Man
The more popular cryptocurrencies become in the world, the more ways to store them appear, the more actively the arsenal of attackers hunting for digital money expands. Depending on how well the target is protected and how much money the scammers can steal in the event of a successful attack, they use more or less complex technologies, imitate legitimate resources with greater or lesser care. In this article, we will talk about two fundamentally different approaches in email attacks on the two most popular ways to store cryptocurrency - hot and cold wallets.
Hot wallets and attempts to access them
A hot wallet is a cryptocurrency wallet with constant access to the Internet. In fact, it is any online service that provides cryptocurrency storage: from crypto exchanges to specialized applications. Hot wallets are a very common way to store cryptocurrencies. Their popularity is explained by the fact that, firstly, it is easy to create such a wallet (it is enough to register an account in one of the services) and, secondly, funds from it are easy to withdraw and convert into other currencies. Due to their prevalence and simplicity, hot wallets are the main target for attackers. But there is one small nuance: it is because of this, and also because hot wallets are always connected to the Internet, that large sums are rarely placed on them. Accordingly, attackers have no motivation to seriously invest in preparing phishing campaigns. Therefore, mail attacks on such wallets are not notable for original techniques or sophisticated methods. On the contrary, they look quite primitive and are designed mainly for a poorly prepared user.
A typical phishing attack on the owner of a hot crypto wallet looks like this: attackers send emails on behalf of a well-known crypto exchange asking to confirm transactions or re-verify the wallet.

Phishing email targeting Coinbase users
After clicking on the link, the user is taken to a page where they are asked to enter a seed phrase. A seed phrase (or recovery phrase) is a sequence of 12 (less often 24) words required to restore access to the wallet. In essence, this is the master password for the wallet. Using a seed phrase, you can gain or restore access to the user's account and make any transactions on their behalf. The seed phrase itself cannot be changed or restored. If you lose it, the user risks losing access to the wallet forever, and if you give it to scammers, you can irreversibly compromise your account.

Seed Phrase Input Page
If a user enters a seed phrase on a fake page, the attackers gain full access to their wallet and can withdraw all funds to their addresses.
Such schemes are usually designed for the mass user. They are quite simple, they do not contain any complex technical methods or psychological tricks. The seed phrase input form is usually minimalistic: the page does not contain any additional elements, except for the input field itself and the exchange logo.
Phishing targeting cold wallets
A cold wallet (or cold storage) is a wallet without a permanent connection to the Internet. It can be a separate device or even a private key written on a piece of paper. The most popular type of cold wallet is the hardware wallet. Since these devices are offline almost all the time and cannot be accessed remotely, users store significantly larger amounts on them than on hot wallets. However, it would be a mistake to think that a hardware wallet cannot be compromised without stealing it or at least gaining physical access to it. As with hot wallets, attackers use social engineering to get to the user's assets. For example, not long ago we noticed a mass mailing aimed specifically at owners of hardware cold wallets. The attack starts much like mass mailings on the cryptocurrency theme: the user receives an email, ostensibly from the Ripple crypto exchange, offering to take part in a giveaway of XRP tokens, the platform's own cryptocurrency.

Phishing email from Ripple crypto exchange
When clicking on the link, the user is taken to a blog page with a post explaining the rules of the "promotion". The post contains a direct link supposedly to registration.

Fake Ripple Blog
Already at this stage we see differences from mass attacks on hot wallets: instead of sending a link straight to a phishing page, the attackers used a multi-step scheme that first draws the victim in through a blog. In addition, they carefully copied the design of the Ripple website and registered a domain almost identical to the official domain of the exchange. The technique used to forge the domain name is a punycode (homograph) attack: at first glance the second-level domain matches the original exactly, but on closer inspection the letter r has been replaced with the Unicode character ŗ (r with cedilla), as the punycode form of the name reveals:
Code:
https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/
In addition, the attackers placed their resource in the .net domain zone, and not .com, where the official Ripple website is located. However, legitimate organizations widely use both domain zones, so a domain that looks like ripple.net may not arouse suspicion in the victim.
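The look-alike check described above can be automated on the defender's side, for instance in a mail or URL-scanning gateway. The following script is an added example in Python, not code from the original article: it decodes punycode labels with Python's built-in idna codec, strips diacritics with unicodedata to obtain a "skeleton" that can be compared with a brand name, and flags a host whose skeleton matches a protected brand while its spelling does not, or that uses the brand name outside its official domain. The brand table (ripple.com and trezor.io, the official sites the article names) and all sample URLs other than the punycode one quoted above are assumptions constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlparse

# Assumption: a small hard-coded brand table. ripple.com and trezor.io are the
# official sites named in the article; a real gateway would load a fuller list
# from configuration.
KNOWN_BRAND_DOMAINS = {"ripple": "ripple.com", "trezor": "trezor.io"}

# Constructed sample input: the first entry is the punycode URL quoted in the
# article (defanging brackets removed); the others are made up for contrast.
SAMPLE_URLS = [
    "https://app.xn--ipple-4bb.net/",
    "https://www.ripple.com/",
    "https://ripple.net/",
    "https://trezor.io/",
]


def to_unicode_host(host):
    """Decode punycode labels (xn--...) so the host reads the way a browser
    would display it, e.g. app.xn--ipple-4bb.net -> app.ŗipple.net."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Host already contains non-ASCII characters (or is malformed): keep it.
        return host


def skeleton(text):
    """Collapse look-alike spellings: NFKD-decompose, drop combining marks,
    lower-case. 'ŗipple' (r with cedilla) becomes plain 'ripple'. This is a
    simplified version of the UTS #39 confusable-skeleton idea."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def analyze_url(url):
    """Return the decoded host plus a list of findings; an empty list means the
    host passed these checks (which is not proof that it is legitimate)."""
    host = urlparse(url).hostname or ""
    display_host = to_unicode_host(host)
    labels = display_host.split(".")
    findings = []

    for label in labels:
        if not label.isascii():
            findings.append("non-ASCII label %r (punycode %s)"
                            % (label, label.encode("idna").decode("ascii")))
        skel = skeleton(label)
        if skel in KNOWN_BRAND_DOMAINS and label.lower() != skel:
            findings.append("label %r is a look-alike of brand %r" % (label, skel))

    # Assumption: the registrable domain is the last two labels (no public
    # suffix list), so ripple.net and ŗipple.net both map to brand 'ripple'.
    if len(labels) >= 2:
        brand = skeleton(labels[-2])
        registrable = skeleton(".".join(labels[-2:]))
        official = KNOWN_BRAND_DOMAINS.get(brand)
        if official and registrable != official:
            findings.append("brand %r used outside its official domain %s"
                            % (brand, official))

    return {"host": host, "display_host": display_host,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        report = analyze_url(url)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print("%s -> %s: %s" % (url, report["display_host"], verdict))
        for finding in report["findings"]:
            print("    -", finding)
```

Run as-is, the quoted punycode host produces three findings (a non-ASCII label, a look-alike of "ripple", and the brand used under .net instead of ripple.com), while ripple.net is caught only by the last check, which is exactly the case the article says a victim is unlikely to notice by eye.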
After the user follows the link from the "blog" to the fake Ripple page, they are asked to connect to the web socket wss://s2.ripple.com.

Connecting to a web socket
The next step is for the user to enter the address of their XRP account.

The user is asked to enter the address of the XRP account.
After this, the site offers to choose which method the user wants to use to log in to receive bonus tokens.

Selecting an authorization method
As we can see, hardware wallets come first on the list, and the attackers recommend using them. If the user selects Trezor, they are redirected to the official website trezor.io, which offers a function for connecting the device to web applications via the Trezor Connect API. This API is meant to simplify transactions with a hardware wallet. What the attackers want is for the victim to connect to their site and authorize it to withdraw money from the account.
When a user tries to connect to a third-party resource, Trezor Connect asks for consent to anonymous data collection and access confirmation. The address of the fraudulent resource the user is connecting to is shown in the punycode representation: https://app[.]xn--ipple-4bb[.]net. The attackers' only hope is for the user's inattention: the page address is shown in small print on the side, so it is easy to miss.

Trezor Connect: Confirming Connection to Fraudulent Resource
In the case of Ledger, the scheme is almost the same, but involves connecting a hardware wallet via the WebHID interface. The rest of the attack steps do not change.
What happens after the user connects their hardware wallet? To answer this question, we had to dig a little into the phishing site code. The entire site is run by an application written in Node.js. It operates two APIs:
- wss://s2.ripple.com — official web socket for working with Ripple transactions;
- Phishing site API (e.g. app[.]xn--ipple-4bb[.]net/api/v1/action).
These two APIs are used by the attackers to work with the victim's XRP account. The phishing site's API accesses the web socket, verifies the account information, and then sends a request to the web socket to withdraw funds. For this purpose, the attackers generate one-time intermediate wallets.
Withdrawal request:
Code:
{
"command": "get_payment",
"account": victim_address,
"transactionType": "Payment"
}
Answer and description:
Code:
{
"success": true,
"data": {
"TransactionType": "Payment",
"Account": victim_address,
"Fee": "10",
"Sequence": 391,
"Destination": "rU53pnJzEv2mrtck…"*,
"Flags": 2147483648,
"Amount": "xxx",
"LastLedgerSequence": 79548458
}
}
* Attackers generate a new address each time.
The intermediate account is used for only two transactions: to receive funds from the victim and to transfer them to the permanent account of the scammers. In this way, the scammers hide the final address from detection.
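The request and reply above show the Payment object a victim ends up signing, and the paragraph above describes the one-time intermediate account used to forward the funds. Two defensive checks follow as an added example in Python, not code from the original article nor from Ripple or any wallet vendor: a wallet-side review of a Payment object with the same fields as the quoted reply (Flags 2147483648 is the tfFullyCanonicalSig bit, 0x80000000), and a simple detector for the receive-once-forward-once intermediate account pattern over a list of ledger payments. All addresses, amounts and ledger indices are constructed placeholders, and the thresholds (per-transaction limit, 90% of balance, 95% forwarded within 50 ledgers) are assumptions chosen for the demonstration.

```python
from collections import defaultdict

DROPS_PER_XRP = 1_000_000            # XRP amounts on the ledger are strings of drops
TF_FULLY_CANONICAL_SIG = 0x80000000  # == 2147483648, the Flags value in the quoted reply

# Constructed sample: same fields as the "data" object quoted in the article,
# with placeholder addresses (not real XRP Ledger accounts) and a made-up amount.
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Account": "rVictimPlaceholder",
    "Fee": "10",
    "Sequence": 391,
    "Destination": "rIntermediatePlaceholder",
    "Flags": TF_FULLY_CANONICAL_SIG,
    "Amount": str(950 * DROPS_PER_XRP),
    "LastLedgerSequence": 79548458,
}


def review_payment(tx, signer_account, trusted_destinations, max_drops, balance_drops):
    """Wallet-side sanity check run before a transaction is signed.
    Returns a list of reasons to refuse; an empty list means nothing stood out."""
    problems = []
    if tx.get("TransactionType") != "Payment":
        problems.append("unexpected TransactionType %r" % tx.get("TransactionType"))
    if tx.get("Account") != signer_account:
        problems.append("transaction is for account %r, not the signer" % tx.get("Account"))
    if tx.get("Destination") not in trusted_destinations:
        problems.append("destination %r is not on the trusted list" % tx.get("Destination"))
    if tx.get("Flags", 0) & ~TF_FULLY_CANONICAL_SIG:
        problems.append("flags other than tfFullyCanonicalSig are set: %#x" % tx["Flags"])

    amount = tx.get("Amount")
    if not isinstance(amount, str) or not amount.isdigit():
        # Issued-currency amounts are objects; anything but a drops string is unexpected here.
        problems.append("Amount is not an XRP drops value: %r" % (amount,))
        drops = 0
    else:
        drops = int(amount)
    if drops > max_drops:
        problems.append("amount %.6f XRP exceeds the per-transaction limit of %.6f XRP"
                        % (drops / DROPS_PER_XRP, max_drops / DROPS_PER_XRP))
    if balance_drops and drops >= 0.9 * balance_drops:
        problems.append("payment would move at least 90%% of the balance (%.6f XRP)"
                        % (balance_drops / DROPS_PER_XRP))
    return problems


# Constructed sample ledger activity: (ledger_index, sender, destination, drops).
# rIntermediatePlaceholder receives once from the victim and immediately forwards
# almost everything to rFinalPlaceholder, the pattern the article describes.
SAMPLE_PAYMENTS = [
    (79548300, "rAlicePlaceholder", "rBobPlaceholder", 10 * DROPS_PER_XRP),
    (79548350, "rBobPlaceholder", "rAlicePlaceholder", 5 * DROPS_PER_XRP),
    (79548360, "rBobPlaceholder", "rCarolPlaceholder", 2 * DROPS_PER_XRP),
    (79548400, "rVictimPlaceholder", "rIntermediatePlaceholder", 950 * DROPS_PER_XRP),
    (79548410, "rIntermediatePlaceholder", "rFinalPlaceholder", 950 * DROPS_PER_XRP - 10),
    (79548420, "rCarolPlaceholder", "rAlicePlaceholder", 1 * DROPS_PER_XRP),
]


def find_pass_through_accounts(payments, max_gap_ledgers=50, min_forward_ratio=0.95):
    """Flag accounts that received exactly one payment and sent exactly one, forwarding
    nearly all of it within a few ledgers: the one-time intermediate wallet pattern."""
    received = defaultdict(list)
    sent = defaultdict(list)
    for ledger, src, dst, drops in payments:
        received[dst].append((ledger, src, drops))
        sent[src].append((ledger, dst, drops))

    hits = []
    for account, incoming in received.items():
        outgoing = sent.get(account, [])
        if len(incoming) != 1 or len(outgoing) != 1:
            continue
        in_ledger, origin, in_drops = incoming[0]
        out_ledger, final_dst, out_drops = outgoing[0]
        if 0 <= out_ledger - in_ledger <= max_gap_ledgers and out_drops >= min_forward_ratio * in_drops:
            hits.append({"intermediate": account, "from": origin, "to": final_dst, "drops": in_drops})
    return hits


if __name__ == "__main__":
    for problem in review_payment(SAMPLE_TX, "rVictimPlaceholder",
                                  {"rExchangeDepositPlaceholder"},
                                  100 * DROPS_PER_XRP, 1000 * DROPS_PER_XRP):
        print("refuse:", problem)
    for hit in find_pass_through_accounts(SAMPLE_PAYMENTS):
        print("pass-through account:", hit)
```

The review function refuses the sample transaction on three counts (unknown destination, over the per-transaction limit, and draining most of the balance), which is the kind of check a wallet front end or a user can apply before confirming what a web application asks the hardware device to sign. The pass-through detector is the analyst-side counterpart: because the intermediate account touches the ledger only twice, it is easy to pick out once the victim's outgoing payment is known, and the account it forwards to is the one worth tracking.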
Conclusion
Attackers understand one simple truth: the harder the money is to reach, the more of it there is likely to be. Therefore, when attacking what many consider virtually invulnerable hardware wallets, far more elaborate tactics are used than when attacking users of online services. Although hardware crypto wallets are indeed more reliable than hot ones, their owners should remain vigilant. Before giving any resource access to your wallet, check all the data carefully and refuse to connect at the slightest doubt.
Source