Data from Etherscan shows that some crypto scammers are targeting users with a new trick that allows them to confirm a transaction from the victim’s wallet, but without having the victim’s private key. The attack can only be performed for transactions of 0 value. However, it may cause some users to accidentally send tokens to the attacker as a result of cutting and pasting from a hijacked transaction history.
Blockchain security firm SlowMist discovered the new technique in December and revealed it in a blog post. Since then, both SafePal and Etherscan have adopted mitigation techniques to limit its effect on users, but some users may still be unaware of its existence.
Recently we have received reports from the community of a new type of scam: Zero Transfer Scam. Be careful if you see suspicious 0 transfer in your wallet record: 1/10
According to the post from SlowMist, the scam works by sending a transaction of zero tokens from the victim’s wallet to an address that looks similar to one that the victim had previously sent tokens to.
For example, if the victim sent 100 coins to an exchange deposit address, the attacker may send zero coins from the victim’s wallet to an address that looks similar but that is, in fact, under the control of the attacker. The victim may see this transaction in their transaction history and conclude that the address shown is the correct deposit address. As a result, they may send their coins directly to the attacker.
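The check below is an added example, not code from SlowMist, Etherscan or the article: it scans a wallet's token-transfer history for zero-value outgoing transfers whose recipient resembles an address the wallet really paid earlier. The similarity rule (same first and last four hex characters), the record layout and all addresses are assumptions made for the illustration.

```python
# Added example; all addresses and transfer records are constructed samples.
WALLET = "0x" + "11" * 20
EXCHANGE = "0xa1b2" + "0" * 32 + "c3d4"    # address the user really paid
LOOKALIKE = "0xa1b2" + "f" * 32 + "c3d4"   # same first/last 4 hex chars
OTHER = "0x" + "22" * 20

SAMPLE = [  # oldest first; "value" is the token amount transferred
    {"tx": "tx-1", "from": WALLET, "to": EXCHANGE, "value": 100},
    {"tx": "tx-2", "from": WALLET, "to": LOOKALIKE, "value": 0},
    {"tx": "tx-3", "from": WALLET, "to": OTHER, "value": 0},
    {"tx": "tx-4", "from": OTHER, "to": WALLET, "value": 5},
    {"tx": "tx-5", "from": WALLET, "to": EXCHANGE, "value": 0},
]

def _norm(addr):
    """Lower-case an address and drop the 0x prefix for comparison."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def looks_alike(a, b, head=4, tail=4):
    """True if two different addresses share leading and trailing characters
    (assumed rule: this is what a truncated address display would show)."""
    a, b = _norm(a), _norm(b)
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]

def flag_zero_transfers(wallet, transfers, head=4, tail=4):
    """Return zero-value outgoing transfers whose recipient imitates an
    address the wallet sent a non-zero amount to earlier in the history."""
    wallet = _norm(wallet)
    trusted, flagged = set(), []
    for t in transfers:
        if _norm(t["from"]) != wallet:
            continue                      # only transfers shown as outgoing
        to = _norm(t["to"])
        if t["value"] > 0:
            trusted.add(to)               # a real payment: remember recipient
            continue
        if to in trusted:
            continue                      # zero transfer to a known address
        match = next((k for k in sorted(trusted)
                      if looks_alike(to, k, head, tail)), None)
        if match is not None:
            flagged.append({"tx": t["tx"], "to": "0x" + to,
                            "imitates": "0x" + match})
    return flagged

if __name__ == "__main__":
    for hit in flag_zero_transfers(WALLET, SAMPLE):
        print(hit)
```

A flagged entry is a reason to take the destination address from the original source, such as the exchange's deposit page, rather than from the transaction history.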
Under normal circumstances, an attacker needs the victim’s private key to send a transaction from the victim’s wallet. But Etherscan’s “contract tab” feature reveals that there is a loophole in some token contracts that can allow an attacker to send a transaction from any wallet.
Read more on cointelegraph.com