FP issue - Native ice phishing (targets interacting more than once with the hacker)

Question

FP issue - Native ice phishing (targets interacting more than once with the hacker)

Closed this issue a year ago · 3 comments

Ivan1905 commented a year ago

Vasilis,

I have observed some alerts that the scam detector raised as native ice phishers but they aren't. Apparently these "targets" are interacting more than once with the hacker which does not have much sense.

Example 1:
https://explorer.forta.network/alert/0xe53ac140d314962b99b0f01646773cbc075d38dbc2d671cd79eac8258d844b36
https://polygonscan.com/address/0xdba68e83b3b97a1ef453ae687665d2e8bc6f6964

Example2:
https://explorer.forta.network/alert/0x812f18a56d83222614590f2239e400426fbd66b624c0b2d97cf34c0a9f9e6de9
https://polygonscan.com/address/0xd9611c2666024a4a4bc468bf132b7fd722a879df

Example3:
https://explorer.forta.network/alert/0x1ec5fb29802905d95f96d2003d248af52f496ce0f9e3ffe61d5c42902325c9bf
https://polygonscan.com/address/0xc8f18f2dd0c263a12635bf81fb48f5f30d9e8705

Answer 1 · 2023-05-30T14:39:01.000Z

Hi Ivan, although there is a check for every transaction that this is the first interaction between the "victim" and the "attacker", one possible solution is to repeat the check (that this was still the only interaction) just before firing the alert. This can catch a few FPs, although not the ones in which the 2nd interaction happens after the alert is triggered.

Answer 2 · 2023-05-30T16:46:33.000Z

could we apply a similar approach to what Tayfun does in the private key compromise. Emit a low severity alert, wait for some time, and if the condition still holds emit another high severity alert?

Answer 3 · 2023-06-12T14:00:09.000Z

@christian-forta, I added an alert of Critical Severity which is fired a week after the first (NIP-7)