If you’ve been around the cryptocurrency sphere for awhile now, you might’ve heard of the Solana SOL token. It’s value has been on the rise recently, with the SOL token having climbed over 15,000% in this year alone. This means that more and more people are looking at getting into Solana. However, this has also led to it being used in many phishing scam.
A recent post from the r/solana subreddit highlights the rising trend of Solana-related scams, where users looking to use the Phantom wallet—the most popular wallet for storing SOL tokens—inadvertently uses or downloads a fake wallet link which will then take your tokens. Following this, the firm Check Point Research did some more digging and found out that a bunch of these campaigns worked via search engine ads.
For instance, if you were to look up Phantom on Google with the intention of creating a new wallet, you may get suggested links for phishing sites made to look like the official Phantom website, typically by having one or two letters changed in the domain. These would get placed above the actual Phantom website by Google thanks to scammers using Google ad campaigns targeting those who search up Phantom.
Once a user unwittingly clicks the ad, they would see a website designed very similarly to the official Phantom wallet site, complete with an option to create a new wallet. Doing so leads to a page asking for users to remember a ‘secret recovery phrase’ for security reasons, but it’s not actually for their own wallet. Instead, it’s the recovery phrase for the scammer’s own wallet. The phishing site then proceeds to ask the user for their password too.
Upon completion of the sign up process on the fake Phantom website, it redirects the user to the real Phantom website, which asks you to add the Phantom extension to your Google Chrome browser for easy access and transfer. However, because their sign up process was done on a fake Phantom website, you’ll essentially be transferring your cryptocurrency into the scammer’s wallet.
Unfortunately, this has also been going on with the MetaMask, a popular wallet for Ethereum. Similar to the modus operandi for the Phantom scam, attacks will create a Google Ads campaign targeting those searching for MetaMask, and place their own fake website above the official website in the Google results. Here, the scammer will try to steal the user’s personal key to hijack their MetaMask wallet. Check Point have also created a video showing more examples of hackers using Google Ads campaigns to target cryptocurrency users.
Check Point advises users, especially cryptocurrency novices to be careful when creating or accessing their wallets. They note that only the extension would create your special passphrase, and so you should always check the browser URL for both an extension icon and the chrome-extension prefix:
It should also be noted that the responsibility shouldn’t just lie with the victim. One question that needs to be asked is how did these ads get approved by Google in the first place? Taking a look at Google’s own support page for the ad review process, once an ad is campaign is created with Google, the ad is processed automatically and within a day will either be approved or disapproved. This isn’t the first time they’ve allowed such crypto scams to appear on their platform either, as Steve Wozniak had previously sued YouTube and Google after allowing videos that used his likeness to promote scam cryptocurrencies.
That being said, such ads are of course against Google’s advertising policies. Among the prohibited practices in their policies include abusing the ad network to promote content that contains malware and ‘cloaking’, which is to hide the true destination of where their going to. In this case, its clear that the ads were cloaking, as they pretended to be the Phantom wallets to dupe unsuspecting victims. Google in this case needs to look at their own ad review process and see how such ads were approved before more users fall victim to this scam.
Of course, this would not be the first time hackers have used ad campaigns online to target unsuspecting users either. Facebook for example has long been used by scammers to promote fake news articles and ads where prominent people are featured, with claims that they’re now promoting a new cryptocurrency or something similar. Again, it seems that the social media platform was happy to accept payment from these scammers to boost the reach of their fake news, even at the risk of Facebook users.
As such, Malaysians are again advised to never click on these links and to always check your links and apps before giving away such crucial information. You can never be too careful, especially when dealing with your valuable materials.