You sit down at the breakfast table with your coffee. As the yawns squeeze out of you and you wipe the sleep from your eyes, you pull out your phone to catch up on your emails.
Just routine stuff… spam, spam, free offer, Amazon invoice – wait, what’s this? Your cuteandreallycuddlyfluffypuppies.com account has been compromised and needs your immediate attention! 😱 You click the link to reset your password, glad you caught this email before it was too late.
You follow the prompts on the next screen and fill out your new password… little do you know, your cuteandreallycuddlyfluffypuppies.com account has been compromised. By you. Right now. That was a fake link from a fake address, and they got exactly what they wanted out of you!
Sound familiar? This is one of the most common tales of how scammers find their way into someone’s defenses. As digital security continues to improve, there is still one glaring vulnerability to even the best system – the human behind it!
Welcome back to The Guardian Papers, where digital heroes can get the base training they need to thwart villains’ underhanded attacks against them across the web3 world.
Email is often where scammers have a chance at getting directly to you. One miscalculation or momentary lapse of attention to detail could cause you a lot of hassle, so you’ve got to know how to keep yourself safe.
First off, we definitely don’t want to imply that email is inherently insecure – many email providers have excellent security protocols put in place, and there are tons of tools out there for anyone who wants to beef up the actual protections in their email. The problem with email security is the person behind the keyboard… and it’s a vulnerability that isn’t going away.
Your email is a direct line to you. No matter your security infrastructure, if you’re getting a scammer’s email in front of you, you’re probably going to read the words they wrote. This direct access is the dream of all those fake Discord admins and help desks. They want that direct line so they can exploit your trust… because your security systems work for you. If they convince you, your security isn’t an issue.
For most people, email is the height of routine. When you are checking emails, you’re performing the same ritual you’ve done thousands of times. You may have many email accounts, only adding to the volume and frequency of your email checking ritual. When you do something day in and day out, over and over, you eventually become less attentive to the process overall.
As something becomes part of your routine, you eventually sort of automate it in your mind. How many things do you automatically do throughout the day without any real conscious thought? It’s the same for email. While the part of your brain that reads and parses the information in the emails may be present, other parts of your mind have moved on to other tasks.
This leads to some easy wins for scammers that would never work on you while at full attention.
How Did They Find Me!?
Honestly, how wouldn’t they find you? It’s important to remember that our data is everywhere, and we don’t typically consider email addresses private data. If it’s ever been out there, it’s probably still out there.
Let’s say Billy has a private, personal email address that he typically only shares with family and close friends, then he has another that he uses for work. Billy’s dad is fond of forwarding emails on occasion, and so drops a long chain email forward into Billy’s inbox once in a while. Billy’s friend Sally CCs him into a monthly newsletter that she sends out for their Karaoke Club. One day, Billy starts seeing large amounts of spam coming into his personal email account! 😨
What happened? Well, you see, Tyrone from Karaoke Club was trying to get his friend Trevor to come to last month’s championship, so he forwarded him the newsletter. Trevor’s email account was compromised and the inbox contained Tyrone’s address, along with the CC’d address of every other member of Karaoke Club. Welcome to a list, Billy.
Let’s be honest though, it’s probably not the first time Billy has gotten scam emails at that address. He used to have it visible in his Facebook about section for years, and it’s still listed on an ancient and forgotten DeviantArt portfolio along with his real name. Also, he’s had this account for a long time and emailed lots of people. Each of those is a chain that connects to his email address. If any one link is discovered by the bad guys, the whole chain is in the open.
After that they can do a surprising amount to learn your behaviors. With a full-feature email service, they can theoretically tell exactly when you open the email, your operating system, your geolocation… all sorts of stuff that isn’t exactly secret, but gives you the shivers that they could know. Once they have this, it’s not hard to generalize demographics and predict who would be receptive to what scams.
Wolves Dressed as Sheep
Many of the ways people will attack you through your email fall right in line with our previous discussion about The Impersonator. In your email they know they have you in a format where you’re likely to overlook small details. If they know they can get past your spam filter, then they know there’s a good chance that you’ll at least click on their email.
They’ll try to mimic emails that you are likely to be receiving. There are lots of ways they could get an idea about what email lists you may be on, and not all of them are data breaches. A tracker in your browser could be feeding info about your behavior without necessarily doing anything nefarious to be flagged as malware by your safeguards.
Remember, legitimate businesses and individuals assign cookies and trackers all the time without any ill intent. We all click “Accept All Cookies” once in a while. Even if there’s just a .01% chance that any of those you click on has something harmful coming across, it’s just a matter of time.
Also consider that people are quite predictable with a large enough sample size. For every well-timed scam email you’ve ever received that seemed like they must be actually watching you, you’ve probably received two dozen weird ones that seemed to come out of left field. It’s just a numbers game. They’ll get it right sometimes.
If they’ve identified your email and the most likely services and addresses that can trick you, it’s only a matter of seeing what they can slide by.
In the case of this above example, the fake may seem obvious. After all, we’re here stretching our brains and thinking about scammers, but when someone comes across this email they may be distracted or in a hurry. Then, they could feel panicked that their MetaMask wallet has been compromised.
Notice that they color the email to draw the eyes directly to what they want you to see: the large notice at the top, and the button to “update now”. While we didn’t click that link, a quick mouseover revealed the target to be a proxy site, with a slug pointing to a long string of characters for a dApp command. This link almost surely goes to a fake service site where you will be immediately asked to connect your wallet.
Oh, and also –“MҽtaMask”? That’s not an E. That’s an Abkhazian Che, a Cyrillic character that is entirely different from the latin “e”. If you’re not paying close attention though… it may be enough to not get them flagged for impersonation, while your eyes simply autocorrect that to “MetaMask”.
Also, check out that XM over there. That’s called a BIMI, or Brand Indicators for Message Identification. These are verified trademark spaces, so a brand can submit a BIMI that won’t be copied anywhere else. This is a relatively new system that only works with some email providers, so you may notice a difference between impersonators and the emails they’re impersonating based on their mark. This isn’t always the case though, as some brands have not yet adopted BIMI… our emails here at Gala, for instance, do not ever use a BIMI.
That verification check mark doesn’t mean anything, it’s just part of the display name – like we saw with fake help admins in our imposter profile.
The dead giveaway is the return email though. Even half redacted, it should be pretty easy to tell that’s not from MetaMask. Why would MetaMask not send emails from their domain that users know and trust?
Straight to the Source
The important part here is that your email usually has your attention. If they can slide into your inbox, half their work is done. If they send out 10,000 emails, what do you suppose the chances are that no one is careless enough to click without thinking?
That’s the end goal for these scammers. They know that most people in the digital world are protected in some way from bad actors, but they also know that you hold the keys to your security mechanisms. The best defenses in the world don’t mean much if you willingly click to their site and give them your information.
This is why The Guardian Papers are here. These scammers know that there is always someone to prey on because people aren’t informed. If we all know what to look for, the fruit they’re looking for gets waaaaay higher in the tree. Maybe they’ll just go find another tree to climb.
Digital Guardians
No one is going to ensure your security on the web. You have to take matters into your own hands and change behaviors if you want to be safe. While it may seem overwhelming to think of all the ways the bad guys can get to you, it’s really not that hard. If you learn the ways that they come at you, before long it’ll be easy to spot the attackers long before they breach your walls.
We learn. We teach. If everyone is equipped to deal with them, digital villains don’t stand a chance.
That’ll do it for this week’s Guardian Papers! We’ll be back though as we dive into common ways people use Discord and other messaging apps to prey on the unaware!
Imagine that you own a castle. As a proud owner of such an impressive, shiny fortress, you’ve likely got defenses – a sturdy wall and a heavy gate to protect your valuables. When an advancing army approaches, however, you don’t necessarily want them to test that security. You wouldn’t even lower the drawbridge!
Your passwords function the same way and are your first line of defense to keep bad guys from ever even getting a foothold near your digital hoard.
Welcome to the 6th installment of The Guardian Papers, where we walk you through how you can protect yourself from the digital miscreants who seek to steal, cheat, and otherwise destabilize our beloved community.
As the blockchain revolution continues to provide opportunities for people all over the world, those who lurk in the shadows are always eager to prey on the unaware. It is our goal with this series to educate and empower our community to resist and repel the monsters who hide out there in the digital darkness, so that we all can be safe, secure and more prosperous as we build a better future together.
In the next few articles, we’ll be talking about security fundamentals that apply to all aspects of digital defense. We’ll rotate back to the Gala community specifically soon, but for now these are fundamentals that everyone should learn, and that are often highly exploited in the blockchain world.
What Makes a Password Secure?
Nearly everybody has countless passwords across their digital profile, so you’d think that creating secure passwords is a skill that everybody just picks up early on in life. Unfortunately, despite most people knowing better, many people are still using incredibly unsafe practices with their passwords that can leave your digital assets vulnerable to the bandits of the blockchain frontier.
Increases in technology bring many extra tools to help keep your assets secure, but also give your enemies more sophisticated weaponry to use against you, which makes it more critical than ever to use strong and secure passwords throughout your entire online ecosystem.
Length and Variety
Different platforms have differing minimum criteria for the length and character variety of passwords, and it’s never a bad idea to go overboard. With current computing power, a cybervillain could potentially attempt billions of passwords per second. While this may be limited somewhat by network security features on some platforms, longer and more varied passwords mean more combinations will be required to guess yours.
If you were using a 7-character password that consisted only of numbers, that password would have 10 million possible combinations (0000000-9999999). Take that same 7-character password and include capital and lowercase letters as well – now you have 62 possible characters per position. This would increase the number of possible combinations to a little over 3.5 trillion, still with only 7 characters in the password.
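The arithmetic above generalizes to any character set and length, and it is worth carrying one step further: dividing the number of combinations by a guess rate tells you how long an exhaustive search takes. The script below is an added example for this post (not Gala’s own code); the guess rate of one billion per second is an assumption taken from the “billions of passwords per second” figure above, and the function and constant names are ours. It reproduces the 10 million and 3.5 trillion figures and also shows that adding length beats adding character variety.

```python
import math

# Assumed guess rate, matching the "billions per second" figure in the post.
# The real rate depends on how the password is hashed and on the attacker's hardware.
GUESSES_PER_SECOND = 1_000_000_000

# Sizes of the printable-ASCII character classes a password can draw from.
CHARSETS = {"digits": 10, "lower": 26, "upper": 26, "symbols": 33}


def alphabet_size(*classes: str) -> int:
    """Number of distinct characters available when the named classes are combined."""
    return sum(CHARSETS[c] for c in classes)


def keyspace(alphabet: int, length: int) -> int:
    """Combinations an attacker must cover to exhaust every password of this length."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """The same keyspace expressed in bits (log2), the usual way to compare policies."""
    return length * math.log2(alphabet)


def worst_case_seconds(alphabet: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every combination at the given guess rate."""
    return keyspace(alphabet, length) / rate


def length_needed(alphabet: int, target_bits: float) -> int:
    """Smallest password length that reaches target_bits of entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet))


if __name__ == "__main__":
    # The two cases worked in the post: 7 digits, then 7 characters from 62.
    for label, alphabet in (("digits only", alphabet_size("digits")),
                            ("digits + letters", alphabet_size("digits", "lower", "upper"))):
        print(f"7 chars, {label}: {keyspace(alphabet, 7):,} combinations, "
              f"{entropy_bits(alphabet, 7):.1f} bits, "
              f"{worst_case_seconds(alphabet, 7) / 3600:.2f} hours at 1e9/s")
    # Length beats variety: 12 lowercase letters outlasts 7 mixed characters by years.
    print(f"12 lowercase letters: {worst_case_seconds(26, 12) / (3600 * 24 * 365):.1f} years at 1e9/s")
    print(f"length for 80 bits with all 95 printable chars: {length_needed(95, 80)}")
```

Even the 62-character, 7-position password from the post falls to an exhaustive search in under an hour at the assumed rate, which is why the length advice in this section matters more than sprinkling in a capital letter.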
Uniqueness
Not only do you want your passwords to be unique for each of your accounts, but ideally you want them to be a combination of characters that no one else would ever have thought of in their wildest dreams. Including dictionary words or common mnemonics like a year could leave you vulnerable to hackers looking for low-hanging fruit.
Your password shouldn’t be something familiar or easy to remember – the entire point is to make it something that only you know.
This may seem like common sense to many digital veterans, but data breaches have repeatedly shown that things like “password”, “123456” and “qwerty” are the most commonly used passwords throughout the world. Using any common phrases in your passwords makes you the nice, soft target that the enemies of digital sovereignty are after.
Fun Fact: According to a study last year by NordPass, here are the top 10 passwords used worldwide:
1. 123456
2. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890
Don’t be like these people. Make your passwords secure.
Anonymity
If someone is going to try to penetrate your personal passwords, the best place for them to start is often to know their enemy – you! If personal information that they can glean from public records or social media gives them insight into what your passwords may be, they may be able to breach all of your security before you even see them coming.
Using your birth year, your pets’ names, your children’s names or anything simple to guess with just a little information about you is incredibly unwise. Especially if you use similar mnemonics on all your passwords, one glance at your Instagram profile may have given a hacker all they need to clean out your digital hoards.
Common Password Vulnerabilities
Constructing strong and secure passwords certainly helps keep your defenses high. Secure passwords can still have vulnerabilities, however, and it’s extremely important to know all the angles that your password security could potentially be attacked from.
The Human Element
While many insecure passwords are often “brute forced” by miscreants with a program that can guess combination after combination, some are obtained through phishing attempts as we’ve discussed in our previous Guardian Papers profiling the common scams in the blockchain world. This is never to be taken lightly, as criminals will continue to develop new ways to trick your information out of you.
Your passwords are yours, and should never be shared. Even here at Gala, we’ll never ask for your password or keys – anyone who does is up to no good.
Even if you have excellent security and top-notch passwords, one error in judgment can still be exploited to ransack your digital fortress. There is no reason to share personal data or password information with anyone over email, Discord or any social media.
The scammers multiply because their methods get results. This is why it’s absolutely critical that the community here at Gala and throughout the entire blockchain frontier helps educate and empower their fellow digital pioneers. Once every member of the blockchain world is familiar with and prepared to fight off these attacks, these monsters’ food source will dry up.
Data Breaches
As massive data breaches have repeatedly shown in recent years, even secure information can be compromised and leaked when the defenses of organizations that you trust are compromised. If your passwords are stored with an organization who has been breached, you need to consider that password or any variation on it compromised forever. After a breach, that information is compiled in lists and distributed all over the dark side of the digital world, and information is forever.
In 2020, white hat hacking group FireEye identified a worldwide breach in the SolarWinds software. SolarWinds was a network management company with a global presence, and over 18,000 compromised clients were identified in the breach. FireEye noticed the breach quite by coincidence, but the systems had been compromised for more than a year.
This breach was later determined to be coordinated by the Russian Foreign Intelligence Service, and by leveraging the breached systems within SolarWinds for many months, they were likely able to access a significant portion of protected information across the entire global internet.
Read more about the breach from the US Government Accountability Office.
To limit your vulnerability to data breaches that are beyond your control, never use the same password on more than one account. If one of your accounts is compromised, the last thing you want is for that to just open the door to all your defenses. Changing your password frequently will help you stay ahead of any breaches that may happen.
Most importantly, don’t trust your password information to entities when you don’t have to. Always think critically about whether you really want to share sensitive information with organizations before you have a chance to regret it. Rather than having a device remember your sensitive passwords, store them offline whenever possible – an old-fashioned paper and pencil is about as unhackable as you can get.
Password Managers and Single Sign On
Password managers and single sign-on (SSO) can be a great way for people to securely protect their individual credentials without getting lost in the tangle of hundreds of secure and confusing passwords.
These tools crucially only work, however, if you use them securely. If you aren’t going to follow good security practices without a password manager, then putting all your credentials into one could just be shoving your eggs all in one basket for a scammer.
If you choose to use a password manager, make sure that you follow all recommended precautions and protect your credentials to that password manager. Make sure you are choosing a reputable and well-known password manager to use… the last thing you want is to try some brand new password manager, only to find that you’ve been had by a phishing attempt that now has all your passwords!
Hold the Line
Most of the time that digital defenses are infiltrated, it’s through the front door – a password. How secure can you expect your personal estate on the blockchain to be with a wimpy lock on the front gate? Even with the extra layers of security we’ve discussed throughout this series, such as private keys, and the precautions we’ll discuss moving forward (looking at you, 2-factor authentication!), if your passwords are penetrated the enemy is already inside your defenses.
The best way to make sure you stay entirely secure is to keep that gate locked tight.
Maintaining secure passwords and protecting them from the grips of the enemy prevents any part of your digital profile from being compromised. Even one account being breached represents a chink in your armor that could then give way to other vulnerabilities. Keep your defenses battle ready at all times and don’t let anything past your guard.
The Advance Guard
As we continue to advance through The Guardian Papers, it’s our hope here at Gala Games that we’re contributing a collection of resources for the community to reference and share, so that we can all power-up our defenses against those who would do us harm.
For our next installment, we’ll stick to fundamental security and discuss 2-factor authentication and multi-factor authentication. As this series progresses beyond this module, we’ll rotate to an increasing focus on issues that are incredibly relevant to not only the community here at Gala Games, but the entire cryptoculture as well.
It is our sincerest hope that this series not only empowers you to defend your sovereignty on the blockchain, but also inspires you to empower others throughout our beloved community.
Welcome back to The Guardian Papers, the series where we help bolster the security super sense of our community on GalaChain and beyond! Today we’re continuing our dive into the world of cons and villainy as we explore the methods that scammers use to deceive unwitting marks. Educate yourself on their methods, and soon you’ll be a defender of others rather than a target!
Scam Profile: Too Good to Be True
Hey there! Would you like to amass riches without any effort whatsoever?
If you answered yes to this question, you may be a human being!
Seriously, everyone wants this. This is what the scammers out there are counting on, and how they reliably reel in their prey.
Rather than exploring how scammers deceive you like last time, today we’re getting a bit more cerebral. We’re talking about the bait – the incentives that scammers will use to get you to throw aside caution and logic to dive head first into their trap.
If something seems too good to be true… it probably is.
Common Motivations
We’re living in a material world… and the vast majority of us are material people. That doesn’t mean we’re obsessed with our stuff or money hungry, but most people live in a state where an infusion of money could totally change their lives. Whether it’s an increase in living standards, a better life for our kids or simply a way out of debt, most humans have an amount of money that will reliably spur their motivation.
The amount of easy money that may light a fire under us may differ, but the important thing is that the scammers know there is likely an amount that will push caution and logic out of your head and replace it with dreams of escaping whatever financial situation you’re worried about or transforming your life for the better. This is exactly what they’re counting on.
Once they’ve got you dreaming about easy money, they can count on your critical thinking skills being less engaged. After that, all they have to do is keep you on the line and let you dream.
Preying on Need and Greed
We all have needs to survive. The scammers out there can capitalize on this to make you justify some degree of trust or risk. Sometimes, they get you in the door with only fairly unbelievable claims… the level where your curiosity is piqued, but your brow may still be furrowed.
We don’t know what your job-searching experience is… but from this article’s writer’s perspective, tech jobs paying competitive major-metropolitan salaries don’t just drop into cold calls without some major strings attached.
The wages given are very high for someone sliding in to mass announce job openings. That having been said, they are not high for competitive jobs within the industry for the very qualified. The intention is that your brain says it’s implausible… but not impossible. So you DM out of curiosity. Then they have a direct line to work on you hard.
At the point they get you into their DMs or on their site, there are any number of scams that they could attempt to run on you. The important thing is that they now have you where they want you, thinking about what that money could do for you.
Sometimes these types of scams run a little more flagrantly too good to be true. As the reward is cranked up however, our mind has a way of justifying a greater amount of perceived risk.
In the case of this DM (that I received four of at the exact same time from four different accounts 🙄) they’ve abandoned the idea of believability. Instead, they’ve employed several ‘hard sell’ techniques to make the target careless enough to slip up.
First, there’s the ludicrous amount of free money they’re offering. They temper this free thousands of dollars worth of ETH by having the target ranked third… leaving a quiet voice in the back of your head saying, “Surely if it was a scam they’d have put me in first.”
Then there’s the time sensitivity. You only have 24 hours to activate your code! Oh no! No time to hesitate!!! Your decision-making reactively goes into high-pressure mode, making quick decisions with less information than it normally would. Of course once you go to their site, you’ll be asked to connect your wallet to get your winnings. Then they have access, and you are drained.
Note the inconsistencies across the messaging. “You have been RANDOMLY selected among users of Crypto Discord Servers.” AND “If you don’t know what is crypto and how to use it – ignore this message”. But how can both those things be needed? Why would they send this to someone who didn’t know ‘what is crypto’ if they selected participants from among crypto communities only? 🤔
Think about that… selected from “Crypto Discord Servers”. That makes sense for an airdrop of some new token from a brand new ecosystem trying to get its name and token out there… but what would a trading platform have to gain by giving away so much to people who are NOT already part of their platform?
There’s no CTA to sign up. No email opt-in to enter. No marketing win for the company who fronted the prize… big red flag. At best, they’re getting 3 new users out of this ~13.9 ETH prize. That’s not how marketing budgets work.
Also, did you notice how seemingly random words were capitalized throughout the message? The capital words in the first section act as subconscious triggers for your brain, priming you to follow through on the scam. When you scan the text, your brain automatically considers the capitals more important. If you’re old enough to remember the classic tag cloud on websites, think of it as that… except it’s logging keywords with your brain instead of AOL Search and AskJeeves.
Scamming Human Nature
You may be reading this and nodding your head thinking, “This kind of stuff would never work on me!” You’re probably wrong. It can work on anybody.
The reason that scammers use these tactics is that they do work. Everybody has an instinctive reaction when presented with these kinds of stimuli. We are able to overcome them by informing ourselves, but the instinct is still there. That is what scammers exploit.
If you are informed, however, you usually cease to be a target. Notice how the last example above said to ignore the message if you didn’t know what crypto was? They don’t want difficult onboarding. They want people to slide through their trap easily with just a little butter. If you are a difficult mark, you are no longer worth their time.
Most people are familiar with the classic Nigerian Prince con… again, a ‘too good to be true’ type of scam. In this type of advance payment scam you’ll often see the scammer deliberately misspell words, punctuate awkwardly or more or less just fail to perform the language they are typing in. This is because they don’t want people who think too critically to respond.
If you overlook all those obvious errors and their inconsistency with the idea of wealthy, well-educated royalty… you’ll probably overlook other things. If you spot the signs right away, the sharks don’t smell blood in the water.
Guarding Through Community Education
The way to fight these scammers is to inform ourselves and those around us. These kinds of cons are not going away as long as there is a gullible audience for them to exploit. While it’s unlikely that we’ll ever be universally free of these types of predators, we can be free of them within our community with education, support and good practices.
That is, after all, what The Guardian Papers is all about. We all come from different backgrounds. Some of this may be little more than review for some members of our community, but there are others that this is all new for.
When it comes to scammers, we really are only as strong as our weakest link. As long as the villains find an easy mark within our ranks, they will be here. With every link strong and resistant against them, they’ll go elsewhere and find somewhere else to practice their evil art. That is the strength of community.
That’s all for us this week, and that will wrap up our second module of the Guardian Papers! We’ll circle back to the methodology of scammers again in a later article, but Module 2 was designed to give you a brief overview of who the villains are and what tools they use. Hopefully you have that context and it helps you in the battle against the forces of darkness.
Next time, we’ll be starting in on Module 3. In this part of the series, we’ll shift back to proactive security and talk in more detail about these mean streets. We’ll dive into the corners of the web3 world where you tend to encounter cyber criminals and talk about how to spot them in their natural habitats.
Until then, stay safe out there heroes! Keep your wits about you, and remember to share your knowledge with your friends… our community is our greatest tool to keep us safe!
Congratulations hero, you’re ready for the second module of The Guardian Papers. In our introductory lessons, we discussed the absolute bedrock fundamentals for safely navigating the web3 frontier. Now that you’ve mastered the basics, it’s time to move on to the basics of digital self-defense in specific circumstances.
If you feel like you need a refresher on any material covered in module 1, don’t hesitate to dive back in!
Prepare yourself to move on from simply scratching the surface. For module 2 we’re going to dive into the underbelly of digital villainy in the web3 world, and talk about some of the most common ways that the good people of the blockchain world are preyed upon.
To protect yourself, you must first understand the danger.
Scam Profile: The Impersonator
Imagine, noble citizen of the web3 world–
You’re minding your own business, heading over to GalaSwap to make a few small trades and maximize your May Mayhem experience.
You click a handy link off Discord to gaIaswap.gala.com. It loads a little slowly and the layout looks to have changed very slightly… must’ve been an update. For some reason you aren’t logged in… that’s weird, you were just a little while ago. But that can be easily fixed! Then you notice something weird after you put in your transfer code… you can’t see your balances or accept any swaps!
Suddenly panicking, you switch over to a new tab and open your inventory… oh no! Your wallet is drained! Looking back at that link… an upper-case ‘i’ sure looks a lot like a lowercase ‘L’ 😭
You’ve just fallen victim to an impersonator scam. This one may have been elegantly simple, but they come in all shapes and sizes. Even a small scam can mean total damage.
Did we even have to change the L to an i though? A link can be anything; the text that you see is just an anchor that the real URL is tied to. Case in point – where do you think this leads? Gala.com (I promise that L is not an i!)
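The three tricks in this series – the capital I standing in for a lowercase L in gaIaswap.gala.com, the Cyrillic letter hiding in “MҽtaMask” from the email post, and anchor text that names one site while the real URL goes to another – can all be caught with the same mechanical check. The script below is an added example for these posts, not Gala’s code: it folds visually similar glyphs to one form and compares the result against a small, constructed allowlist of domains the reader actually trusts (KNOWN_GOOD and the fold table are our assumptions, and the table is deliberately tiny compared with the full Unicode confusables list), reports hostnames that mix scripts, and flags visible text that disagrees with the link target.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small fold table covering only the tricks discussed in the posts.
# Unicode publishes a much larger confusables list for real deployments.
CONFUSABLES = {
    "\u04bd": "e",  # CYRILLIC SMALL LETTER ABKHASIAN CHE, the "MҽtaMask" trick
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "I": "l",       # capital i drawn like lowercase L, the "gaIaswap" trick
    "1": "l",
    "0": "o",
}

# Assumed allowlist of domains the reader uses (constructed for this example).
KNOWN_GOOD = {"gala.com", "galaswap.gala.com", "metamask.io"}


def host_of(url_or_text: str) -> str:
    """Hostname as typed, case preserved so a capital I survives for folding."""
    t = url_or_text.strip()
    if "://" not in t:
        t = "http://" + t
    netloc = urlsplit(t).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0].rstrip(".")
    return host if "." in host else ""


def skeleton(text: str) -> str:
    """Fold visually similar glyphs to one canonical form, then lowercase."""
    folded = [CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text)]
    return "".join(folded).lower()


def scripts_of(text: str) -> set:
    """Unicode scripts used by the letters of text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def punycode(host: str):
    """What the browser really sends for a non-ASCII host, or None if it cannot be encoded."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def check_link(visible_text: str, href: str, known_good=KNOWN_GOOD) -> list:
    """Return a list of findings; an empty list means nothing suspicious was detected."""
    findings = []
    target = host_of(href)
    shown = host_of(visible_text)
    # 1. Anchor text that names one domain while the href goes to another.
    if shown and target and shown.lower() != target.lower():
        findings.append(f"text names {shown.lower()} but link goes to {target.lower()}")
    # 2. Lookalike of a trusted domain, detected after folding confusable glyphs.
    if target.lower() not in known_good:
        for good in sorted(known_good):
            if skeleton(target) == skeleton(good):
                findings.append(f"lookalike of {good}")
                break
    # 3. Letters from more than one script inside a single hostname.
    if len(scripts_of(target)) > 1:
        findings.append("mixed-script hostname")
    return findings


if __name__ == "__main__":
    samples = [  # constructed (text, href) pairs mirroring the posts' examples
        ("gaIaswap.gala.com", "https://gaIaswap.gala.com/"),
        ("MҽtaMask", "https://MҽtaMask.io/update"),
        ("Gala.com", "https://evil.example/login"),
        ("Gala.com", "https://gala.com"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'ok'}  "
              f"(wire form: {punycode(host_of(href))})")
```

The order of the checks matters: a legitimate address that merely differs in letter case passes the allowlist comparison before any folding happens, so the I-to-l fold only fires on hosts that are not already known, which keeps false positives down.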
This con relies on the scammer earning enough of your trust that you give them sensitive information before thinking twice. These types of scams get easier to recognize and rebuff as you become more experienced in the web3 world. They can also, however, almost always be prevented by maintaining normal security standards, no matter the situation.
The Personal Touch
We’re all humans and that means we’re instinctively social creatures. When a scammer is trying to gain your trust, they have two options. They can either set up an impersonal trap like we mentioned above, or they can reach out more directly to their victims. A wide-reaching trap may catch a few marks for them, but many scammers will target individuals knowing that it’s a faster way to generate the trust needed for the con to work.
Sometimes, even a simple misspelling or low effort fake name may be enough to trick someone.
In this example, someone in a hurry may not even notice that extra s before reaching out to their friendly, neighborhood Taco!
Since this scammer has Taco’s exact PFP, they are counting on the trust that people associate with that image making them let down their guard enough to get sensitive information.
Someone only has to trust the scammer for a few minutes to make a horrible mistake!
We all know to look out for scammers… and we’d all like to think that we’re far too observant for it EVER to happen to us. But it still happens.
Just because someone is a scammer doesn’t mean they’re incompetent. They know what works and how often… after that it’s just a numbers game until we all wise up to their tactics.
Here’s one we’ve all likely seen before, but they’re almost always targeted at someone who needs help and isn’t aware of what proper steps to take next.
When we want help, we want to be helped. The scammers are counting on this. When you can’t figure out what to do to fix a problem, frustration will start to build. A good scammer sees how long you’ve been looking for answers, and understands how frustrated you must be getting with the situation.
After that, it’s just a matter of providing you what you want to see in that moment – someone offering a simple and quick solution. This is the kind of situation that arguably traps the most victims for the web3 bandits.
Humans tend to see what we want to see to some degree, particularly at elevated levels of stress. If you’ve ever fallen for these types of scams, you shouldn’t feel ashamed. Many scammers out there are very good at what they do… which is why we all have to know more so we can fight back better.
This particular scammer seems to have found the ideal mark… the victim announced that they are having trouble sending $GALA and that there’s a problem with their wallet connection.
These are easy pickings for a scammer. Often when they are initiating the conversation, they’ll be attempting to extract very sensitive information, like your seed phrase or transfer code. Since they know this person is having trouble connecting a wallet and sending $GALA, the bad guy wouldn’t have to gain full control over the wallet to make a buck off the poor mark. Once they can grab you in DMs, they’ll start “tech support” on it, which will often end with you either sending $GALA to their address or linking your wallet to their dApp surprisingly quickly.
The key here is trust. Once someone has your trust, they can usually make you compromise one security measure or another using some tried and tested methods.
The phrase “con man” or “con artist” comes from “confidence man.” These are criminals that have always existed, though the term first came to prominence in the mid-19th century. Even back then, everyone understood that confidence alone can often be enough to win trust. These scammers sound convincing, because that’s their profession… to be confident and gain your trust.
Here we’ve got a closer look at the profile of one scammer on the prowl. They call themself a dev in their name. Well that settles that!
Notice that “Discord Owner” is in the profile description box, meaning they wrote it in themselves. Since you see it before the “Role” section when you scroll down, however, your mind can easily just associate that name with “Discord Owner” and then Admin and Mod underneath!
They have used emojis in the about me section to make their “Admin” and “Mod” text look more official, as if that were a standard tag to denote role.
As usual, it’s all very convincing until you get down to the stuff you can’t fake. This person has been a server member for a very short time… how likely is it that they are the server owner?
Finally, we come to their role and see a simple member role. Since this info is below the lies above… will a person be more likely to disregard the information they see first or second?
When taken in isolation like this, many of these tactics seem so obvious. A scammer doesn’t have to succeed every time to make off like a bandit though. During the hustle of everyday life, there’s surely a moment or two when you let your guard down. That’s payday for the scammers.
This scammer rolls a lot of the concepts we’ve discussed into one effort. Their name isn’t an obvious impersonation, but they’ve included the hexadecimal ETH prefix for a small air of authority.
They see that the victim is having trouble connecting a wallet. As we discussed above, this is a prime moment for these predators to strike.
Realistically, this scammer knows that this user is likely trying to connect the wrong address… time won’t help.
At first, the scammer is just helpful. They don’t try to immediately push too hard, even mentioning that it may just need more time.
After being given a moment to consider the helpful stranger’s advice, the mark comes straight back to the scammer and asks for their help directly. Here again, we see the scammer build trust… they don’t immediately jump on the opportunity to strike but instead tell them they should talk to an admin.
When an admin, who was never actually tagged, fails to respond after a few minutes, the scammer is quick to jump in and mention that they’ll send the mark the right way if they’d only DM them. Once the victim has reached out via DM, they’ll likely be sent a link to another user… the impersonator admin. They could also be sent a fake help desk link as we’ve seen above.
We have to stress again… absolutely anyone can fall victim to these kinds of tactics!!! People have used these kinds of cons for generations because they work! The best way to make sure that they don’t work on you is to learn about them and know better.
Did You Know? Victor Lustig famously sold the Eiffel Tower to scrap dealers in 1925… despite not being affiliated with the French Government. Later, he pulled off the exact same swindle a second time. Don’t ever think you’re immune to a good scammer!
Staying Safe and Secure
We’re being a bit drastic because this is a serious issue. Realistically, are there scammers everywhere throughout the web3 world and you should just be suspicious of everyone all the time?
No. That’s not how this goes at all. Scammers are a part of life… wherever there is opportunity for them to make a buck at someone else’s expense, there they’ll be. Once you learn how they exploit people’s trust, however, their methods are much less likely to work on you.
It’s not just about protecting yourself though. These scammers continue to escalate and find new ways to trick unsuspecting people because there ARE people who are unsuspecting. No one should spend their entire existence paranoid that a scammer is coming to get them, but someone without any of the knowledge that we’ve discussed here probably should until they learn what they need to protect themselves.
When everyone knows how these people operate, they cease to operate. Scammers abound in web3 right now because people are not informed. New technology doesn’t only bring new opportunities for the world to culturally, economically and socially advance… it always brings an all-you-can-eat feast to those willing to prey on the uninformed.
Guarding Yourself and Your Community
Education is the answer. There are so many assumptions people have become accustomed to making in the web2 world, where we surrender our trust to corporations in digital spaces.
In the web3 world, you maintain control over your own digital footprint. That responsibility means there’s no corporate office keeping you safe anymore… To some degree, everyone needs to be responsible for themselves and know what they are doing and why.
This is not cause to bemoan that the digital villains will always be around… this is a time to celebrate! All we have to do to get rid of this web3 riffraff is empower each other with knowledge and the tools to protect ourselves. Do your own research (more on that in a future edition!) and share what you learn with your community.
Community is important. Have people you can turn to and ask for a second opinion. Have people who will watch your back and share important information and knowledge. Have a community you trust… without having to trust some faceless corporation with ownership of all your stuff.
Imagine losing the keys to your house… in a world with all unbreakable windows where locksmiths do not exist. This is what’s at stake when we talk about private keys, one of the most important tools in the web3 world.
Welcome to the second edition of The Guardian Papers, the series in which we’re taking you through some of the most important security issues in blockchain, one by one. The future of decentralization can create opportunities for bad people as well as good ones; that’s the nature of empowerment.
We’re here to not only empower our community, but also to help equip everyone with the skills and knowledge they need to protect themselves.
What Are Keys?
Keys grant you access to your assets or information on a blockchain. Just like a password, you can use your private key to access your holdings in a wallet address, but the security of a key far exceeds the security of a typical password. Passwords can be hurdles to the villains that stalk the shadows of the digital world, but cracking or brute forcing a private key is a hurdle too high for anyone to jump.
There are typically two types of keys associated with any blockchain address. A private key is your personal proof of ownership and should not be shared with anyone. This private key is known only to you, and due to blockchain’s decentralized nature your private key is how you prove to the network that the assets held at that address are actually yours. This itself prevents many of the methods that the bad guys will employ to prey on individuals in less sophisticated digital spaces.
A public key is the one that your wallet will share while transacting. Your public key is actually derived from your private key through complex mathematical calculations, but due to the high level of encryption, the process can’t be reverse engineered. This means that your public and private keys are matched pairs – one is your visible footprint on the blockchain while one is your personal access code.
DID YOU KNOW?
Though not every blockchain uses the same names for them, most use some form of private and public keys.
On the Ethereum network, your wallet address actually represents the last 20 bytes of your public key. It is expressed in hexadecimal – indicated by the “0x” at the beginning of the address. Since each byte is represented by two hexadecimal digits, a full address is 42 characters long (“0x” plus 20 × 2 hex digits).
Your GalaChain address is also expressed in hexadecimal characters. It consists of 24 digits with the prefix “client|”, and can double as a unique user ID for the Gala platform.
On GalaChain, the ability to transact through the Gala platform or dApps built on chain simplifies the day to day use of your keys. Your public and private keys still control access to your on-chain items, however.
There are many independently functioning blockchains and not everything here will always be true for all of them. This is intended to be general information about how keys typically work on a blockchain, but you should always do further research to understand the specifics of any blockchain you use.
How Keys Protect Your Assets
In blockchains that use both a public and private key, asymmetric cryptography is employed to ensure that assets remain protected for a private key holder. This keeps security high even though transaction data and the public key are readily available as public information on chain.
GalaChain operates on asymmetric cryptography, just like many other chains. While your public key is used to sign transactions, your private key always stays exactly that – private.
First, your private key generates a public key with encryption software to complete the pair when you first set up your wallet. Your public key then secures data as it interacts with the blockchain so that it can only be decrypted using the private key that it pairs to. Your wallet safely stores your private key, which now is the only key that can give anyone access to your assets.
There are many nuances and exceptions to the way asymmetric cryptography works on blockchains, and there are even some chains out there that run entirely on symmetric encryption. Understanding how private keys and public keys interact and relate to each other, however, is the first step in keeping control over your crypto treasures.
It’s All In the Name
One of the key components of blockchains is transparency and history. Transaction information and data is readily available and stored within the chain itself, thus making ownership of your assets fully provable. While your public key will be visible on the network and identify your address to the chain, your private key needs to stay just that – private!
Your private key should never be shared with anyone! This private key is designed to be stored within a wallet and should stay in one. Your private key can be imported to apps and extensions like MetaMask, but make sure that you 100% trust the encryption and integrity of anywhere you are sending your private key.
If someone has that key, they then suddenly own your entire digital hoard. While your private key may be able to be recovered with a seed phrase or recovery phrase, nothing can be done to prevent anyone who gains this key from immediately accessing your wallet. This cannot be restated enough times: Any individual asking for your private key is up to no good!
DID YOU KNOW?
A wallet doesn’t actually store your currency, but rather stores and controls access to the keys that can access the address the currency is stored at.
This means offline solutions like hardware wallets store your private keys in a secure environment, not accessible remotely.
When your private key is secure in a wallet, it signs transactions without being exposed to the network, because your public key recognizes its other half. Though we use alphanumeric characters to express a private key, it’s in fact a seemingly random number hundreds of digits long – the type of math we mere mortals rely on to keep your defenses impenetrable. Reverse engineering a private key from a public key is beyond the technology of even a real-life supervillain.
Control Your Lock and Your Key
The revolution that blockchain technology represents is all about sovereignty over personal property without barriers in between you and your assets. Maintaining control over your assets opens countless new possibilities, but that comes with responsibility.
Blockchains give you sophisticated tools to protect your assets, but in the end it all comes down to you. Maintaining a thorough security infrastructure on any device that your wallet is connected to will ensure that the lock on your vault is essentially impenetrable… but any lock is easy to penetrate if you hand over the key.
Your private keys are yours and yours alone. They should never be shared with others or transmitted digitally, and should preferably be stored offline whenever possible. Your keys are direct access to your treasures, so that’s what the enemies of digital sovereignty will come after… but you’re not alone in this fight.
As long as there are easy victories to be had in our community for the bad guys, they’ll be hungry for more. Only by educating and empowering everyone within the blockchain world to protect their private keys can we shut out the brigands who seek to cheat their way through this digital frontier.
The First and Last Guard
We’ve already covered a lot of ground in The Guardian Papers on how to keep yourself secure in the decentralized world, and our next installment will take us even further as we explore how 2-Factor Authentication is crucial to healthy defenses.
In the world of Web3, you are the first and last guardian of your assets. This may sound overwhelming, but that is the cost of the power of controlling and owning assets without the interference of a larger organization. You have the tools at your fingertips to easily maintain defenses that can’t be matched in the pre-Web3 world.
Here at Gala, we believe that empowering the players is about more than just ownership. It represents a responsibility to educate and arm the community with the knowledge they need to protect their control over their assets. As a community, the responsibility to spread wisdom that could help any member protect themselves is carried by all of us… until none of us are threatened.
Our security on chain may be strong, but we are always infinitely stronger together.