[Discussion] Protecting future customers


#1

Everyone has seen many attempts to scam ETH/BTC users into logging in at phishing websites.
The idea is very simple: protect ZEN customers by registering at least the most obvious myzenwallet.io domain variations. I understand this is not our job as a community to protect stupidity, but in current market conditions I believe that's an extremely good practice. Domains cost about $5 on average, and with just 20-40 we could protect many thousands of less tech-proficient users.
This is the most obvious scam we could easily mitigate, and I believe there are others too.


#2

I like the sound of this, and it would help to promote how ZEN is working to keep users safe at our meetups - security, how to avoid hacking/phishing attempts, scams and best practices are the topic of the next series of events we will be holding over the next 1-3 months… Keep me posted on this please 🙂


#3

Bumping this since, with all the FOMO, we now have many more users like that. If we are going to do it, we need to do it now. I would like to hear anyone's opinion.


#4

Good suggestion @ajesetave, we will take that into consideration. I agree with you, at least grab the most obvious ones.


#5

Working on a short list, using https://etherscamdb.info/scams/24/ as a source. There are 2350 in total, the most dangerous being "morphs" with similar-looking symbols, for example: zen -> zen, wallet -> wallet are two different words; e -> ë (gets substituted for e in Slack and a few other messaging platforms), a -> á.
Another angle is to think about the domain name: myzenwallet.io -> possible vectors of attack are: e to e or ë, a to á, w to vv, l to I or T, m to nn or n, n to m, t to l. There are other symbols that for some reason scammers do not appear to be using; I don't know the domain registration rules, perhaps it's not possible to register any other derivatives.
The second vector of attack is the same derivatives on different country-level domains (.com, .ru, .de, .cn etc.), which is less scary compared to myetherwallet's .com since .io implies by default something new.
So to register those alone we'd want 17 domains to fix "blinding" copies with a's and e's, and 1300 total for the less obvious ones, which is probably overkill.

At this point I'm trying to think of a short URL which will be hard to fake in the first place. It should avoid containing a's, e's, l's and all the other fakeable letters.
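The substitution vectors listed in post #5, turned into a small generator and checker, as an added example (Python written for this edit, not code from the thread or from the ZEN project). The letter substitution table is the one the post lists; the "skeleton" folds used for detection, the edit-distance threshold of 1, the IDNA step and the list of other TLDs are assumptions made here. It enumerates the lookalikes a defender might register or watch for, prints the punycode form the registrar actually sees, and flags a candidate domain that reads as myzenwallet.io.

```python
"""Enumerate lookalikes of myzenwallet.io and flag candidates that read as it.

Added example, not from the thread. The substitution table is the one given in
post #5; the skeleton folds, distance threshold and TLD list are assumptions.
"""
import unicodedata
from itertools import combinations, product

LEGIT = "myzenwallet.io"

# Letter -> lookalikes, as listed in post #5 (plus 'rn' for m, a common one).
SUBS = {
    "e": ["ë", "é"],
    "a": ["á", "à"],
    "w": ["vv"],
    "l": ["I", "1"],
    "m": ["nn", "rn"],
    "n": ["m"],
    "t": ["l"],
}
# Assumed list of other TLDs worth checking (the "second vector" in post #5).
OTHER_TLDS = ("com", "ru", "de", "cn")


def variants(domain, subs=SUBS, max_edits=1):
    """All domains reachable from `domain` by up to `max_edits` substitutions."""
    label, _, tld = domain.partition(".")
    positions = [(i, ch) for i, ch in enumerate(label) if ch in subs]
    out = set()
    for k in range(1, max_edits + 1):
        for combo in combinations(positions, k):
            for picks in product(*(subs[ch] for _, ch in combo)):
                chars = list(label)
                # Apply right-to-left so multi-char replacements keep indices valid.
                for (i, _), rep in sorted(zip(combo, picks), reverse=True):
                    chars[i] = rep
                out.add("".join(chars) + "." + tld)
    return sorted(out)


def tld_variants(domain, tlds=OTHER_TLDS):
    """Same label on other TLDs."""
    label = domain.partition(".")[0]
    return [f"{label}.{t}" for t in tlds]


def registrable(domain):
    """The IDNA (punycode) form that shows up at the registrar and in DNS."""
    return domain.encode("idna").decode("ascii")


def skeleton(label):
    """Fold a label to the ASCII a reader's eye sees (a crude confusables skeleton)."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c))  # ë -> e, á -> a
    s = s.replace("I", "l").replace("1", "l").replace("|", "l")  # before lowercasing
    s = s.lower()
    for pair, single in (("vv", "w"), ("rn", "m"), ("nn", "m")):  # post #5's digraphs
        s = s.replace(pair, single)
    return s.replace("0", "o")


def levenshtein(a, b):
    """Plain edit distance; catches n->m and t->l, which no fold can undo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate, legit=LEGIT):
    """Why `candidate` reads as `legit`, or None if it is legit itself or unrelated."""
    if candidate.lower() == legit.lower():
        return None
    c_label, _, c_tld = candidate.partition(".")
    l_label, _, l_tld = legit.partition(".")
    if c_label.lower() == l_label.lower():
        label_reason = None
    elif skeleton(c_label) == skeleton(l_label):
        label_reason = "homograph"
    elif levenshtein(skeleton(c_label), skeleton(l_label)) <= 1:  # assumed threshold
        label_reason = "near-miss"
    else:
        return None
    if c_tld.lower() != l_tld.lower():
        return f"{label_reason}+tld" if label_reason else "tld-swap"
    return label_reason


if __name__ == "__main__":
    # Shortlist: the a/e "blinding" morphs post #5 wants registered first.
    shortlist = variants(LEGIT, subs={k: SUBS[k] for k in "ae"}, max_edits=3)
    for d in shortlist:
        print(f"{d:22} -> {registrable(d)}")
    print(len(variants(LEGIT)), "single-substitution variants,",
          len(tld_variants(LEGIT)), "TLD swaps")
```

The punycode column is the one that matters when buying or blocking: a registrar or a DNS log never shows "myzënwallet.io", only its xn-- form. The distance check deliberately also flags plain typos of the label, which is what you want when feeding a blocklist or a certificate-transparency watch rather than a registration budget.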


#6

The only problem is that .io domains are pretty expensive ($30 each).