Bitcoin Forum
March 16, 2026, 02:55:58 PM *
Author Topic: A phishing scam discussion.  (Read 211 times)
salad daging
Legendary
*
Offline Offline

Activity: 2324
Merit: 1030


Bitcoin To The Moon 📈📈📈


View Profile WWW
March 15, 2026, 04:31:40 PM
 #21

FIRST USER: argued that such a phishing scam drains its victim's money from the wallet automatically in a quick instant on connecting to the fake site.
I'm not sure about this user saying that accessing a phishing site will automatically drain the balance directly, but I don't know that the phishing site has been designed in such a way.
I used to access some phishing sites out of curiosity, and only to the extent that it is not directly drained unless connecting the wallet.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, until you, the victim, have to perform a signing in of your information or wallet private key.
This makes more sense, and often the victim's mistake is from their own connecting a web wallet to a phishing site or filling out a form that asks for a seed phrase.

Regardless, just be careful with phishing sites because now there are so many phishing sites scattered.
4 days in a row I received a phishing email from Trezor.

Stalker22
Legendary
*
Offline Offline

Activity: 2170
Merit: 1549



View Profile
March 15, 2026, 06:42:11 PM
 #22

I suppose they could both be right.  It really just depends on how the specific scam is set up.

I suppose both of them are talking from their different knowledge bases and experiences. I have a friend whose wallet, Trust Wallet to be precise, was drained immediately after she connected to a site through the DAPPS section, so I believe I have seen an instant connection scam before, but I haven't known anyone who had to sign a transaction before their wallets were drained.

It depends on what you mean by being "connected to a site."  In my experience, you usually have to grant specific permissions regarding exactly what a dApp can do with your wallet.  You have to be extremely careful here; I have seen users who barely read what they are confirming, which is usually why they end up with an empty wallet after visiting scam websites. 

I have also read that the website you're connected to might have an exploit designed to run an automatic unintended code on your device or even get remote access to your device and if it is achieved successfully, then the attack can remove your assets.

AFAIK, this is only possible if there is a security vulnerability in the software or hardware you are using that can be exploited. The most recent example is the vulnerability in MediaTek processors, which affects almost all Android devices on the market.

I only hope the second person is not trying to undermine the risk in connecting your wallet to scam sites because you do not know the configuration you would meet, so it is better not to even connect your main wallet to any third-party service.

That's true.  Better to be safe than sorry.

Zoomic
Hero Member
*****
Offline Offline

Activity: 1106
Merit: 531


Watsoeva u would that men do 2u, do u even so 2dem


View Profile
March 15, 2026, 07:44:01 PM
 #23

Depends on how the site is built. There are scam dApps which are designed to extract the key to your wallet immediately you sign in that wallet connect permission; there are also those in which they need to send you something which you need to permit from your wallet, so both of them are somehow right, just that one tries to use his explanation to debunk the other person's own.
If I am a scammer and I have the opportunity to execute both types of phishing, I will obviously choose that immediately your wallet is connected, it should drain. Unless the resources to set it up are very expensive; if not, that is the most reliable one for the scammers.

Again, anyone who is willing to connect their main wallet to an unknown or untrusted site will also be willing to sign a signature and complete a transaction.

But for knowledge's sake, if you connect your wallet, you have already given them the primary permission they need; every other thing could fall in place.


HONDACD125
Sr. Member
****
Offline Offline

Activity: 1036
Merit: 362



View Profile
March 15, 2026, 08:54:53 PM
 #24

Keeping the argument between the two users aside at first, we need to understand that if the victim downloaded a wallet from a website, and then imported his key or seed phrase in that wallet, the attacker drained the wallet by gaining access to the wallet through that, because if someone has your private key or your seed phrase, they don't need any other permission to access your wallet as these are the most important things when it comes to decentralized wallets.

Now, talking about the argument or discussion, I would say it depends, because as mentioned by some other members, some wallets, especially on a mobile device where you have the app, you can access dApps directly from within the wallet, and in that case, a fake dApp might be able to access the wallet somehow as soon as the user connects to it. However, when it comes to wallet extensions on browsers, specifically on a PC, when you connect to a website, for the website to actually be able to have access to the wallet or to make transactions, the user has to sign a message for which he gets a notification. If the user signs it, then the wallet can be drained.

FinneysTrueVision
Hero Member
*****
Offline Offline

Activity: 2324
Merit: 860


🧙‍♂️ #kycfree


View Profile
Today at 02:24:16 AM
 #25

A phishing scam by itself doesn’t typically drain your wallet instantly. There has to be a malware deployment to go along with the phishing in order for it to be instant. A malware attack would only work if you are using a hot wallet on your device. Hardware wallets give an additional layer of protection.

Phishing scams are designed to get you to reveal your seed phrase or trick you into giving approval to a malicious contract. Attackers don’t immediately drain you until you’ve been compromised enough to give them control.

SilverCryptoBullet
Sr. Member
****
Offline Offline

Activity: 980
Merit: 253



View Profile
Today at 03:45:59 AM
 #26

Regardless, just be careful with phishing sites because now there are so many phishing sites scattered.
4 days in a row I received a phishing email from Trezor.

Be careful with the words you use. These emails are from scammers, not from Trezor. I understand that you did not intend to do that, but writing "I received phishing email from Trezor" is like fake news, so let's be more careful with the words we use next time.

It's easy to recognize such emails as scams by looking at their email addresses, which surely don't have trezor.io, as their phishing sites and emails must be something different than trezor.io.

trezor.io is the official website of Trezor hardware wallet.

Some tips to avoid these phishing scams.
Phishing scams.
Hardware wallet scams.
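
The sender-address check described in the post above, as an added example that is not part of the original post: it parses the From header, rejects lookalike domains that merely contain trezor.io, and, because a From line can be forged, also requires a DMARC pass recorded by the receiving mail server. The sample messages, the `.example` domains, the `mail.trezor.io` subdomain and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "trezor.io"  # official site named in the thread
BRAND = "trezor"


def classify(raw_message: str) -> str:
    """Return 'ok', 'unrelated', or a 'phishing:' / 'suspicious:' verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return "suspicious: no parsable sender address"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match or a true subdomain only: "trezor.io.account-check.example"
    # and "trezor-io.example" contain the name but are not under trezor.io.
    official = domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN)
    if not official:
        if BRAND in display.lower() or BRAND in domain:
            return f"phishing: brand name used with foreign domain {domain}"
        return "unrelated"
    # The From header is sender-controlled, so an official-looking address
    # proves nothing by itself. Simplification: read the DMARC verdict from
    # the topmost Authentication-Results header, assumed to be the one the
    # receiving mail server added.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" in auth:
        return "ok"
    return "suspicious: official domain in From but no DMARC pass"


def make_mail(from_header: str, auth: str = "") -> str:
    """Build a minimal constructed message for the demonstration."""
    lines = [f"From: {from_header}", "Subject: Action required"]
    if auth:
        lines.insert(0, f"Authentication-Results: {auth}")
    return "\n".join(lines) + "\n\nPlease verify your wallet.\n"


# Constructed samples, not real phishing mail.
SAMPLES = {
    "lookalike": make_mail('"Trezor Support" <security@trezor-io.example>'),
    "suffix_trick": make_mail("Trezor <noreply@trezor.io.account-check.example>"),
    "forged_from": make_mail("Trezor <noreply@trezor.io>",
                             "mx.example.net; dmarc=fail header.from=trezor.io"),
    "authenticated": make_mail("Trezor <news@mail.trezor.io>",
                               "mx.example.net; dmarc=pass header.from=mail.trezor.io"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify(raw)}")
```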











██
██
██████
R


▀▀██████▄▄
████████████████
▀█████▀▀▀█████
████████▌███▐████
▄█████▄▄▄█████
████████████████
▄▄██████▀▀
LLBIT
██████
██
██
██████
██
██
██
██
██
██
██
██
██
██
██
██████
██████████████
 
 TH#1 SOLANA CASINO 
██████████████
██████
██
██
██
██
██
██
██
██
██
██
██
██████
████████████▄
▀▀██████▀▀███
██▄▄▀▀▄▄████
████████████
██████████
███▀████████
▄▄█████████
████████████
████████████
████████████
████████████
█████████████
████████████▀
████████████▄
▀▀▀▀▀▀▀██████
████████████
███████████
██▄█████████
████▄███████
████████████
█░▀▀████████
▀▀██████████
█████▄█████
████▀▄▀████
▄▄▄▄▄▄▄██████
████████████▀
[
[
5,000+
GAMES
INSTANT
WITHDRAWALS
][
][
HUGE
   REWARDS   
VIP
PROGRAM
]
]
████
██
██
██
██
██
██
██
██
██
██
██
████
████████████████████████████████████████████████
 
PLAY NOW
 

████████████████████████████████████████████████
████
██
██
██
██
██
██
██
██
██
██
██
████
Patikno
Sr. Member
****
Offline Offline

Activity: 770
Merit: 303


Visit Campaign Manager |TG ID- @LT_Mouse


View Profile WWW
Today at 08:05:42 AM
 #27

The important conclusion is this: we should always check the legitimacy of a site, ensure it is official and free of any malicious activity, and always check information from the relevant community about the site you are planning to visit.

-snip-

By the way, I am curious about the case you described. Could you provide a source? Maybe, it will become clearer, if we read it carefully, and we can understand how the phishing scam site works.
I don't know if this is the reddit thread OP is talking about, but the story seems almost the same -- How I lost over $1M after installed Ledger Wallet from App Store



The victim downloaded a fake Ledger Wallet app on his Mac from the official App Store. He wasn't aware that the desktop version is only available from the ledger.com website. In this case, the second user's argument would be right, because simply downloading a fake app shouldn't have been enough to drain his funds. He must've been tricked into entering his seed phrase, or maybe he signed a transaction on his device without verifying the details. Still, his actions were very careless for someone with a huge amount of money. As explained by one of the mods there:

Quote from: u/Ram_Ledger
It is also crucial to understand that a fake app cannot autonomously drain your wallet just by being installed. A hardware wallet's security model dictates that assets can only be moved if the 24-word recovery phrase was typed directly into the fake app, or if a malicious transaction was physically approved on the Ledger device screen.
So, opinion number two is correct in this case, right? But it seems my previous explanation wasn't quite right.

There is an important lesson to be emphasized in this case: the victim's mistake of easily downloading an app from an unofficial source (Ledger, in this case). He should have verified the source, checked with the relevant community, or at least checked the official website first, then looked at the download link provided there.

By the way, I just visited the Ledger website, and found that Ledger provides a download link for macOS, but why doesn't it go to the Mac App Store when I try to click it? Shouldn't it redirect to the Mac App Store, just like clicking the download link for Android, which redirects directly to the Google Play Store? Or has Ledger not yet registered their account as an Apple Developer there? CMIIW.

Ledger company should realize how important it is to provide their application there, because they are a company that must also take care of its customers carefully, and because there are many people who depend on that company for their finances.

TypoTonic
Full Member
***
Offline Offline

Activity: 238
Merit: 478


'To err is human; to persist is diabolical'


View Profile WWW
Today at 09:54:52 AM
 #28

There is an important lesson to be emphasized in this case: the victim's mistake of easily downloading an app from an unofficial source (Ledger, in this case). He should have verified the source, checked with the relevant community, or at least checked the official website first, then looked at the download link provided there.
Also, he either ignored or failed to see that the fake app has only 4 reviews, and a perfect 5 star rating. That was a huge red flag already.

By the way, I just visited the Ledger website, and found that Ledger provides a download link for macOS, but why doesn't it go to the Mac App Store when I try to click it? Shouldn't it redirect to the Mac App Store, just like clicking the download link for Android, which redirects directly to the Google Play Store? Or has Ledger not yet registered their account as an Apple Developer there? CMIIW.
I'm not really sure why. They have it available on the App Store for iOS though. Anyway, the story I shared is no longer relevant. OP already found the thread he was referring to:

This is the exact story I'm referencing in my OP: How an ad cost a user 1.7 million dollars. I had to spend time searching for it because I did not remember to save it.
You should probably add this to the OP @IjawMan.

tabas
Hero Member
*****
Offline Offline

Activity: 3668
Merit: 828


NO DEPO CODE VEGAR7, NO KYC Casino


View Profile WWW
Today at 11:14:07 AM
 #29

Both explanations are correct. But you know these scammers are rogues that will not waste any moment after a victim falls for their trap. These wallet drainers are going to suck all the funds you've got, and any kind of smart contract they do for that is going to get the victim's funds automatically. Whether to justify the explanation 1 and 2, the whole point here is to not fall for these phishing wallets and websites. And the responsibility is on us that we have to be careful with any of them not to fall for it. So, as we're always saying - always verify!
