DeFi Llama warns against malicious link spoofing its service

DeFi Llama is the latest victim of a spoofing link. The data service warns against using top links from Google, as malicious activity has been noticed. 

DeFi Llama warned against using Google to search for Llama Swap. The search yielded an advertising site as the top sponsored result, which remained live for more than two hours.

The website is not the native DEX on DeFi Llama, and will instead contain malicious links. The site has been reported to Google, but remained live for a while after DeFi Llama’s signal. The DeFi Llama Swap contracts have not been compromised, and there are no additional risk to users.

https://twitter.com/DefiLlama/status/1856288177608159679  

DeFi Llama Swap aims to be a zero-fee service, seeking the most efficient route among multiple aggregators. The swap service is targeting Ethereum and L2 tokens, and is not compatible with Solana wallets. DeFi Llama itself is a passive data service that does not require a wallet connection. 

Even with a malicious link, some wallets should warn about the discrepancy through internal checks, and prevent any transactions or permissions. Using sponsored content on Google is a relatively old way to serve fake links and attempt to drain wallets. 

Google ads have targeted crypto projects, especially during bull runs when mainstream enthusiasm for crypto is rising. The ad arrived after a slight uptick in ‘DeFi’ search terms on Google. 

The Defi Llama Swap spoof site was identical to the original, with the exception of the URL. The faked site was flagged for suspicious activity, but contains no malware. The risk comes from the voluntary decision of the user to connect a wallet and attempt a swap. 

DeFi Llama notified of a spoof link, which showed a suspicious URL. | Source: URL Analysis

DeFi Llama advises to reach the URL from its main data service page, and then make sure it is the same tab and connection. Similar search results remain a risk for other DEX and services. Any unofficial links requiring a wallet connection have the potential to send out transactions and drain wallets. As long as the user does not sign approvals or issue transactions, the link itself was not dangerous.

Phishing link scams accelerate, become more sophisticated

In addition to social media or chats, malicious calls to sign a transaction have also come from Lottie Player , a Wordpress tool for animations and popups. Other recent reports reveal wallets may be attacked by malware posing as a Zoom link. Similar links have been posted for MetaMask and other often-used crypto services. 

Phishing scams are a relatively minor part of overall crypto losses. However, they are some of the most damaging, as they attack personal holdings and wealth. In October, scams and project attacks accelerated, to more than 46 events based on Certik’s reporting. Phishing scams are an additional risk of loss, and may affect both end users and platforms. 

Estimates put phishing scams at around $20M in October, extending the trend in the new month. This type of scam was happening the most often. The attempts to drain wallets reawakened in September, after a few slow months. 

Targeting personal wallets is happening during NFT and meme token booms, where multiple crypto events may require a wallet connection. The hackers make use of lowered attention and hide behind legitimate services or spoofed links. On social media, malicious links are also contained in promises for fund recovery, often attempting to ask for a wallet’s private keys.

On-chain data shows up to 493 ETH stolen in September, the highest level for 14 weeks in a row. Scams are not happening regularly, and may hinge on campaigns and clustered attempts. Usually, a handful of wallets will spawn an attack in a short time frame. Similar to malicious links, poisoned addresses are also targeted operations, working fast within days to hit as many victims as possible. 

More than 90% of phishing scam victims are users of the Ethereum network. Most wallet attacks are phishing, with under 10% linked to poisoned addresses.