Phishing Alert: Technical report on Zollo scamming incident

7th April, 2019

This report, compiled by Zilliqa Research Pte. Ltd, comes in response to a phishing attack which used the Zilliqa name, among others, to scam users on April 6th, 2019. It sets out all the known facts related to this incident and gives security recommendations to all those who received communications from this fraudulent entity, which calls itself ‘Zollo.’

Please be aware that “Zollo” is claiming to be in partnership with Zilliqa and Maker DAO to provide a free “token distribution” of ZLO (Zollo token). Users have been asked to provide sensitive information during the sign-up process for this scam token distribution.

We would like to clarify to every single member of our community that there is no partnership between Zilliqa and Zollo. Additionally, we would like to stress that security protocols have always been of the utmost importance to Zilliqa. We are not aware of any security breaches on our end.

Information being targeted: Based on our analysis so far, the information being requested from users includes:

  • Name
  • Email
  • Ethereum address
  • Password
  • Private key
  • Mnemonic phrase (12/24 words)
  • Keystore and related password

Address used by the scammer

This is the currently known address used in this incident. The address has been reported to the Etherscam database.

0xB8f2B53063DED859a3fdb96d43dd3D37253F47Bf

Timeline of incident

Date       Event
March 12   Registration of zollo.io domain
March 20   Registration of zilliqablog.com domain
April 6    First report of Zollo scam
           Reporting of zilliqablog.com to the domain registrar and hosting service
           Notified Zilliqa community on Slack, Telegram, Reddit and mailing list of the ongoing scam incident
April 7    Reporting of known address 0xB8f2B53063DED859a3fdb96d43dd3D37253F47Bf to Etherscam database
           Reporting of fraudulent domain to Google Safebrowsing, IE’s SmartScreen filter, and Etherscam database
           Reporting of zollo.io to the domain registrar and hosting service

Platforms used in the scamming incident

In this incident, the attacker mainly used the following 4 platforms to reach out to potential targets:

  • Fake Zilliqa blog: https://zilliqablog.com
  • Zollo website: https://zollo.io/
  • Email
  • Telegram

The fake blog, email, and Telegram channel have all been used to direct the user to zollo.io.

Fake Zilliqa Medium blog

A website masquerading as the Zilliqa Medium blog was created. It copies the Medium blog layout but is not hosted by Medium. The site claims that Zollo is a joint venture between Zilliqa, Maker DAO, and Ethereum and that it is conducting a free token distribution event.


Fake Zilliqa blog post

Zollo Website

The Zollo website is a modern-looking site with a countdown to the distribution.


Zollo website

Registration page

The registration link leads to a sign-up page, which is used to collect information such as:

  1. Name
  2. Email
  3. Ethereum address
  4. Password

Zollo token distribution registration page

After the information is provided, the site proceeds to ask the user to add a wallet or use Metamask to claim Zollo (ZLO) tokens.


Zollo token distribution page

Fake Metamask

The site displays a fake Metamask wallet. The fake wallet is designed to steal the mnemonic phrase and password of the victim’s wallet.


Metamask wallet in a browser with no Metamask extension

It is designed to report an invalid password regardless of what is entered, and then to ask the user for the mnemonic phrase in order to “recover” their Metamask wallet.


Fake Metamask wallet

Zollo wallet

The Zollo wallet asks the user to import their wallet by providing one of the following:

  1. Private key
  2. Mnemonic phrase
  3. JSON keystore and password

Again, this is an attempt to harvest such information from the user.


Zollo wallet requesting sensitive information

Email

Emails were also sent to numerous people. At this point in time, we are unable to confirm where the mailing list came from.

At the time of the incident, Zilliqa had the following stringent measures in place for our mailing list:

  1. Strong and complex password
  2. 2-factor authentication
  3. The use of non-zilliqa emails to subscribe to, and monitor, the official Zilliqa mailing list
  4. Limited staff access to the mailing list
  5. All emails sent from the mailing list comply with SPF, DKIM, and DMARC

A legitimate email sent from Zilliqa

Analysis of the phishing email

In this incident, the email was sent with the sender shown as “Zilliqa <noreply@preservelopezshoreline.org>”. This domain is currently not registered and does not belong to Zilliqa.


Phishing email sent from that domain
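As an added illustration, not part of the original report, the following Python script applies the report's own cues to raw email headers: a display name that says “Zilliqa” over an address at an unrelated domain, and SPF/DKIM/DMARC verdicts that are anything other than pass. The legitimate sending domain and the Authentication-Results lines are constructed assumptions for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumption for this example: the report does not list Zilliqa's real sending
# domains, so "zilliqa.com" stands in for them here.
LEGIT_DOMAINS = {"zilliqa.com"}
BRAND = "zilliqa"

def parse_auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def assess(raw):
    """Return a list of findings; an empty list means no red flag was seen."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdicts = parse_auth_results(msg)
    findings = []
    # The display name borrows the brand but the address domain is not ours.
    if BRAND in name.lower() and domain not in LEGIT_DOMAINS:
        findings.append(f"display name claims {BRAND} but sender domain is {domain}")
    # A genuine mailing-list message passes all three authentication checks.
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({verdicts.get(mech, 'missing')})")
    return findings

# Constructed samples: the sender named in the report, and a legitimate-looking one.
PHISH_EMAIL = """\
From: Zilliqa <noreply@preservelopezshoreline.org>
Subject: Claim your ZLO tokens
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=preservelopezshoreline.org; dkim=none; dmarc=none header.from=preservelopezshoreline.org

Register now for the Zollo token distribution.
"""
LEGIT_EMAIL = """\
From: Zilliqa <noreply@zilliqa.com>
Subject: Zilliqa newsletter
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zilliqa.com; dkim=pass header.d=zilliqa.com; dmarc=pass header.from=zilliqa.com

This month at Zilliqa.
"""
```

Running `assess(PHISH_EMAIL)` yields four findings (brand mismatch plus three failed checks), while `assess(LEGIT_EMAIL)` yields none.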

Telegram

A Telegram channel was created and is mainly used to spread the message of the fake token distribution event.


Zollo Telegram channel

Recommendation

If you have provided your email and password, we suggest changing your password. We also recommend that you enable 2-factor authentication and use a complex password for better security.

If you have provided your private key, please note that the private key is likely compromised. We highly recommend taking the necessary mitigative action quickly. This includes (but is not limited to) transferring the balances to a new address.

If you have provided the mnemonic phrase, we strongly recommend you consider all addresses associated with the mnemonic phrase as compromised and take necessary mitigative actions such as transferring your balances to a new address - unrelated to that of the compromised mnemonic phrase.

If you are in any airdrop group with regards to Zilliqa, we suggest you leave the group. Please do not provide any information requested by the group. Do note that Zilliqa does not have any airdrops.

Lastly, we recommend basic but effective practices that are key not only in this situation, but at any point in time. Please keep your password, private key, and mnemonic phrases STRICTLY CONFIDENTIAL AT ALL TIMES.

For transactions and interactions requiring sensitive information, please take a few additional moments to verify the source and authenticity of the requests to the best of your knowledge. Please utilise all technology-based security measures to protect yourself from becoming a victim to this, or any scam down the line. Our report should provide a good starting point to learn about the measures you can take.

We will share updates on this incident as and when we have accurate details. In the meantime, we urge you to be vigilant of all communications that you receive from Zilliqa. In case you have encountered any security issues, please inform us at security[at]zilliqa.com

Thank you.
