Hackers target Friend.tech users with cunning verification scam
Users of Friend.tech — a decentralized social network — have recently been targeted by numerous hacker attacks.
Jason Janowitz — founder of crypto news outlet Blockworks — described in an Oct. 8 tweet how someone tried to hijack his Friend.tech account.
At first he received a message that posed as coming from Friend.tech’s automated assistance, pretending that the number associated with the account was being changed.
“A number change has been requested for this account. Reply with YES to appprove this change, or NO to decline. If we do not receive a response within 2 hours, the change will proceed as requested.”
The message is meant to cause someone to believe that a bad actor is trying to access his account and that he can prevent access by answering “no” to the message. What should make victims suspicious is that such a system is rather unlikely to automatically approve changes to the account if the user does not confirm the request.
After Janowitz answered “no” to the message, the hackers attempted to gain access to his account by requesting a two-factor authentication code as confirmation for the refusal to change the number. This message was then followed by a verification code sent to the user’s cellphone number after being requested by the hackers.
Someone is trying to hack my @friendtech
1) Text sent saying they’re changing my number
2) I respond no
3) They say to confirm no, send the verification code
4) Receive actual verification code from friend tech
5) After no response, they text again saying they’ll auto… pic.twitter.com/j76vI969jP
— Yano 🟪 (@JasonYanowitz) October 8, 2023
The logic behind Friend.tech asking for confirmation via a text message (to verify you can receive their texts) is flawed, as you wouldn’t be able to read their message in the first place if you didn’t have access to those texts.
Still, it is entirely plausible that a user scared that his account is about to be compromised could act impulsively and fall for the scam, Janowitz claimed.
“Simple but effective method. Sharing here so others don’t fall for it.”
Janowitz’s tweet comes after recent reports that scammers have stolen over $385,000 in Ether from Friend.tech users through SIM-swapping.
You might also like: What is Friend.tech, social platform earning over $1m in fees
SIM-swapping, also known as SIM hijacking, is a type of account takeover where hackers are able to transfer the victim’s phone number to a SIM card controlled by the attackers. Once they have your number, they can often reset account passwords and bypass two-factor authentication.
On Oct. 5, Friend.tech announced new account security features to help users protect themselves, including the ability to add and remove login methods. This followed user complaints that the platform’s 2FA passcode feature had inadvertently locked people out when their phone numbers were swapped.
According to blockchain investigator ZachXBT, a number of SIM-swap attacks targeting Friend.tech users occurred on Oct. 4. Victims reported having their accounts compromised even after taking precautions like enabling two-factor authentication.
While hackers continue to refine their techniques, experts advise all Friend.tech users to be vigilant about enabling extra login protections and not trusting unsolicited requests to share verification codes.