On January 22, 2024, according to monitoring by Beosin's EagleEye security risk monitoring, early warning and blocking platform, a major crypto player suffered a phishing attack, resulting in 4.2 million The key point of loss is the Permit signature that we often refer to.

Beosin and blockchain security researchers earlier Spinach jointly researched and published "Is Your Signature Stolen?" If you have used Uniswap, please be careful! "Secret Permit2 Signature Phishing" security research article, the article describes in detail how attackers use the permit2 function to launch phishing attacks on users,The attack principle used in this incident is the same as the permit2 described in the article The attack methods are basically the same, except that permit is targeted at erc20 contracts that support this function, while permit2 can be targeted at all erc20 contracts.

In this article, let’s take a look at what attackers generally use to trick users into signing fraudulent information, as well as some security prevention techniques. .

What is Permit signature phishing?

Permit signature is a specific digital signature mechanism used to simplify authorization operations in certain situations. It is a secure verification method based on blockchain technology and cryptography principles.

In traditional digital signatures, the signer needs to have a private key to sign specific data, and transmit the signed data together with the public key to Verifier. The verifier uses the corresponding public key to verify the validity of the signature.

Permit signatures, however, take a different approach. It allows the holder to grant access to specific operations to others by signing a special authorization message without directly transmitting the private key to the licensee.

Permit signature phishing takes advantage of users' lack of careful verification or understanding of authorized operations to obtain unauthorized permissions or sensitive information. This attack exploits users' trust in the authorization process or signature mechanism and deceives users into generating forged authorization operations or signature requests.

What Permit signature phishing attacks do hackers usually use?

Forged authorization request:

Attack An attacker may create a legitimate-looking authorization request to deceive the user's trust. This may involve fake apps or websites that ask users to provide their authorization or signature to perform an action.

Misleading user operations:

An attacker may deceive Users make mistakes to carry out attacks. For example, they might create a button that appears harmless but actually triggers an authorized action without the user's approval.

Fake authorization page:

An attacker may forge A page similar to the normal authorization page to lure users to perform authorization operations. These pages are often designed to look almost identical to normal authorization pages to trick users into believing they are interacting with a legitimate app or service.

Social Engineering:

An attacker may use social engineering Techniques, such as sending phishing emails, text messages or social media messages, to guide users to click on malicious links or enter fake authorization pages.

How to protect yourself safely?

Considering some phishing attacks with Permit signatures, researcher Spinach has previously given us some effective prevention methods:

1 Understand and identify the signature content:

Permit signature format usually includes Owner, Spender , value, nonce and deadline are the key formats. If you want to enjoy the convenience and low cost brought by Permit, you must learn to recognize this signature format. (Downloading security plug-ins is a good choice)

We recommend the following Beosin Alert anti-phishing plug-in to all readers and friends, which can identify most phishing websites in the Web3 field and protect the security of everyone's wallets and assets.

Anti-phishing plug-in download:

https://chrome.google.com/webstore/detail/beosin-alert/lgbhcpagiobjacpmcgckfgodjeogceji?hl=en

2 Use separate asset wallets and interactive wallets:

If you have a large amount of assets, it is recommended that the assets be placed in a cold wallet and a small amount of funds be placed in the wallet that interacts with the chain, which can greatly reduce losses when encountering phishing scams.

3 Identify the nature of the token and whether it supports the permit function:

In the future, more and more ERC20 tokens may use this extension protocol to implement the permit function. You need to pay attention to whether the token you hold supports this function. If it does, then for the transaction or manipulation of the token Be extra careful and strictly check whether each unknown signature is a signature of the permit function.

4 If there are still tokens stored on other platforms after being defrauded, a complete rescue plan needs to be formulated:

When you find that you have been defrauded and the tokens have been transferred out by hackers, but you still have tokens stored on other platforms through staking, etc., you need to withdraw them and transfer them to a safe address. , then you need to know that the hacker may be monitoring the token balance of your address at all times, because he has your signature. As long as tokens appear on your stolen address, the hacker can transfer them directly. At this time, a complete token rescue process needs to be developed. The two processes of withdrawing tokens and transferring tokens need to be executed together, and hacker transactions cannot be inserted into them. MEV transfer can be used, which requires some blockchain knowledge and code. If you have basic skills, you can also find a professional security company such as the Beosin team to use transaction front-running scripts to achieve it.