Since the beginning of this year, TON (The Open Network) has received a lot of attention. As a public chain deeply tied to Telegram and its huge user base, the wealth effect of new projects has drawn users into the TON ecosystem in search of their own alpha.
As the saying goes, where there are people, there is a jianghu. Wherever a public chain attracts traffic, hackers gather like sharks smelling blood.
Because TON's technical design differs from the EVM, the security practices learned on EVM chains cannot be applied directly when interacting on TON.
As a hardware wallet manufacturer actively integrating with the TON ecosystem, we have compiled some security recommendations to help everyone embrace the TON ecosystem safely.
1. Choose the right wallet
Because of the different technical implementation, the EVM wallets everyone is used to, such as MetaMask and Rabby, do not currently support TON, so a separate wallet that supports TON has to be installed.
At this point a highly secure wallet is crucial. We can judge which wallet suits us by criteria such as whether it is open source and whether it supports hardware wallets. In particular, pay attention to whether the wallet can fully parse and display the transaction it is asked to sign. For example, when I encountered a phishing website on TON that tried to transfer assets out of my wallet, the transaction analysis shown by the wallet apps OpenMask and Tonkeeper (@tonkeeper) differed greatly, as shown in the following figure:
A more secure wallet is like a "magic mirror" that reveals what a transaction really does, and it greatly reduces the anxiety users feel when trying to spot phishing. Recently, Keystone has also completed its integration with Tonkeeper. I believe the addition of hardware wallets can greatly improve users' security on TON.
2. Beware of common phishing methods
As on other public chains, phishing is currently the most common attack on TON and the one with the most victims.
Let's take this opportunity to look at the phishing methods hackers use on TON:
1. Zero-amount transfer phishing. Hackers send 0 TON in batches to many addresses and attach a comment to the transfer such as "To receive the 1000 TON airdrop, visit " ". Inexperienced users may be taken in, visit the phishing website and perform the so-called claim interaction, which lets the hackers drain their valuable assets.
2. NFT airdrop phishing. Besides token transfers, hackers also airdrop NFTs to user wallets for phishing. Alongside the attractive artwork, the NFT carries a phishing website URL to lure the user. In the following case, a fake Fragment marketplace link was left on the NFT airdropped to the user. When the user opened the fake marketplace and tried to sell the airdropped NFT, he fell into the hacker's trap: not only did the sale fail, but other assets were transferred away. x.com/Perominar/stat
3. Beware of TON's unique "transaction comment" feature. Every transfer on TON has an optional comment field, which you can think of as the memo on a bank transfer. It is a user-friendly feature, but phishing websites with ulterior motives abuse it. In the figure below, the hackers try to get the user to transfer FISH tokens out of the wallet and write "Received +xxx,xxx,xxx FISH" in the comment, misleading the user into thinking they will receive more FISH than they currently hold and so confirming the transaction. Remember not to trust anything written in a transaction comment, and we hope that in future every wallet app can give clearer security hints about transaction comments.
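The three lures above share a structure a wallet or monitoring tool can check for mechanically: an incoming 0 TON message whose only payload is a link, an unsolicited NFT whose comment points at a marketplace lookalike, and an outgoing transfer whose comment promises that the signer will "receive" something. The following Python script is an added example, not code from this article, from Keystone or from any TON wallet; it does not call any TON API. The transaction records, the `.example` hosts and the allow-list of official domains are all constructed for illustration, and the rules are heuristics a defender would tune, not a complete scam detector.

```python
import re
from dataclasses import dataclass

# Matches schemed or bare hostnames inside free text, e.g. "ton-airdrop.example/claim".
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.IGNORECASE)
# Assumed allow-list of official hosts (hypothetical; maintain your own list).
OFFICIAL_HOSTS = {"fragment.com", "getgems.io", "tonkeeper.com"}
# Brand words that lookalike phishing domains tend to borrow.
BRAND_WORDS = ("fragment", "getgems", "tonkeeper")
# Comment text that promises the signer will *receive* something.
RECEIPT_CLAIM_RE = re.compile(r"\b(?:received|receive|airdrop|claim)\b|\+\s*[\d,]+", re.IGNORECASE)


@dataclass
class TonTx:
    """Minimal view of a transfer as a wallet shows it: after receipt, or before signing."""
    direction: str        # "in" = arrived in the wallet, "out" = the wallet is asked to sign it
    amount_ton: float     # TON value attached to the message
    comment: str = ""     # the optional transaction comment
    is_nft: bool = False  # True when the item moved is an NFT
    jetton: str = ""      # jetton symbol for token transfers, "" for plain TON


def hosts_in(text: str) -> list[str]:
    """Extract lower-cased hostnames mentioned in a comment."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def lookalike_hosts(hosts: list[str]) -> list[str]:
    """Hosts that borrow a known brand word but are not the official domain."""
    return [h for h in hosts
            if h not in OFFICIAL_HOSTS and any(w in h for w in BRAND_WORDS)]


def assess(tx: TonTx) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one transfer; an empty list means nothing fired."""
    findings = []
    hosts = hosts_in(tx.comment)
    if tx.direction == "in":
        # Rule 1: a 0 TON deposit whose only payload is a link is the classic airdrop lure.
        if tx.amount_ton == 0 and hosts:
            findings.append(("zero_amount_url", f"0 TON received with link(s) {hosts}"))
        # Rule 2: an unsolicited NFT carrying a link, worse when the link imitates a marketplace.
        if tx.is_nft and hosts:
            look = lookalike_hosts(hosts)
            if look:
                findings.append(("nft_lookalike_link", f"airdropped NFT points at {look}"))
            else:
                findings.append(("nft_airdrop_link", f"airdropped NFT carries link(s) {hosts}"))
    else:
        # Rule 3: the comment on an OUTGOING transfer is written by the dApp, not by the chain;
        # text claiming the signer will "receive" funds contradicts what signing actually does.
        if RECEIPT_CLAIM_RE.search(tx.comment):
            what = tx.jetton or "TON"
            findings.append(("outgoing_receipt_claim",
                             f"this {what} transfer is outgoing, yet its comment promises a receipt"))
    return findings


def scan(txs: list[TonTx]) -> dict[int, list[tuple[str, str]]]:
    """Map index -> findings for every transfer that triggered at least one rule."""
    report = {}
    for i, tx in enumerate(txs):
        findings = assess(tx)
        if findings:
            report[i] = findings
    return report


# Constructed sample transfers (not real on-chain data); they mirror the three cases in the text.
SAMPLE_TXS = [
    TonTx("in", 0.0, "To receive the 1000 TON airdrop, visit ton-airdrop.example/claim"),
    TonTx("in", 0.01, "Sell this collectible on fragment-market.example", is_nft=True),
    TonTx("out", 0.05, "Received +123,456,789 FISH", jetton="FISH"),
    TonTx("in", 5.0, "thanks for lunch"),
    TonTx("out", 1.0, "invoice 42"),
]


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_TXS).items():
        for rule, detail in findings:
            print(f"tx#{i} [{rule}] {detail}")
```

The important design choice is in rule 3: the comment of a transfer the user is about to sign is chosen by the dApp, so any text in it that describes an inflow is by construction untrustworthy, which is exactly the point the article makes about "Received +xxx FISH". Rules 1 and 2 are only as good as the allow-list and brand words, so a deployment would keep those lists current rather than rely on the constructed values here.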
3. Using blockchain explorers to identify fraud and phishing
Comparing the security features of the two explorers, tonviewer and Tonscan, we can see that tonviewer is better at flagging fraud and phishing: it not only labels suspected phishing transactions "SUSPICIOUS", but also marks airdropped scam NFTs with the word SCAM so that users are not fooled. Tonscan only displays the on-chain data and lacks these security hints. We recommend that users new to the TON ecosystem use tonviewer first when looking up wallet address information.