Digital Fortress, Part 2: How to securely interact with Web3 websites?

What are the main dangers and threats when interacting with websites in Web3?

Although good-willed people try to flourish in the crypto economy, the crypto space is not completely free from malicious actors. Here are a few of the threats lurking in the shadows of the blockchain world:

• Phishing scams: The attacker sends mass emails or messages as the first step of a phishing attack. These emails or messages look like they are from a legitimate source, such as a wallet, a cryptocurrency exchange, or a known project and act as bait. When someone bites and clicks on the link within the sent text, it leads the user to a fake website that looks indistinguishably similar to the original one. Then, users are asked to input their information, and if they do, the attacker gains access to their account, thus completing the “phishing” process. Phishing messages often urge users to mint a limited edition NFT or take part in an activity promising rewards within a limited time frame.

How a phishing attack works.

• Deceptive DApps: Decentralized applications (DApps) are blockchain-based apps powered by smart contracts. Scammers commonly use fake DApps to steal funds from investors. These malicious DApps host links leading to malignant websites and ask users for authorization that may expose vulnerabilities.
• Rug pulls: Developers in Web3 tend to market their product as the biggest thing in the last millennium that will revolutionize the industry. Some people believe these marketing strategies and immediately hop on board. When these developers gain enough support, they pull the rug from under the investors’ feet, sell all their tokens and disappear with the funds. After the rug pull, investors are left empty-handed, and the liquidity of the project no longer exists.

Why is bookmarking trusted websites in your browser critical for Web3 security?

Bookmarking is not only a faster way of accessing commonly used websites but also a safer one. Yes, users can open their browsers and access their bookmarked websites with a single click. But bookmarking also prevents users from accidentally opening phishing websites that have an almost identical link, directing the user straight to the previously bookmarked website instead.

What are the risks of connecting your wallet to a website?

When users access websites that use crypto technology, the first thing that welcomes them is the pop-up asking them to connect their wallet. Connecting their wallet to a website allows the platform to receive their public wallet address and empowers the website to request transaction authorizations from their wallet. Of course, users need to manually accept these transactions for them to happen, but without the necessary caution, one click can cause irrecoverable losses in funds.

Users can also encounter buttons asking them to connect their wallets to valid-looking phishing websites. These buttons can look like they are only asking to connect to the user’s wallet when, instead, they are asking for more than a user’s wallet address. In fact, websites can ask for access to all assets in a user’s wallet. This is why, users should be careful and read the exact actions that are requested from their wallets before giving permission.

A Web3-focused security tool can instead check these requests by analyzing smart contracts, identifying dangerous logic, critical vulnerabilities and compromising permissions with intentions to access the user’s assets.

How do hackers exploit seed phrases, and why is it critical to leave them confidential?

Seed phrases, also known as recovery phrases, are a group of randomly generated words that allow users to access their cryptocurrencies within their wallets. Losing a seed phrase is the worst-case scenario for crypto owners since they are irrecoverable. These phrases act as the master key in accessing a crypto wallet, highlighting them as the common target for various phishing schemes, such as a website launching a fake wallet and asking for the seed phrase or a phishing site generating an error when connecting the wallet. When the error message pops up, users are asked to connect their wallet manually by imputing their seed phrase, essentially giving away the information to the malicious actors voluntarily.

What are the risks of signing messages on unfamiliar websites?

Anybody can view the balance of a crypto wallet, as blockchains are transparent and publicly visible. But to prove they own the wallet, users utilize message-signing technology, which allows them to create an encrypted message using their private keys to demonstrate they own a specific wallet address without the hassle of moving funds. This feature is similar to the security code written on the back side of credit cards, which enables users to validate their ownership.

Unfamiliar websites that request signing messages are highly likely to be malicious, which can lead to a loss of assets. Sinister signing messages masked as personal_sign and signTypedData are hard to spot for users who are not knowledgeable about the backend of these requests. Unfortunately, signing such a message can potentially give malicious actors heaps of unauthorized access to the funds in a user’s wallet. Using a Web3 security extension that flags these messages automatically and displays a warning could be the best option for such users.

How to minimize risks when interacting with Web3 websites?

In order to minimize risk factors when browsing through Web3, users should pay special attention to the websites they visit and check the link for any alterations. If it isn’t a commonly known website, users should verify the platform's authenticity by researching and going through related forums and social media accounts. However, checking the full Web3 universe for each site can lead to an overwhelming experience.

Instead, Web3-specific antivirus tools can automatically conduct the process each time a user visits a website. One such is Web3 Antivirus (W3A), a browser extension that verifies Web3 entities before users interact with them and warns users of potentially dangerous actions.

It not only checks the website address but also audits messages and transactions and shows users the outcome in case they sign. For example, when users encounter a phishing website that prompts them to connect their wallet, it might seem innocent at first glance. W3A will audit the signing request and show the user that signing it will lead to approving access to all the user’s assets.

Here’s how a phishing URL is shown when detected by W3A.

Providing a streamlined installation process, W3A doesn’t request access to payment or personal information. The tool constantly updates itself with the newest information about scam websites and deception methods.

Offering a phishing website detection feature, W3A checks domain names and compares them to a blacklist with more than 1 million websites. The tool warns users whenever they enter a blacklisted website, or it detects phishing with its AI similarity validation.