Today we are taking a look at a clone of PancakeSwap, the most popular decentralized platform built on the Binance Smart Chain. The clone is located at pancakeswvap.com, a lookalike of pancakeswap.com (which actually forwards to pancakeswap.finance, the official domain you should be using).
The front page is a fairly good clone of PancakeSwap, including a modified version of the warning bar at the top of the page urging visitors to make sure the URL is correct, something we see on many websites these days to help visitors avoid scams.
The page asks us to choose and connect our wallet, following a normal process familiar to all web3 users, but let's see what is going on under the hood, because not everything is as it seems.
Watching the phishing page load on the left side and the real PancakeSwap page load on the right, we can see that some extra JavaScript is loaded on the phishing page from the location /drainer/ that we don't see while the official page is loading. Unless you were watching the browser traffic, you wouldn't see any difference between the two pages: this happens in the background and does not change anything you can see in the browser window.
In most browsers you can open the developer tools by pressing the F12 key. With them open while you browse a website, you can inspect the traffic between you and the website, along with other features useful to web developers such as JavaScript debugging.
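The side-by-side comparison above can be repeated offline on two HAR files exported from the developer tools' Network tab. This is an added example, not code from the original article; the hosts, file names and MIME types in the sample captures are constructed placeholders, and `makeHar`, `scriptPaths` and `extraScripts` are hypothetical helper names.

```javascript
// Added example: list script paths a suspect page requests that the reference
// (official) page never does. Input is HAR 1.2 JSON from the Network tab.
// Hosts are dropped because a clone serves its copied files from its own domain.
function scriptPaths(har) {
  const paths = new Set();
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch { continue; } // malformed URL
    if (!/^https?:$/.test(url.protocol)) continue; // ignore data:, blob:, etc.
    const mime = (entry.response?.content?.mimeType || "").toLowerCase();
    if (mime.includes("javascript") || url.pathname.endsWith(".js")) {
      paths.add(url.pathname);
    }
  }
  return paths;
}

// Paths present only in the suspect capture, grouped by top-level directory.
function extraScripts(suspectHar, referenceHar) {
  const reference = scriptPaths(referenceHar);
  const extras = {};
  for (const path of [...scriptPaths(suspectHar)].sort()) {
    if (reference.has(path)) continue;
    const parts = path.split("/").filter(Boolean);
    const dir = parts.length > 1 ? `/${parts[0]}/` : "/";
    (extras[dir] = extras[dir] || []).push(path);
  }
  return extras;
}

// Constructed sample captures: hosts, file names and MIME types are placeholders.
const makeHar = (origin, items) => ({
  log: { entries: items.map(([path, mimeType]) => ({
    request: { url: origin + path },
    response: { content: { mimeType } },
  })) },
});
const shared = [["/static/js/main.js", "application/javascript"],
                ["/static/js/vendor.js", "text/javascript"],
                ["/logo.png", "image/png"]];
const REFERENCE = makeHar("https://reference.example", shared);
const SUSPECT = makeHar("https://suspect.example", [...shared,
  ["/drainer/PLACEHOLDER-1.js", "application/javascript"],
  ["/drainer/PLACEHOLDER-2.js", "application/octet-stream"]]);

console.log(extraScripts(SUSPECT, REFERENCE));
```

A script served with a non-JavaScript MIME type is still caught by its `.js` suffix, which is why the second placeholder entry appears in the result.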
Unfortunately, I'm not yet familiar with the inner workings of web3 JavaScript libraries, but it is safe to assume the code is used to drain the victim's wallet of funds after presenting bogus signing requests that give the page more permissions to your wallet than would normally be requested by the official PancakeSwap website.
Both the registrar of the domain and the CDN provider used to mask the real host of the site have been notified via their customer support Twitter handles. I urge you not to visit any of the phishing URLs that I show in this article. I visit these pages in a controlled, isolated environment; you will be putting your funds at risk of theft.