Despite the volatility that is characterizing cryptocurrencies, mining is still a lucrative business for cyber criminals. Recent academic research has shown that only the embedded cryptocurrency miner CoinHive is generating $250,000 worth of Monero every month, most of it (80%) going to just 10 individuals.
In a previous blog post, I explained the reasons why cryptojacking has replaced ransomware as the top threat:
- It provides immediate revenues
- Potentially any kind of device can mine cryptocurrency
- The attackers can leverage multiple infection mechanisms
However Mining botnets and cryptojackers are not the only attack vectors that miscreants can leverage to monetize their victims’ CPU. This blog post focuses on two additional increasingly common threats: clipboard hijackers and crypto phishing.
The Rise of Clipboard Hijackers
Discovered at the end of 2017, clipboard hijackers demonstrate that attackers have quickly learnt how to take advantage of the mechanism used to transfer crypto currencies across different users. This operation still requires sending the coins to long and hard to remember addresses (an identifier of 26-35 alphanumeric characters), and because of this complexity the users simply copy the address from a certain location or application and paste it into the application used to send the coins. This copy and paste operation is performed via the Windows clipboards.
That’s exactly what clipboard hijackers (also known as clipboard stealers) monitor, and when a crypto currency address is detected (whether it is Bitcoin, Ethereum, Monero or virtually any other currency), it is replaced with a different address under the control of the attackers. It is an obvious consequence that every transfer of virtual currency will end directly into the attacker’s virtual pockets.
Attackers are doing things in style: a recent sample has been discovered, able to monitor 2.3 million bitcoin addresses. And while the list of the victims continues to grow, users are always the weakest link of the security chain.
The reality is that transferring crypto currencies over the internet is equivalent to dealing with a bank in the real world. However, in the first case the process takes place into an open system, and the success of these attacks demonstrates that users are not completely aware of this. In this specific case, a double check on the destination address would suffice to prevent this attack from being successful.
Targeted Phishing Campaigns
According to a recent report, in the second quarter of 2018, cybercriminals were able to steal over $2.3 million via crypto phishing scams during Initial Coin Offerings (ICOs), mainly on the Ethereum platform. A very compelling window of opportunity for attackers considering that, at the time of writing, there have been 725 ICOs so far in 2018, according to CoinSchedule, with a total of $18 billion raised.
So if the user is not victim of a fraudulent ICO (and 80% of all the ICOs occurred in 2017 were fraudulent according to this study), he is still exposed to financial losses via more traditional mechanisms. The modus operandi of an ICO phishing scam is pretty straightforward: before the real Initial Coin Offering, if the investors’ database falls into the wrong hands, the attackers send fake emails to the ICO participants, purporting to be from the ICO issuer and containing links to wallets under their control, wallets where the victims will inevitably end up transferring their funds in real or virtual currency. Bee Token ($1 million worth of Ethereum stolen) and Experty ($150,000 worth of Ethereum stolen) are two example of successful crypto phishing campaigns carried on with this modus operandi.
But crypto phishing campaigns may also target other services like online wallets. Back in April MyEtherWallet, an open source Ethereum wallet service, had its Amazon DNS hijacked. Users accessing the service during the hack window were redirected to a malicious replica of the website where their private keys were phished. Needless to say, the victims had their funds drained with the attackers able to siphon off $160,000 worth of Ethereum). It is important to notice how the lack of adequate protection of a cloud service played an important role for this campaign, suggesting that security of the crypto services as a whole is not still seen as a priority.
Furthermore, the attack described above was carried on with the complicity of a phishing kit specifically created for MyEtherWallet, dubbed MEWkit. Adversaries can be very creative and determined, leveraging multiple attack vectors like the hijacking of a cloud service and a custom phishing kit developed for a specific crypto wallet service. It also shows how a traditional technique (phishing) can be tailored to automatically transfer funds from a crypto service that does not have the same barriers, in terms of security, of a traditional banking service.
It is possible that other crypto phishing kits might emerge in the future, even if at the moment bad actors have shown a particular affection for MyEtherWallet (in a later hack occurred in July, the service urged some users to transfer their funds immediately after malicious actors hacked for 5 hours the Chrome extension of Hola, a free VPN service used by a portion of its users).
Cyber criminals have quickly caught up with the crypto landscape as the phishing pages can mimic Initial Coin Offerings, exchange and wallet services, and also giveaway pages where free coins are promised (and the users overlook the basic rule: there is nothing free in this world and the internet is no exception).
But There Is Much More to Monetize…
With mining botnets and cryptojackers, miscreants aim to monetize CPU usage, with clipboard stealer malware and phishing they aim to hijack the transfer of funds.
Despite the blockchain technology is commonly associated with virtual currencies, it can have many more applications: the Ethereum white paper proposes distributed applications for identity and reputation systems, decentralized file storage, decentralized autonomous organizations, peer-to-peer gambling, and much more. A look at the list of existing distributed applications built on Ethereum shows that this is already happening… And that miscreants could have more to monetize or to hijack.
For instance, in distributed cloud storage, participants can rent unused hard drive and bandwidth to a global decentralized cloud storage network. Files are encrypted with the owner’s key, broken into pieces and distributed into the decentralized storage. In this case attackers could monetize the unused hard drive space of their victims renting it and being payed accordingly.
Other projects aim to use the blockchain to build a marketplace for energy using the existing grid infrastructure: in this case attackers could phish the API Keys (something that already happened for Binance, a cryptocurrency exchange market) and sell energy on behalf of their victims.
Phishing related to online gaming is also an interesting business landing soon on the blockchain: you could spend days and tokens to breed your CryptoKitten or train your Crypto Cristiano Ronaldo and lose everything after your account is hacked.
General Recommendations
Business and users can reduce their risk of exposure to phishing and crypto stealers:
- Governing web use with a multi-layered threat protection platform like Netskope for Web to prevent phishing and malware infection distributed via the web channel.
- Enforce an effective patch management process, and keep the corporate antivirus updated.
- Double checking the destination wallet when transferring cryptocurrencies, bookmarking the links and using only the bookmarked versions.
- Using a third-party resource like Etherscamdb to verify the reputation of the online crypto service.
- Double checking hyperlinks is also a good habitude to avoid phishing.
