phishing

Chinese hackers use fake Skype app to target crypto users in new phishing scam

Crypto security firm SlowMist has discovered 100 wallet addresses linked to a phishing scam that drained hundreds of thousands of dollars from unsuspecting crypto users.

A new phishing scam has emerged in China that uses a fake Skype video app to target crypto users

According to a report by crypto security analytics firm SlowMist, the Chinese hackers behind the phishing scam built it on China’s ban on international applications: many mainland users search for these banned applications on third-party platforms, and that is where the fake app was seeded.

Social media applications such as Telegram, WhatsApp, and Skype are among the most commonly searched-for applications by mainland users, so scammers exploit this behaviour to target them with fake, cloned applications containing malware designed to attack crypto wallets.

Baidu search results for Skype. Source: Baidu

In its analysis, the SlowMist team found that the recently created fake Skype application bore version number 8.87.0.403, while the latest version of Skype is actually 8.107.0.215. The team also discovered that the phishing back-end domain ‘bn-download3.com’ impersonated the Binance exchange on Nov. 23, 2022, and was later changed to mimic a Skype back-end domain on May 23, 2023. The fake Skype app was first reported by a user who lost 'a significant amount of money' to the same scam.

The fake app's signature revealed that it had been tampered with to insert malware, and after decompiling the app the security team discovered that it modified a commonly used Android network framework called okhttp3 to target crypto users. The default okhttp3 framework handles Android traffic requests, but the modified okhttp3 obtains images from various directories on the phone and monitors for any new images in real time.

The malicious okhttp3 asks users for access to internal files and images, and since most social media applications request these permissions anyway, users often suspect nothing. The fake Skype then immediately begins uploading images, device information, user ID, phone number, and other information to the back end.

Once the fake app has access, it continuously looks for images and messages with TRX and ETH-like address format strings. If such addresses are detected, they are automatically replaced with malicious addresses pre-set by the phishing gang.
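The address-swap behaviour described above can be checked for from the defender's side by comparing the addresses in a message as it was composed with those in the message as it arrived. This is an added example, not SlowMist's code; the address patterns and the sample messages are constructed for illustration.

```python
"""Flag ETH/TRX address substitution between a composed and a delivered message.

Added example (not from the article or SlowMist). The two regexes cover the
two address formats the article names; sample messages below are constructed.
"""
import re

# EVM address: 0x followed by 40 hex digits.
ETH_ADDRESS = r"0x[0-9a-fA-F]{40}"
# TRON address: 34 base58 characters (no 0, O, I, l) starting with T.
TRX_ADDRESS = r"T[1-9A-HJ-NP-Za-km-z]{33}"
# Require a non-alphanumeric boundary on both sides so partial matches inside
# longer tokens are ignored.
ADDRESS_RE = re.compile(
    r"(?<![0-9A-Za-z])(" + ETH_ADDRESS + "|" + TRX_ADDRESS + r")(?![0-9A-Za-z])"
)


def find_addresses(text):
    """Return every ETH- or TRX-like address string in text, in order."""
    return ADDRESS_RE.findall(text)


def detect_substitution(composed, delivered):
    """Compare addresses in a message as composed with those as delivered.

    Returns a list of (expected, actual) pairs that differ. A non-empty list
    means something between the sender's keyboard and the recipient rewrote
    an address, which is the effect the trojanised okhttp3 produces.
    """
    before, after = find_addresses(composed), find_addresses(delivered)
    if len(before) != len(after):
        return [("<count mismatch>", f"{len(before)} vs {len(after)}")]
    return [(b, a) for b, a in zip(before, after) if b != a]


# Constructed sample: the sender typed one ETH address, the recipient saw another;
# the TRX address (a placeholder, not a real account) was left untouched.
COMPOSED = "Pay 50 USDT to 0x" + "1" * 40 + " or TRC20 T" + "Constructed" + "1" * 22
DELIVERED = "Pay 50 USDT to 0x" + "2" * 40 + " or TRC20 T" + "Constructed" + "1" * 22

if __name__ == "__main__":
    for expected, actual in detect_substitution(COMPOSED, DELIVERED):
        print(f"address rewritten: {expected} -> {actual}")
```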

Fake Skype app backend. Source: Slowmist

During SlowMist testing, it was found that the wallet address replacement had stopped, and the phishing interface’s back end was shut down and no longer returned malicious addresses.

Related: 5 sneaky tricks crypto phishing scammers used last year

The team also discovered that a TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) received approximately 192,856 USDT until Nov. 8 with a total of 110 transactions made to the address. At the same time, another ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received approximately 7,800 USDT in 10 deposit transactions.

In all, more than 100 malicious addresses linked to the scam were uncovered and blacklisted.

Magazine: Thailand’s $1B crypto sacrifice, Mt. Gox final deadline, Tencent NFT app nixed

LBank Unveils Brand Evolution, Empowering Advanced Trading Experience

Crypto wallet Trezor looks into phishing campaign, exec says

Trezor’s brand ambassador Josef Tetek emphasized that the hardware wallet firm never asks for users’ recovery seed, PIN or passphrase.

Cryptocurrency hardware wallet provider Trezor is investigating a recent phishing campaign, as users have reported receiving phishing emails.

The anonymous blockchain sleuth ZachXBT took to his Telegram channel on Oct. 26 to alert users to a phishing attack targeting Trezor customers.

ZachXBT referred to an X (formerly Twitter) post from the account JHDN, whose author alleged that Trezor may have been breached after receiving phishing emails at an email address used specifically for buying the wallet.

In a similar manner to some Trezor-related phishing attacks in the past, the phishing email invites users to download the “latest firmware update” to users’ Trezor devices in order to “fix an issue in software.” According to the poster, the malicious email was sent from the email amministrazione@sideagroup.com.

“Be careful this person just received a phishing email to the email address associated with their Trezor purchase,” ZachXBT wrote, adding that the social media report could point to a potential data breach for Trezor or Evri, the United Kingdom delivery company that ships Trezor devices.

ZachXBT mentioned that two other people on Reddit complained about the same Trezor phishing email today.

According to Trezor’s brand ambassador Josef Tetek, the firm is aware of the ongoing phishing campaign and is actively looking into it.

“We continuously report fake websites, contact domain registrars, and educate and warn our customers of known risks,” Tetek said, referring to multiple articles aiming to help users deal with phishing attacks. One such article says that phishing emails often redirect to download a Trezor Suite lookalike app that will ask users to connect their wallet and enter their seed.

Related: Scammers create Blockworks clone site to drain crypto wallets

“The seed is compromised once you enter it into the app, and your funds will then be immediately transferred to the attacker's wallet,” the page reads.

Tetek emphasized that Trezor never asks for users’ recovery seed, PIN, or passphrase, adding:

“Users should never enter their recovery seed directly into any website, or mobile app or type it into a computer. The only safe way to work with the recovery seed is as per the instructions shown on a connected Trezor hardware wallet.”

Cryptocurrency investors have been suffering from multiple phishing attacks despite many efforts to curb such scams. In September, a large crypto investor reportedly fell victim to a massive phishing campaign, losing $24 million worth in crypto assets. According to some cybersecurity reports, the number of cryptocurrency phishing attacks saw a 40% increase in 2022.

Additional reporting by Cointelegraph author Felix Ng.

Magazine: How to protect your crypto in a volatile market — Bitcoin OGs and experts weigh in


Scammers create spoof Blockworks site to drain crypto wallets

Phishing scammers have been spreading fake news of a $37 million dollar Uniswap exploit using a convincing fake Blockworks website.

Phishing scammers have cloned the websites of crypto media outlet Blockworks and Ethereum blockchain scanner Etherscan to trick unsuspecting readers into interacting with a phishing site.

A cloned Blockworks site displays a fake "BREAKING" news report of a supposed multimillion-dollar “approvals exploit” on the decentralized exchange Uniswap and directs users to a faked Etherscan website to rescind approvals.

The fake Blockworks website (left) shows a fake breaking news story of a Uniswap exploit compared to the legitimate website (right).

The fake Etherscan website, displaying a purported token and smart contract approval checker, instead contains a smart contract that would likely drain a crypto wallet when connected.

Related: 85% of crypto rug pulls in Q3 didn’t report audits: Hacken

The phishing website (left) compared to the legitimate Etherscan website (right).

An age check of the domains shows the fake Etherscan site — approvalscan.io — was registered on Oct. 25, with the faked Blockworks site — blockworks.media registered a day later.

Magazine: Ethereum restaking — Blockchain innovation or dangerous house of cards?


Galxe replacing 110% of funds users lost in recent front-end hack, over $400K

The platform was the victim of a phishing scam that routed users to a website that drained their wallets after they approved a transaction.

Galxe is making users whole by 110% if they lost funds in a recent hack, the firm announced on Oct. 10. “We want to express our deepest gratitude to those who are standing by us during this difficult time,” the company said.

Users’ funds will be automatically returned on Oct. 16 to the wallet addresses they were taken from unless they request other handling. The affected users will be paid in Tether (USDT) with the value calculated as of 10:00 UTC Oct. 9.

Users who authenticated transactions on a phishing site on Oct. 6 were affected, Galxe said in a letter to users. The hack lasted just over five hours.

In a preliminary estimate dated Oct. 10, over $396,000 of losses were recorded, in amounts ranging from over $53,000 to just pennies. The company had estimated earlier that around 1,120 users were affected by the hack.

Related: Crypto suffered 153% YoY increase in hacks and scams in Q3: Immunefi

Platform co-founder Charles Wayn told Cointelegraph in a written response that Galxe is working with two security firms to track down the hacked funds. In addition, it has improved its domain name service security settings, changed its domain provider and is conducting security audits. Wayn said:

“The incident was mainly caused by [domain registrar] Dynadot resetting our account information and granting permission to an impersonator who provided fake documentation claiming to be an authorized member of Galxe.”

The Galxe protocol is a permissionless self-sovereign identity infrastructure. Its native GAL token fell from $1.20 to $1.15 on Friday, Oct. 6. It reached $1.21 over the weekend with high trading volume through Saturday morning. It had settled at $1.16 at the time of writing, according to CoinGecko.

Magazine: Should crypto projects ever negotiate with hackers? Probably


Ordswap urges users to recover keys after losing control of website

Before it was taken down, Ordswap users said the compromised website directed users to a phishing link.

Ordswap, a marketplace that allows users to inscribe, auction, and trade Bitcoin Ordinals, has devised a method for users to retrieve their private keys as it scrambles to regain control of its website domain.

In an Oct. 10 X (Twitter) post, the Ordswap X account shared an online tool that purports to help users who logged into the site through MetaMask to recover their Ordswap private keys, allowing them to move to other providers.

Hours earlier, on Oct. 9, Ordswap posted a stark warning to users not to connect to its domain as it was not in control of it. It pinned the issue on Netlify — a website development and hosting firm.

On the project’s Discord server, a member of Ordswap’s team and users reported that for a time, the website featured a button prompting users to connect their crypto wallet in an apparent attempt to phish users.

One X user reported the button was a wallet drainer — an increasingly popular tool deployed by crypto scammers. At the time of writing, Ordswap’s website automatically redirected to a competing marketplace RelayX.

An Ordswap team member on Discord claimed the project had not seen an impact on user private keys or assets due to the breach but added users could be compromised if they interacted with the site.

Ordswap support team member “Bitkorn” claims the project hasn’t seen user assets impacted by the website breach. Source: Discord

Related: FTX hacker could be using SBF trial as a smokescreen: CertiK

In late September, the website for the Ethereum-based automated market maker Balancer was compromised in a seemingly similar attack, with attackers making off with around $240,000 worth of funds.

Balancer later said it believed the exploiters carried out a social engineering attack on its DNS service provider EuroDNS, which allowed them to inject a prompt that tricked users into approving a malicious contract that drains their wallets.

Magazine: NFT Collector: Giant Swan’s gothic VR dreamscapes… royalty nightmare on OpenSea


September becomes the biggest month for crypto exploits in 2023: CertiK

The Mixin Network cross-chain protocol accounted for almost two-thirds of the crypto exploit losses in September.

September has officially become the worst month in 2023 (so far) for crypto-related exploits — with a whopping $329.8 million in crypto stolen.

On Oct. 2, blockchain security firm CertiK said the most significant contributor to the month’s totals came from the Mixin Network attack on Sept. 23 when the Hong Kong-based decentralized cross-chain transfer protocol lost $200 million due to a breach of its cloud service provider.

Other major incidents for the month included the attacks on the CoinEx exchange and Stake.com resulting in losses of $53 million and $41 million respectively.

As reported by Cointelegraph, North Korean hacking collective the Lazarus Group has been blamed for both attacks. The latest figures from Dune Analytics claim that the group currently holds $45.6 million in crypto assets.

These attacks have taken the yearly total of crypto lost to exploits to $925.4 million. July was the second-highest month for exploit losses with $285.8 million pilfered.

Meanwhile, the month also saw $1.9 million lost to exit scams, $400,000 to flash loan attacks, and another $25 million to phishing attacks, according to CertiK.

The total lost in 2023 to exploits, scams, and hacks has now totaled $1.34 billion.

Related: North Korean Lazarus Group amasses over $40M in Bitcoin, data reveals

According to blockchain security firm Beosin, total losses from hacks, phishing scams, and exit scams were just under $890 million for the third quarter of 2023.

Losses in Q3 even exceeded the combined sum of the first two quarters which was $330 million in Q1 and $333 million in Q2, it reported late last week.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story


Celsius creditors flag renewed phishing attacks ahead of bankruptcy plan

Creditors of crypto lender Celsius Network have reported receiving a new flood of phishing emails, likely resulting from two data breaches last year.

Creditors from bankrupt crypto lender Celsius Network are again being targeted in a new wave of phishing attacks as the crypto lender’s bankruptcy proceedings enter their final stages.

Reports on social media over the past week have shown an increase in phishing attacks from scammers impersonating Stretto, the bankruptcy services platform for crypto lender Celsius and its creditors. 

One user reported receiving three phishing emails claiming to be from Celsius on Sept. 18.

Others reported receiving fake emails with malicious links attempting to impersonate Stretto, the claims agent handling the bankruptcy case.

The fake website, which drops an ‘s’ from the genuine URL, pops up a connect wallet prompt which when connected allows the scammers to drain the crypto asset contents.

One analyst and business manager said that phishing attacks were likely to increase as the Celsius bankruptcy proceedings approach their final stages. He advised taking precautions and double-checking links.

In mid-August Celsius was authorized to start sending out ballots to its customers for a vote on a proposed settlement plan. Scammers are using this to ramp up phishing attacks around the voting deadline.

According to Simon Dixon, CEO and co-founder of the online investment platform BnkToTheFuture, the final date for voting was Sept. 18 with the report scheduled for Sept. 20, and a confirmation hearing slated for Sept. 29.

Celsius intends to seek final court approval of its restructuring plan on Oct. 2.

Related: Celsius and Core Scientific propose $45M settlement for litigation

The phishing attacks appear to stem from previous data breaches, including a Celsius Network email server breach in April 2021 that resulted in user details being leaked, which led to malicious emails to those users.

The embattled crypto lender revealed more of its customer data had been leaked in another third-party data breach in July 2022 which led to another wave of phishing attacks.

Customers of the crypto lender have been waiting to be made whole ever since Celsius halted withdrawals in June 2022 after the collapse of the Terra/Luna ecosystem. The crypto lender filed for bankruptcy the following month.

Magazine: Simon Dixon on bankruptcies, Celsius and Elon Musk: Crypto Twitter Hall of Flame


Crypto whale loses $24M in staked Ethereum to phishing attack

A significant portion of the stolen funds has been transferred into the fully automatic cryptocurrency exchange FixedFloat.

A cryptocurrency whale has fallen victim to a massive phishing attack, losing millions of dollars in staked Ether (ETH) on the liquid staking provider Rocket Pool.

The investor lost their entire address balance of Lido Staked ETH (stETH) and Rocket Pool ETH (rETH) on Sept. 6, the cryptocurrency security firm PeckShield reported.

The hack was completed in just two transactions, with 9,579 stETH stolen in one and 4,851 rETH in another. At the time of the attack, the amount stolen was worth $15.5 million in stETH and $8.5 million in rETH, a staggering $24 million combined.

Transactions in the $24 million phishing hack. Source: X

According to PeckShield, the phisher subsequently swapped the assets for 13,785 ETH and 1.64 million Dai (DAI).

A significant portion of the DAI stash has already been transferred into the fully automatic cryptocurrency exchange FixedFloat, PeckShield reported.

SlowMist’s crypto tracking team, MistTrack, reported that most of the remaining stolen funds were transferred to three addresses.

Related: MetaMask scammers take over government websites to target crypto investors

According to anti-scam source Scam Sniffer, the victim enabled token approvals to the scammer by signing “Increase Allowance” transactions.

“Increase Allowance” method on the phisher’s transaction. Source: Etherscan

Allowance or access permissions are a feature of ERC-20 tokens that enable a third party to have the right to spend some tokens that belong to a different owner, using smart contracts. Some cryptocurrency observers have warned against risks associated with approving ERC-20 allowances, noting that anonymous developers could deploy malicious smart contracts to scam users.
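The “Increase Allowance” approval described above is visible in the transaction's calldata before it is signed, and a wallet or transaction checker can decode and risk-rate it. This is an added example, not code from the article or from Scam Sniffer, PeckShield or Etherscan; the function selectors are the standard ERC-20/OpenZeppelin ones, and the spender address and calldata are constructed placeholders.

```python
"""Decode and risk-rate the calldata of an ERC-20 approval before it is signed.

Added example (not from the article). Selectors are the standard ERC-20 /
OpenZeppelin ones; the spender address and sample calldata are constructed.
"""

# First four bytes of keccak256(signature), as hex, for the approval methods.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a457c2d7": "decreaseAllowance(address,uint256)",
}
UINT256_MAX = 2**256 - 1


def decode_approval(calldata_hex):
    """Return (method, spender, amount) for an approval-style call, else None.

    ABI encoding: 4-byte selector, then one 32-byte word per argument. The
    address is right-aligned in its word; the amount is a big-endian uint256.
    """
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:
        return None
    method = SELECTORS.get(data[:8])
    if method is None:
        return None
    word1, word2 = data[8:72], data[72:136]
    if word1[:24] != "0" * 24:  # address padding must be zero
        return None
    return method, "0x" + word1[24:], int(word2, 16)


def assess_approval(calldata_hex, trusted_spenders):
    """Classify an approval the way a wallet warning or tx simulator might.

    trusted_spenders: hex addresses the user has knowingly approved before
    (e.g. a DEX router). Any other spender is treated as an unknown party.
    """
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return "not-an-approval"
    method, spender, amount = decoded
    name = method.split("(")[0]
    if name == "decreaseAllowance":
        return "low: allowance is being reduced"
    known = spender in {s.lower() for s in trusted_spenders}
    if amount == UINT256_MAX:
        level = "medium" if known else "high"
        return f"{level}: UNLIMITED allowance for {spender} via {name}"
    if not known:
        return f"medium: {amount} units to unknown spender {spender} via {name}"
    return f"low: {amount} units to known spender {spender} via {name}"


# Constructed sample: increaseAllowance(0xdead...beef, 2**256-1), the shape of
# an "Increase Allowance" signature that hands a drainer an unlimited allowance.
SAMPLE_CALLDATA = "0x39509351" + "0" * 24 + "deadbeef" * 5 + "f" * 64

if __name__ == "__main__":
    print(decode_approval(SAMPLE_CALLDATA))
    print(assess_approval(SAMPLE_CALLDATA, trusted_spenders=[]))
```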

The news comes shortly after at least five Ethereum liquid staking providers — Rocket Pool, StakeWise, Stader Labs and Diva Staking — imposed or started working to impose a self-limit rule in which they promise not to own more than 22% of the Ethereum staking market.

Magazine: Asia Express: Thailand’s national airdrop, Delio users screwed, Vietnam top crypto country


AI-coded smart contracts may be flawed, could ‘fail miserably’ when attacked: CertiK

CertiK’s security chief thinks inexperienced programmers using AI tools such as ChatGPT to write smart contracts is a recipe for disaster.

Artificial intelligence tools such as OpenAI’s ChatGPT will create more problems, bugs and attack vectors if used to write smart contracts and build cryptocurrency projects, says an executive from blockchain security firm CertiK.

Kang Li, CertiK’s chief security officer, explained to Cointelegraph at Korean Blockchain Week on Sept. 5 that ChatGPT cannot pick up logical code bugs the same way that experienced developers can.

Li suggested ChatGPT may create more bugs than identify them, which could be catastrophic for first-time or amateur coders looking to build their own projects.

“ChatGPT will enable a bunch of people that have never had all this training to jump in, they can start right now and I start to worry about morphological design problems buried in there.”

“You write something and ChatGPT helps you build it but because of all these design flaws it may fail miserably when attackers start coming,” he added.

Instead, Li believes ChatGPT should be used as an engineer’s assistant because it’s better at explaining what a line of code actually means.

“I think ChatGPT is a great helpful tool for people doing code analysis and reverse engineering. It’s definitely a good assistant and it’ll improve our efficiency tremendously.”

The Korean Blockchain Week crowd gathering for a keynote. Source: Andrew Fenton/Cointelegraph

He stressed that it shouldn’t be relied on for writing code — especially by inexperienced programmers looking to build something monetizable.

Li said he will back his assertions for at least the next two to three years as he acknowledged the rapid developments in AI may vastly improve ChatGPT’s capabilities.

AI tech getting better at social engineering exploits

Meanwhile, Richard Ma, the co-founder and CEO of Web3 security firm Quantstamp, told Cointelegraph at KBW on Sept. 4 that AI tools are becoming more successful at social engineering attacks — many of which are identical to attempts by humans.

Ma said Quantstamp’s clients are reporting an alarming amount of ever more sophisticated social engineering attempts.

“[With] the recent ones, it looks like people have been using machine learning to write emails and messages. It's a lot more convincing than the social engineering attempts from a couple of years ago.”

While the ordinary internet user has been plagued with AI-generated spam emails for years, Ma believes we’re approaching a point where we won’t know if malicious messages are AI or human-generated.

Related: Twitter Hack: ‘Social Engineering Attack’ on Employee Admin Panels

“It's gonna get harder to distinguish between humans messaging you [or] pretty convincing AI messaging you and writing a personal message,” he said.

Crypto industry pundits are already being targeted, while others are being impersonated by AI bots. Ma believes it will only get worse.

“In crypto, there’s a lot of databases with all the contact information for the key people from each project. So the hackers have access to that [and] they have an AI that can basically try to message people in different ways.”

“It’s pretty hard to train your whole company to not respond to those things,” Ma added.

Ma said better anti-phishing software is coming to market that can help companies mitigate against potential attacks.

Magazine: AI Eye: Apple developing pocket AI, deep fake music deal, hypnotizing GPT-4


MetaMask scammers take over government websites to target crypto investors

Official government websites from India, Nigeria, Egypt, Colombia, Brazil, Vietnam and other jurisdictions have been found redirecting to fake MetaMask websites.

Crypto scams targeting MetaMask users are using government-owned website URLs to con victims and access their crypto wallet holdings.

Ethereum-based crypto wallet MetaMask has long been the target of a scam in which unwary users are redirected to fabricated websites that request access to their MetaMask wallets. Cointelegraph’s investigation into the matter found numerous government-owned websites being used to perpetrate this exact scam.

Official government websites from India, Nigeria, Egypt, Colombia, Brazil, Vietnam and other jurisdictions have been found redirecting to fake MetaMask websites, as shown below.

MetaMask scammers use government websites to steal from crypto users. Source: Cointelegraph (via Google)

Cointelegraph alerted MetaMask about the ongoing scams but did not receive a response by publication.

Once a user clicks on any of the rogue links placed within the government website URLs, they are redirected to a fake URL instead of the original URL “MetaMask.io.” Once accessed, Microsoft’s built-in security — Microsoft Defender — warns users about a possible phishing attempt.

Microsoft’s warning against the MetaMask phishing websites. Source: Cointelegraph

If users ignore the warning, they are greeted by a website resembling the official MetaMask website. The fake websites will eventually ask the users to link their MetaMask wallets to access various services on the platform.

Comparison between the original and fake MetaMask websites. Source: Cointelegraph

The above screenshot shows the similarity between the real and fake MetaMask websites, which is one of the main reasons investors fall for the scam. Linking MetaMask wallets on such websites gives scammers complete control over the assets held on those particular MetaMask wallets.

Related: Scam alert: MetaMask warns users of deceptive March 31 airdrop rumors

In April, MetaMask denied claims of an exploit that potentially drained over 5,000 Ether (ETH).

The wallet provider said the 5,000 ETH was stolen “from various addresses across 11 blockchains,” reaffirming the claim that funds were hacked from MetaMask “is incorrect.”

Speaking to Cointelegraph, Wallet Guard co-founder Ohm Shah said the MetaMask team has been “researching tirelessly,” and there is “no solid answer to how this has happened.”

Magazine: How to protect your crypto in a volatile market: Bitcoin OGs and experts weigh in
