Foreword

Recently there has been a high number of malicious multi-signing cases in TRON wallets. We have previously issued warnings about this type of fraud and analyzed several scenarios that lead to multi-signing; for details, see the two articles "Beware | Tron's malicious permission change scam" and "How far away are fake links and fake wallet scams from us". The main scenarios are downloading a fake wallet from a fake official website, which leaks the private key or mnemonic and leads to the account being multi-signed, and opening a link that contains malicious code and executing a signature, after which the account is multi-signed. We therefore remind users once again not to use search tools to find and use wallets, and not to casually open third-party links from unknown sources, especially recharge links on verification-code, follower, card-purchase and similar platforms.

TokenPocket official website: tokenpocket.pro, tpwallet.io

Malicious authorization characteristics

Approve means authorization. It allows users who hold Tokens to authorize a certain quota to a designated account by calling the Approve method, giving the account the power to freely use Tokens within the quota. If authorized to a malicious account, the authorized assets will be at great risk.

Malicious authorization usually reaches us "packaged" in the form of a link. For example, after a QR code is scanned, a link to a fake transfer interface opens, and when the transfer is completed the malicious authorization is executed. There are also links to verification-code, follower and card-purchase platforms in which malicious authorization code is implanted in the recharge process. Once it executes successfully, the malicious authorization is in place and the authorized Token will be stolen.

If the malicious authorization is now executed in a new way, can you still tell the difference?

New malicious authorization scam

The other party will take the initiative to contact you and claim to be able to solve the problem you have encountered. For example, if you hold a Token that cannot be circulated, the other party says they can help you deal with it using hexadecimal data. They will not ask you for a private key or mnemonic, nor will they give you a link to open and sign. The following is the process of one such scam case.

The scammer will claim to have "black technology" that can help you solve the problem, and will patiently help you check the relevant on-chain information. Finally, he will carefully teach you how to operate. After you fill in the hexadecimal characters and execute the transfer, the assets you authorized will be stolen by the other party through the malicious authorization.

It is important to understand that on blockchains such as Ethereum, operations such as transfers and authorizations, and indeed any smart contract interaction, can be completed directly through this hexadecimal data. The hexadecimal data contained in each operation can be viewed in a blockchain explorer.

On-chain execution data for different functions

To make the distinction easier, the on-chain execution data of an ordinary transfer, a transfer containing hexadecimal data and an approve operation are shown here for comparison.

Ordinary transfer data
Code Transfer Data
Malicious authorization data

Note that the data above is displayed after parsing. You can view the originally submitted data by following the options in the figure below.

View raw data

Demonstration of the authorization process

0xeE9E75500741A5936D3884924749b972bF562935 is a newly created address on the BSC public chain. This address is used as the "bait" that performs the transfer containing hexadecimal data. 0x2f75b95C6B5dE369321e184469691A3FAf92aFC7 is another newly created BSC wallet address, used to simulate the "malicious authorization" address. Use the tool to get its hexadecimal code:

0x395093510000000000000000000000002f75b95C6B5dE369321e184469691A3FAf92aFC70fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

Set 0x55d398326f99059ff775485246999027b3197955 as the receiving address, set the amount to 0, fill in the hexadecimal code in advanced mode and complete the transfer.

Completing the transfer also completes the malicious authorization. Check the data in the on-chain authorization record: it shows the time of the call, the authorized amount and the authorized address, which is the simulated malicious authorization address ending in C7 above.
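The check below is an added example, not TokenPocket's code: it decodes hexadecimal data of the kind used in the demonstration above and reports what signing it would do. The selectors are the standard ERC-20/BEP-20 ones (0x39509351, used above, is increaseAllowance(address,uint256), which grants an allowance just as approve does); the name inspect_call, the "unlimited" threshold and the sample are assumptions made for illustration.

```python
# Standard 4-byte selectors of functions that grant a token allowance.
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
OTHER_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
UNLIMITED_THRESHOLD = 1 << 200  # assumption: amounts this large are effectively unlimited


def inspect_call(value_wei: int, data: str) -> dict:
    """Decode transaction data and list reasons not to sign it blindly."""
    raw = (data[2:] if data.lower().startswith("0x") else data).lower()
    report = {"function": None, "spender": None, "amount": None, "warnings": []}
    if not raw:
        return report  # no data: a plain native-coin transfer
    try:
        bytes.fromhex(raw)
    except ValueError:
        report["warnings"].append("data is not valid hex")
        return report
    selector, args = raw[:8], raw[8:]
    name = ALLOWANCE_SELECTORS.get(selector) or OTHER_SELECTORS.get(selector)
    report["function"] = name or f"unknown selector 0x{selector}"
    if value_wei == 0:
        report["warnings"].append("amount is 0 but data is present: a contract call, not a payment")
    if selector in ALLOWANCE_SELECTORS:
        # Two 32-byte words: left-padded spender address, then the amount.
        if len(args) != 128 or args[:24] != "0" * 24:
            report["warnings"].append("malformed allowance arguments")
            return report
        report["spender"] = "0x" + args[24:64]
        report["amount"] = int(args[64:], 16)
        report["warnings"].append(f"grants {report['spender']} the right to spend your tokens")
        if report["amount"] >= UNLIMITED_THRESHOLD:
            report["warnings"].append("allowance is effectively unlimited")
    return report


# Constructed sample mirroring the demonstration above: same selector and
# spender, amount 0x0fff...f (one zero nibble followed by 63 'f' nibbles).
SPENDER = "0x2f75b95C6B5dE369321e184469691A3FAf92aFC7"
SAMPLE_DATA = "0x39509351" + SPENDER[2:].rjust(64, "0") + "0" + "f" * 63

if __name__ == "__main__":
    for line in inspect_call(0, SAMPLE_DATA)["warnings"]:
        print("WARNING:", line)
```

Any hex string someone asks you to paste into advanced mode can be run through a check like this first; an allowance selector with a spender you do not control is the signal to stop.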

Security risk reminder

It can be seen from the above cases and data that an authorization is executed by sending data that calls a function. In essence, it is the result of using the authority of the private key or mnemonic phrase to sign the malicious code. Therefore, anyone who proactively contacts you and is eager to help you solve your problem may have ulterior motives. Please do not trust their enthusiastic service and do not perform transfer operations containing hexadecimal characters at their request. Scammers have always been on the opposite side of our asset security, so we must learn blockchain knowledge, understand how it works, and use the security and anti-fraud knowledge we have to better protect our assets.
