Thousands of EOS accounts are being scammed via an email purporting to come from the ECAF, the EOSIO Core Arbitration Forum designated to defend token owners exposed to scams and to resolve disputes. In reality, it is a fake email attempting a phishing attack.
On December 18th, in fact, many EOS accounts received transactions with a message very similar to the public notification of arbitration that is sent in case there is an ongoing dispute.
The email was sent by the ecafofficiel account and contains a link to a scam website, https://eoscorearbitratioņ.io, whose address uses a different N (ņ) from the normal one and is therefore difficult to distinguish from the real one.
The notice states that the account owner is the subject of a complaint that has been accepted by the ECAF.
The message continues by inviting the respondent to contact the ECAF via email or the attached link. There is also a warning that if there is no response, the arbitrator will make a decision:
“please note that failure to respond to this notification within 14 days of publication will result in the case proceeding without your response although you will be able to submit evidence at a later date providing an arbitrator’s ruling has not been made”.
All this is a phishing attempt that aims to obtain the private keys to the EOS account.
If the recipient of the notification follows the procedure proposed in the notice, he is directed towards a dispute resolution process that seems legitimate.
Information such as account name, personal data, email address and even account keys is requested.
In this way, the owner, believing he is protecting his account from an ongoing dispute, in fact hands all the information to the fraudster and gives him the opportunity to rob him.
The best thing to do is to ignore this notification, but there is a risk that someone may have mistaken this warning for a real dispute.
Although EOS is a blockchain that provides a lot of security to accounts, phishing is an attack to which all Internet users are exposed every day.
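The look-alike domain described above lends itself to a mechanical check. The following is an added example, not part of the original article: it scans a transaction memo for links whose host matches a trusted domain once diacritics are stripped. The trusted host (the plain-ASCII spelling of the domain in the notice) and the sample memo are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumption: the trusted host is the plain-ASCII spelling of the domain in the notice.
TRUSTED_HOSTS = {"eoscorearbitration.io"}
URL_HOST_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)

def to_unicode(host):
    """Lower-case the host and decode punycode (xn--) labels to Unicode."""
    host = host.lower().rstrip(".,;)")
    if "xn--" in host and host.isascii():
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: classify the raw string
    return host

def skeleton(host):
    """Fold accented Latin letters to their base letter (NFKD, drop combining marks)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify_host(host):
    host = to_unicode(host)
    if host in TRUSTED_HOSTS:
        return "trusted"
    if skeleton(host) in TRUSTED_HOSTS:
        return "lookalike"   # differs from a trusted host only by diacritics
    if not host.isascii():
        return "non-ascii"   # other scripts (e.g. Cyrillic) need a confusables table
    return "unknown"

def scan_memo(memo):
    """Return one finding per URL host found in a transaction memo."""
    findings = []
    for raw in URL_HOST_RE.findall(memo):
        host = to_unicode(raw)
        findings.append({
            "host": host,
            "verdict": classify_host(host),
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                          for c in host if ord(c) > 127],
        })
    return findings

# Constructed sample memo; \u0146 is "n with cedilla", as in the link quoted above.
SAMPLE_MEMO = ("Public notification of arbitration, respond at "
               "https://eoscorearbitratio\u0146.io within 14 days")

if __name__ == "__main__":
    for finding in scan_memo(SAMPLE_MEMO):
        print(finding)
```

The same host also appears in DNS and proxy logs in its `xn--` punycode form, which `to_unicode` decodes before the comparison.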
Since EOS was launched in mid-June, the community has remained in a state of limbo, waiting for the tool needed to conduct the referendum and to reach agreement on the constitution.
In the meantime, the constitution is systematically violated and the general state of depravity keeps growing, escalating in the latest scam that exploits the ECAF.
The EOS mainnet was launched together with a constitution that all token owners must obey, but the more time passes, the more the community is realizing how inapplicable the articles of the governing document are and how inefficient the EOS Core Arbitration Forum is in its execution, to the point of becoming a source of risk for the network.
The cryptocurrency world seems to be particularly affected by the phenomenon of scams as it lacks efficient account protection and the level of education of cryptocurrency users regarding key protection is very low.
Fortunately, EOS gives the possibility to change the keys in case the account owner notices that their tokens have been unstaked.
The 72-hour unstake period is the time it takes to make EOS liquid and transferable from one account to another and is one of the ways to secure funds.
The scam that uses the authority and power of the ECAF to freeze users’ accounts is definitely a serious matter. Within the EOS community there is a discussion about whether there should be arbitration at the base level of the blockchain with the power to touch the private keys of an account.
The current constitution gives this power to the ECAF even though Block Producers may decide not to follow the order.
In November, the ECAF made history in the blockchain space by issuing its first order, which allowed Block Producers to use the eosio.wrap function to change the key authorisation of one of the accounts that was exposed to a phishing attack during the registration of the EOS account, even before the mainnet was launched.
The lack of transparency related to the case and the respondent’s failure to respond are the arguments against such a dispute resolution method and against allowing the ECAF to touch the private keys of the accounts.
Better account and digital identity security would be the answer that could be most easily accepted by account holders.
Daniel Larimer wondered in the past whether freedom requires radical transparency or rather complete privacy.
His model of radical transparency would reduce, if not completely eliminate, hacking and phishing attempts, but it is also true that such a system would eliminate privacy.
Lately, however, the creator of EOS has talked about a privacy coin that would make all transactions anonymous.