Today we chat about “Mr. Inferno” vs Blur.io. Drainers and another evolution.
If you are unfamiliar with “wallet drainers”, I will briefly introduce the topic. In this article, I dismissed some implied credit for research into Inferno Drainer but here I am with some of my own ideas. Last night, I found a browser extension that can be attributed to Inferno or one of his many customers. I will not share the extension to avoid encouraging users to “test it”. There was a victim who “accidentally” clicked, so no more links for you all.
clean link: https://mirror.xyz/0xsaiyangod.eth/hZ9PSMNTt0VQTyt2a3wMX9hy2EHevxfiAEMshVkQpaM
Phishing attacks attempt to solicit important information from you. This could be your password, pet name, nickname, bank account numbers and more. There are different types of phishing, such as smishing or vishing; today we focus on spam links being sent that want your digital assets.
Wallet Drainers are specifically after your NFTs, ETH and more. With the promise of “free mints” and airdrops from influential projects like BAYC or CryptoPunks, you are enticed to “Connect Wallet”. What most of the community was unaware of is exactly what happens when you claim a fake token or get an obscure error after accepting the signature.
You have to read the article here to see some graphics:
I ignored the warning from Wallet Guard to see behind the page. F12 is your friend and so am I. You can guess what happens next. Someone will send out a tweet much like this: “It finally happened, I don’t know what I clicked, I lost everything”. Shortly after, you will find accounts like ScamSniffer, Metasleuth or Certik tweeting out various alerts that known scammers such as Inferno or Pink, have made off with high value assets.
Mr. Inferno has been on the scene for a few months now. The short story here is meant to introduce a new attack vector. The latest wave of phishing links were targeted at the Arkham Intel airdrop; Inferno's customers may see potential to snipe ARKM from users. While I was focusing on being tagged in similar scams by tweet mentions, a new trick emerged that targeted Blur specifically. With the help of some fellow researchers, I found Inferno using a browser extension on the Google Store.
One of my colleagues asked last night about the safety of an extension. Myself and
took a look and determined this was an attempt to have community members install something malicious. It's a variant of the P2E scams where they trick you into downloading malware, except this one lives in the browser, so your antivirus is POSSIBLY NOT meant to catch it. This browser extension is specifically designed to work on Blur.io: the needed contents are loaded by the extension into the page once it loads. If you are not visiting Blur.io with the extension running, you will not see what's being discussed in this article. The developer(s) go by “Degen Devs”, who seem to want to impersonate the Wallet Guard team. Without too many more details, the interesting part of this is the use of an image tag with the “onerror” attribute set: the image request fails, and the error handler is what runs the injected JavaScript in the page.
image request generates error
error causes some JS to execute
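As an added example (not code from this post, the extension, or Blur.io), here is a small scanner for the injection pattern just described: an image element whose “onerror” attribute runs script once the image request fails. The sample markup and the loadPayload and connectWallet names are constructed for illustration.

```javascript
// Added example, not from the original post. Scans raw HTML text for inline
// event handlers and flags the <img onerror=...> pattern an extension can
// inject into a page. Runs offline in Node; in a browser the same check can
// be applied to document.documentElement.outerHTML or inside a
// MutationObserver callback to catch nodes added after load.
// Mitigation note: a page Content-Security-Policy whose script-src omits
// 'unsafe-inline' refuses to run inline handlers, even ones injected later.

const TAG = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const EVENT_ATTR = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns one finding per inline event handler found in the markup.
function findInlineHandlers(html) {
  const findings = [];
  let tagMatch;
  TAG.lastIndex = 0;
  while ((tagMatch = TAG.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    const attrs = tagMatch[2];
    let attrMatch;
    EVENT_ATTR.lastIndex = 0;
    while ((attrMatch = EVENT_ATTR.exec(attrs)) !== null) {
      const event = attrMatch[1].toLowerCase();
      const handler = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4];
      findings.push({
        tag,
        event,
        handler,
        // The pattern from the post: a broken image whose error handler runs script.
        imgOnError: tag === "img" && event === "onerror",
      });
    }
  }
  return findings;
}

// Only the findings that match the broken-image trick.
function suspiciousImages(html) {
  return findInlineHandlers(html).filter((f) => f.imgOnError);
}

// Constructed sample: legitimate content next to an injected, hidden image
// pointing at a host that cannot resolve, so its error handler always fires.
const SAMPLE_HTML = `
<div class="listing"><img src="/assets/logo.png" alt="logo"></div>
<img src="https://invalid.invalid/x.png" onerror="loadPayload(this)" style="display:none">
<button onclick="connectWallet()">Connect Wallet</button>
`;

for (const f of suspiciousImages(SAMPLE_HTML)) {
  console.log(`suspicious <${f.tag}> ${f.event}="${f.handler}"`);
}
```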
There are some interesting things embedded in the text. The draining is not the most interesting part this time but it is still the most important message. Beware of links you click, browser extensions you install, DMs you respond to, and much more. The special update is that drainers are no longer isolated to phishing on Twitter or in Discord DMs.
Stop clicking links, advice from 0xSaiyanGod