N.B.: This post is not for those who are already experts in recognising spoofing & phishing attacks.
This morning I received an email, apparently from Stellar, informing me that a new reward pool called the Stellar Community Staking Marathon had been implemented on the Stellar ledger in addition to the current 1% inflation payouts. Users now had the option to claim 25% more Lumens based on their account balances.
All the details were there in their blog.
A 25% reward in a month on my total holding is huge for me, so I got very excited about it. And boy, it took me about two hours to realise that this was a scammer. It was really hard for me to detect.
Fortunately, I know that a lot of people keep trying to scam Stellar hodlers, as I used to receive several such phishing emails inviting me to avail of their "new" airdrop. I had made sure all of them ended up in my spam folder, so this email was the first I received this year. And it looked very legit.
It looked so legit that it was very difficult to spot anything malicious from my mobile. But a 25% reward sounded too good to be true, so I went to my laptop to dig in further.
I checked their official blog and website, searched Google, and went to CoinMarketCap to re-check the official domain for Stellar, but I couldn't spot anything suspicious.
However, two things still concerned me: first, the 25% reward itself, and second, the time pressure, as it was supposedly available only for a 30-day period starting 25th June. And if that were so, why hadn't I been informed earlier?
So this became an interesting puzzle for me to solve.
Although it took about two hours of my time, I was ultimately able to verify that it's not legit. Of course, it shouldn't have taken me that long, but I was too overwhelmed by the offer itself. Here are some of the screenshots to walk you through my findings.
--> Check the address bar of this blog and verify if it is stellar.org.
Yes it is!
--> Check if there is padlock sign on the left of the domain address.
Yes it's there! So the website is secure!
--> Check the content of the blog.
It has all the past posts from the official blog (all 6 pages), and this one is the latest post.
So why suspect it of being something malicious?
Let's open the blog post to see if the link leads to some other domain:
No it doesn't. It opens on the same official domain.
So it must be legit.
Okay, I decided that I'd stake with my Keybase wallet so that it would be safe.
But before that, I checked the Stellar Account Viewer page:
Oops, what's this https://accountviewer.xn--stelar-6db.org domain where I need to sign in?!
So there it is! You caught it!!!
I typed in the official domain https://accountviewer.stellar.org/ and found this legit pop-up:
So it was verified that the offer was not legit and was a phishing scam.
But the question is why it took me so much time to spot it. Why couldn't I do it on my mobile browser?
Well, it seems it depends on which mobile browser you are using.
When I checked it on Opera, I didn't find any way to verify this. But when I checked in Chrome, I first saw this:
But on tapping the address bar (when you do for editing it), I saw this:
You can easily spot the difference in the address bar between the two screenshots above.
Hiding the actual domain name behind a legit-looking one is done using a Unicode trick: the lookalike is an internationalised domain name (IDN). What goes into DNS is the ASCII "punycode" form starting with xn-- (here xn--stelar-6db.org), but a browser may display its Unicode form instead, which uses a letter that merely looks like the one in the real name. For more explanation, please go through this article on The Guardian. It explains why some browsers display the Unicode form while others show the raw punycode.
So the best practice to be safe in such cases is to type in the domain name yourself (even if the link appears to show exactly the same letters). That sidesteps the Unicode problem and saves you from scammers. Note also that the padlock only tells you the connection to that domain is encrypted; anyone who registers a lookalike domain can obtain a certificate for it, so the padlock says nothing about who is behind the site.
I know most of you already knew this. But at times we get lazy and want to take the shortcut, the convenient route of clicking links. But beware: at times a little convenience comes at a huge cost!
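As an added example (not part of the original post, and not code from Stellar), here is a small Python check that does what the advice above does by hand: it converts a link's hostname to the ASCII form that actually goes into DNS, decodes any xn-- labels back to the Unicode form a browser may display, lists exactly which non-ASCII letters were swapped in, and only trusts the link when the DNS name is one you would type yourself. The allowlist of Stellar hostnames and the sample URLs are constructed for illustration. Run on the domain from this post, it decodes xn--stelar-6db to stelłar, i.e. "stellar" with the second l replaced by ł (U+0142, LATIN SMALL LETTER L WITH STROKE).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist for this example: the hostnames you would type by hand.
EXPECTED_HOSTS = {"stellar.org", "www.stellar.org", "accountviewer.stellar.org"}


def to_ascii_host(host: str) -> str:
    """The ASCII (IDNA/punycode) form of a hostname: what is actually sent to DNS.
    Already-ASCII labels, including ones starting with xn--, pass through unchanged."""
    return host.encode("idna").decode("ascii")


def to_unicode_host(host: str) -> str:
    """The reverse: decode xn-- labels to the Unicode form a browser may display."""
    return host.encode("ascii").decode("idna")


def non_ascii_chars(text: str) -> list:
    """(char, code point, Unicode name) for every non-ASCII character,
    so a reviewer can see precisely which letter was substituted."""
    return [(c, "U+%04X" % ord(c), unicodedata.name(c, "UNKNOWN"))
            for c in text if ord(c) > 0x7F]


def check_url(url: str, expected_hosts=EXPECTED_HOSTS) -> dict:
    """Classify a URL as 'ok', 'punycode-lookalike' or 'unknown-host'.

    Trust is decided on the DNS (ASCII) hostname only. A hostname whose
    displayed form differs from its DNS form contains IDN labels and, if it is
    not on the allowlist, is flagged as a lookalike."""
    host = (urlsplit(url).hostname or "").lower()
    dns_host = to_ascii_host(host)            # canonical form used for lookup
    shown_host = to_unicode_host(dns_host)    # what the address bar may show
    result = {
        "dns_host": dns_host,
        "displayed_host": shown_host,
        "swapped": non_ascii_chars(shown_host),
    }
    if dns_host in expected_hosts:
        result["verdict"] = "ok"
    elif dns_host != shown_host:
        result["verdict"] = "punycode-lookalike"
    else:
        result["verdict"] = "unknown-host"
    return result


if __name__ == "__main__":
    # Sample links (constructed): the real viewer, the lookalike from the post
    # (given both as punycode and as the Unicode a browser might render), and
    # a plain-ASCII impostor that no Unicode trick is needed for.
    for link in (
        "https://accountviewer.stellar.org/",
        "https://accountviewer.xn--stelar-6db.org",
        "https://accountviewer.stel\u0142ar.org/",
        "https://accountviewer.stellar.org.example.net/",
    ):
        r = check_url(link)
        print(f"{r['verdict']:18} dns={r['dns_host']}  shown={r['displayed_host']}")
        for ch, cp, name in r["swapped"]:
            print(f"{'':18} swapped letter {ch!r} {cp} {name}")
```

The check deliberately compares the ASCII DNS name rather than the displayed one: the Unicode form is what fooled the eye on mobile, and no amount of "looks the same" comparison will catch a well-chosen substitute, whereas the xn-- form can only match an allowlist entry if it really is that domain.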
I've reported this domain, viz. xn--stelar-6db.org, to CryptoScamDB (reference no. c04c0090-b7c8-11ea-82c5-af0d1559ca61).