With the rapid development of the TON ecosystem, more and more users are entering it. Many attackers have been waiting for exactly this moment: in the window before the TON ecosystem integrates advanced fraud-detection tools, they are deploying all kinds of phishing websites and committing fraud, and the phenomenon is becoming increasingly rampant. This not only poses a serious threat to users' assets, but also harms the healthy development of the entire TON ecosystem.

As a security partner of the TON ecosystem, Beosin has compiled three typical categories of phishing attacks to address these risks: wallet phishing, website phishing, and centralized-tool phishing. For each, we give users corresponding preventive measures to help everyone interact safely with TON ecosystem projects.

1. Phishing risks in wallets

1. NFT phishing

When users interact with the TON ecosystem, they often receive NFTs in their wallets. NFTs from unknown sources are usually sent by hackers:

Besides the deceptive name of the NFT, when users view the NFT's content they may be led to a phishing website the hacker prepared in advance and fall victim to the attack.

2. Zero-value transfer phishing

Zero-value transfer phishing is rampant on the TON network. Hackers send phishing-website information to users' wallets via zero-value transfers, and users may be deceived when viewing their transaction activity:

To avoid the above phishing attacks, Beosin recommends users:

1. Stay vigilant and confirm the source of any NFT or link you receive. Do not casually visit such websites, connect your wallet to them, or enter your mnemonic phrase.

2. Choose wallets such as Tonkeeper and MyTonWallet that support identifying suspicious transactions and NFTs, so that phishing scams can be spotted immediately and asset losses avoided.

3. Before transferring funds to another address, first use a KYT tool to check the risk of the receiving address. Beosin KYT currently supports the TON network and automatically identifies medium- and high-risk addresses on it:

Beosin KYT

2. Misleading Comment Field

Because Jetton tokens on the TON network have no approval mechanism comparable to that of ERC-20 tokens, once a user has connected their TON wallet on a phishing website, the hacker usually initiates a transfer request directly, moving tokens from the user's wallet to the hacker's address. As shown in the following figure:

In the transaction request, hackers use the Comment field to mislead users into thinking they are receiving rewards or tokens, so that they confirm the phishing transaction and suffer losses.

Take the phishing incident discovered by Scam Sniffer as an example: the hacker set the content of the Comment field to "Received +5,000 USDT".

The transaction request as seen by the user is shown in the figure below. It is very easy to believe mistakenly that 5,000 USDT will be received after completing this transaction, and thus to rush to confirm it. In fact, the transaction transfers 4.52 TON from the victim's wallet to the hacker's address.

Users should note that the Comment field is intended for leaving messages and identifying addresses; it says nothing about the result of the transaction. Because the party initiating the transaction can set its content arbitrarily, do not trust anything written in the Comment field.
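The two comment-based tricks described above (a zero-value incoming transfer carrying a phishing link, and an outgoing transfer whose comment claims the user is "receiving" funds) can both be caught by a simple wallet-side heuristic. The following is an added example, not code from Beosin, Scam Sniffer or any TON wallet; the message structure, the keyword lists and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

NANOTON_PER_TON = 1_000_000_000  # TON amounts are carried with 9 decimal places

# Words a comment uses to suggest the user is *receiving* value (constructed list).
INCOMING_CLAIM = re.compile(
    r"\b(received|receive|reward|airdrop|bonus|claim|refund)\b|\+\s*\d", re.IGNORECASE
)
# Anything that looks like a URL or bare domain inside a comment (constructed list of TLDs).
LINK_PATTERN = re.compile(
    r"(https?://|www\.|[a-z0-9-]+\.(com|org|net|io|xyz|app|top|site|me|ton)\b)", re.IGNORECASE
)


@dataclass
class TonMessage:
    """Simplified, hypothetical view of a transfer as a wallet UI would render it."""
    direction: str        # "out" = the wallet is asked to sign a send, "in" = received
    amount_nanoton: int   # value moved, in nanoTON
    comment: str          # free-text Comment field chosen by the *sender*


def audit_message(msg: TonMessage) -> List[str]:
    """Return human-readable warnings; an empty list means nothing suspicious was found."""
    warnings: List[str] = []
    amount_ton = msg.amount_nanoton / NANOTON_PER_TON

    # Case 1: the request asks the user to SEND coins while the comment talks about receiving.
    if msg.direction == "out" and msg.amount_nanoton > 0 and INCOMING_CLAIM.search(msg.comment):
        warnings.append(f"comment claims an incoming payment but this request SENDS {amount_ton:.2f} TON")

    # Case 2: an incoming zero-value transfer exists only to put a link in front of the user.
    if msg.direction == "in" and msg.amount_nanoton == 0 and LINK_PATTERN.search(msg.comment):
        warnings.append("zero-value incoming transfer carrying a link: likely phishing spam, do not open")

    return warnings


# Constructed sample messages: the Scam Sniffer case, a zero-value spam message, and a benign payment.
SAMPLES = [
    TonMessage("out", 4_520_000_000, "Received +5,000 USDT"),
    TonMessage("in", 0, "Claim your reward at https://ton-bonus.example"),
    TonMessage("out", 1_000_000_000, "invoice 4821"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.comment, "->", audit_message(sample) or ["ok"])
```

The check deliberately keys on the direction and amount the wallet is actually about to sign, never on the comment alone, which is exactly the information the phishing comment is trying to distract from.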

3. Centralization Risk

The popularity of TON mini-games and the convenience of Telegram bots have led more users to use Telegram and its built-in Wallet directly, rather than a self-custodial wallet, for playing games and trading. If a user's Telegram account is stolen, the assets in Wallet fall under the hacker's control as well. Users should enable Telegram's two-step verification to improve the security of their accounts.

Although mini-games and TG Bots have sprung up like mushrooms after rain, most of these applications focus on implementing functionality and still have gaps in their security design, for example asking users to import their private keys directly, or creating new wallets on the user's behalf. Such operations give the application de facto control over all of the user's assets, exposing users to centralization risks such as rug pulls.

Summary

Having looked closely at the phishing methods and risks in the TON ecosystem, we can see that although the ecosystem is full of prospects and possibilities, it also brings many risks and security challenges. Users must remain highly vigilant and careful with the assets they hold. From choosing a more secure wallet and using address risk-analysis tools to improving their own anti-phishing awareness, these preventive measures can greatly reduce risk and protect users' assets. We encourage all users to be cautious when interacting with TON ecosystem projects. In the world of Web3, security always comes first.

Finally, everyone is welcome to share the phishing scams they have seen or encountered in the comments section. Beosin will publish more detailed phishing analyses and prevention guides later.