Post by iamin114112 on Nov 9, 2024 20:39:56 GMT -8
As cryptocurrencies gain popularity around the world and new ways to store them emerge, the arsenal of tools available to cybercriminals hunting for digital money grows. Fraudsters tailor the sophistication of the technology they use and the thoroughness of their efforts to impersonate legitimate websites to how well protected the target is and how much money they can steal if they succeed. This story looks at two fundamentally different methods of email attacks on two of the most popular ways to store cryptocurrency: hot and cold wallets.
Hot wallets and attempts to hack them
A hot wallet is a cryptocurrency wallet with constant access to the Internet. This is, in fact, any online service that provides storage of cryptocurrency, from crypto exchanges to specialized applications.
Hot wallets are a very popular option for storing cryptocurrency. This can be explained by the simplicity of creating one (registering with a wallet service is all you need to do) and the ease of withdrawing and converting funds. The popularity and simplicity of hot wallets make them a prime target for cybercriminals. However, for this reason, and because hot wallets are always online, they are rarely used to store large amounts of money. Consequently, cybercriminals have little motivation to invest significant funds in phishing campaigns, and therefore the methods used in email attacks on hot wallets are unlikely to ever be original or sophisticated. In fact, they appear quite primitive and are aimed mainly at inexperienced users.
A typical phishing scam targeting a hot wallet user works like this: hackers send emails that appear to come from a well-known crypto exchange and ask the user to confirm a transaction or re-verify their wallet.
Example of a phishing email targeting Coinbase users
Once the user clicks on the link, they are redirected to a page where they are asked to enter a seed phrase. A seed phrase is a sequence of 12 (less often 24) words used to restore access to a crypto wallet. In essence, it is the main password for the wallet. The seed phrase can be used to gain or restore access to the user's account and make any transactions. The seed phrase cannot be changed or restored: if the user loses it, they risk permanently losing access to their wallet, and if they give it to scammers, the scammers can permanently compromise the account.
Input page for initial phrase
If a user enters a seed phrase on a fake web page, the scammers gain full access to the wallet and the ability to transfer all funds to their own addresses.
Quite simple and lacking software or social engineering, these scams usually target non-technical users. The seed entry form is usually stripped down to just the input field and the crypto exchange logo.
Phishing attacks targeting cold wallets
A cold wallet (cold storage) is a wallet without a permanent connection to the Internet, such as a dedicated device or even just a private key written on a piece of paper. Hardware storage is the most common type of cold wallet. Since these devices are offline most of the time and remote access is impossible, users tend to store significantly larger amounts of money on them. However, it would be a mistake to assume that a hardware wallet cannot be compromised without stealing it or at least gaining physical access to it. As with hot wallets, scammers use social engineering techniques to gain access to users' funds. We recently noticed an email campaign specifically targeting owners of hardware cold wallets.
This type of attack starts as a crypto email campaign: the user receives an email purporting to be from the Ripple cryptocurrency exchange and inviting them to join a giveaway of XRP tokens, the platform's native cryptocurrency.
Phishing email purporting to be from cryptocurrency exchange Ripple
If the user clicks on the link, they are presented with a blog page with a post explaining the rules of the "giveaway." The post contains a direct link to "registration."
Fake Ripple Blog
Already at this stage, the scam shows several differences from the mass attacks on hot wallets: instead of sending the user a link to a phishing page, the scammers used a more sophisticated dive trick with a blog post. They also went so far as to carefully copy the design of Ripple's website and register a domain name that was almost identical to the exchange's official domain. This is called a Punycode phishing attack. At first glance, the second-level domain is identical to the original, but a closer look reveals that the letter "r" has been replaced with a Unicode character,
Additionally, the scam site is hosted on the .net top-level domain, rather than the .com domain where the official Ripple site is located. However, this may not cause any concern for the victim, as both domains are widely used by legitimate organizations.
After the user follows the link from the "blog" to the fake Ripple page, they are asked to connect to the WebSocket address wss://s2.ripple.com.
Connecting to a WebSocket address
Next, the user is asked to enter the address of their XRP account.
Entering XRP Account Address
The website then prompts you to choose an authentication method to receive bonus tokens.
Selecting an authentication method
As you can see, hardware wallets top the list of options the scammers offer. Selecting Trezor redirects the user to the official website trezor.io, which allows connecting devices to web applications via the Trezor Connect API. The API is used to facilitate transactions using the hardware wallet. The scammers want the victim to connect to their website so that they can withdraw funds from the victim's account.
When a user attempts to connect to a third-party website, Trezor Connect asks them to consent to anonymous data collection and confirm that they want to connect to the website. The address of the scam site is displayed in the Punycode view as: https://app[.]xn--ipple-4bb[.]network. The scammer hopes that the user will miss the address, which is listed in small print on the side of the page.
Trezor Connect: Confirming Connection to Scam Site
Connecting via Ledger is very similar to Trezor but uses the WebHID interface; the rest of the steps are the same.
What happens after a user connects their hardware wallet? We had to do some digging into the phishing site's code to answer this question. The website runs on an application written in Node.js. It uses two APIs:
wss://s2.ripple.com, the official WebSocket address for Ripple transactions
Phishing site API, for example: app[.]xn--ipple-4bb[.]net/api/v1/action
The scammers use these two APIs to interact with the victim's XRP account. The phishing site's API calls the WebSocket address, verifies the account details, and requests funds. To do this, the scammers spin up one-time intermediate wallets.
The intermediate account is used for only two purposes: to receive the victim's funds and to transfer them to the scammers' permanent account. This helps to hide the final destination.
Statistics
In spring 2023, Kaspersky Lab antispam solutions detected and blocked 85,362 fraudulent emails targeting cryptocurrency users. Fraudulent email campaigns peaked in March, when 34,644 messages were received. We blocked 19,902 emails in April and 30,816 in May.
Conclusion
Fraudsters understand one thing: the harder it is to get to the loot, the bigger it can be. That’s why attacks on hardware wallets, which many consider bulletproof, use much more sophisticated tactics than those used against users of online cryptocurrency storage services. While hardware wallets are indeed more secure than hot wallets, users should not let their guard down. Carefully check every detail before giving any website access to your wallet, and refuse to connect if something smells suspicious.
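The homoglyph domain described in the cold-wallet section can be checked mechanically. The following Python is an added example, not code from the original post or from Kaspersky: it decodes the A-label that Trezor Connect displays (xn--ipple-4bb) back to its Unicode form, builds a crude diacritic-stripped skeleton, and flags any second-level label that is non-ASCII yet collapses to a protected brand name. The protected-brand set and the sample hostnames other than the campaign's own are constructed assumptions.

```python
import unicodedata

# Second-level labels worth protecting; a constructed allowlist for this example.
PROTECTED_LABELS = {"ripple", "trezor", "ledger", "coinbase"}


def decode_idna(host: str) -> str:
    """Convert A-labels (xn--...) in a hostname to their Unicode form."""
    return host.encode("ascii").decode("idna")


def to_alabel(host: str) -> str:
    """Inverse direction: Unicode hostname to the xn-- form wallet UIs display."""
    return host.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Crude confusable skeleton: decompose, drop combining marks, fold case.
    U+0157 (r with cedilla) decomposes to 'r' + U+0327, so it collapses to 'r'.
    Limitation: letters from other scripts (e.g. Cyrillic) do not fold to Latin."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def check_host(host: str) -> dict:
    """Flag a hostname whose second-level label is non-ASCII but whose
    skeleton equals a protected brand label (a homoglyph lookalike)."""
    unicode_host = decode_idna(host)
    labels = unicode_host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    non_ascii = any(ord(ch) > 0x7F for ch in sld)
    brand = skeleton(sld)
    lookalike = non_ascii and brand in PROTECTED_LABELS
    return {
        "host": host,
        "unicode": unicode_host,
        "sld": sld,
        "non_ascii": non_ascii,
        "brand": brand if lookalike else None,
        "lookalike": lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: the campaign's A-label, the genuine domain,
    # and a harmless IDN that is not a brand lookalike.
    for sample in ("app.xn--ipple-4bb.net", "ripple.com", "xn--mnchen-3ya.de"):
        result = check_host(sample)
        verdict = "LOOKALIKE of " + result["brand"] if result["lookalike"] else "ok"
        print(f"{sample:24} -> {result['unicode']:18} {verdict}")
```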