinciding with cryptocurrency prices peaking until their recent record-breaking highs. Most of the scam domains discovered were registered within the first 100 days of a legitimate domain becoming popular—suggesting there’s a race among criminals to try and secure the most lucrative typo-based domains first to capitalize on confusion. The researchers also tested major cryptocurrency wallets like Coinbase, MetaMask, and others to see if they offered any warnings against sending money to an incorrect, typosquatting domain. They found no wallets proactively flagged suspicious domain names, allowing people to send money without realizing. Muzammil and his colleagues propose in the paper that wallet providers ought to implement protective measures, such as notifying users if they are sending funds to a domain that closely resembles previously used addresses. “A defense strategy for this could be on the digital wallet, where they could implement some security measures to stop this from happening,” says Muzammil, who points out that the BNS is not by default any more or less safe than any other system. “I think that with the right security measures, I think that it can be a safe area to exchange funds,” he says.

Tomas Kauer - News Moderator Tomas Kauer - News Moderator
Nov 21, 2024 - 07:00
Scammers are making thousands of dollars through blockchain typosquatting
The crypto revolution is in full force following Donald Trump’s re-election. But those looking to send and receive crypto will have to beware of so-called “typosquatting” scams, or risk losing thousands of dollars. A new study by researchers at Stony Brook University analyzed the prevalence with which scammers exploit tiny typos to trick people into sending sums to crypto wallets that falsely pretend to be attached to individuals. The typosquatting scams take advantage of issues with Blockchain Naming Systems (BNS), which allow users to type in a word-based address, similar to a website URL, to send crypto to, rather than having to use the complicated series of digits and letters that are traditionally associated with crypto wallets. “People have popularized their domain names on their Twitter accounts,” says Muhammad Muzammil, a Ph.D. candidate at Stony Brook University and lead author of the study. Looking at 5 million BNS domain names and 200 million transactions on three major BNS platforms, including Ethereum Name Service (ENS), Unstoppable Domains (UD), and ADA Handles (ADAH) on the Ethereum, Polygon, and Cardano blockchains, the researchers found more than 25,000 squatting domains. Around 37% of the most popular legitimate names on Ethereum’s ENS service were targeted by typosquatting. Many of the typo-based accounts targeted public figures, such as Vitalik Buterin, the cofounder of Ethereum. For instance, scammers could register names like “vitalyk.eth” or “v-italik.eth” in place of “vitalik.eth.” Buterin was a major target of scammers looking to piggyback on his popularity: The researchers identified 74 typo variants of his official BNS domain, with a single typo BNS domain—fitalik.eth—netting scammers more than $33,000. Not every domain was as successful as vitalik.eth, however. The average victim of the typosquatting scam sent around $1,790 in cryptocurrency to a wallet they didn’t intend to, though some typo variants were highly effective. For instance, one scammer-owned domain targeted by six different typo variations collected funds from over 1,100 users into a single wallet. “It’s in the thousands, on average, which is obviously alarming,” explains Muzammil. He points out that the way the researchers chose the BNS names to analyze and look at means this won’t be the full picture of the level of scams taking place across the BNS. “These type of squatting attacks are very common in traditional DNS as well,” says Muzammil. “Popular domain names, such as google.com, facebook.com, attackers are known to generate typos in order to capitalize on user typos that make their way into day-to-day browsing.” But on the traditional domain name system (DNS), which redirects users who type in URLs like fastcompany.com to the IP address at which the website is actually hosted, it’s more possible to track scammers and where they go. “Here they are directly losing funds to someone they don’t even know and they can’t even track due to the nature of the blockchain,” says Muzammil. “You’re just sending a transaction from one address to another, and you can’t even ask for your money back.” The use of this typosquatting technique is a development that worries Alan Woodward, a cybersecurity professor at the University of Surrey. “My concern with anything as ubiquitous and rapid as name resolution is that blockchain technology is not known for either its speed or scalability,” says Woodward, who wasn’t involved in the study. “I find myself asking what problem [BNS] solves.” Such scams have grown over time as crypto has become more mainstream, the researchers found. The number of registered typosquatting domains has increased significantly since 2021, coinciding with cryptocurrency prices peaking until their recent record-breaking highs. Most of the scam domains discovered were registered within the first 100 days of a legitimate domain becoming popular—suggesting there’s a race among criminals to try and secure the most lucrative typo-based domains first to capitalize on confusion. The researchers also tested major cryptocurrency wallets like Coinbase, MetaMask, and others to see if they offered any warnings against sending money to an incorrect, typosquatting domain. They found no wallets proactively flagged suspicious domain names, allowing people to send money without realizing. Muzammil and his colleagues propose in the paper that wallet providers ought to implement protective measures, such as notifying users if they are sending funds to a domain that closely resembles previously used addresses. “A defense strategy for this could be on the digital wallet, where they could implement some security measures to stop this from happening,” says Muzammil, who points out that the BNS is not by default any more or less safe than any other system. “I think that with the right security measures, I think that it can be a safe area to exchange funds,” he says.