Cryptocurrencies are stored in cryptographically secure, digital wallets. These wallets typically have a public and a private key. The public key is a wallet’s public representation on the blockchain: any transactions coming out of the wallet contains the wallet’s public key as the source. The receiving wallet’s public key is the destination. A wallet’s private key, on the other hand, gives the user control over the wallet and allows him/her to send transactions from it. Ideally, only the owner has access to his/her wallet’s private key. If anyone malicious gets ahold of it, you can bet s/he will empty the wallet ASAP.
Since many people tend to store a significant portion of their cryptocurrency portfolio in a single wallet, it has been exceptionally lucrative to phish for private keys. As the market has grown, so has the frequency and sophistication of phishing attacks.
Although phishing attacks are not as high profile as the hacking of cryptocurrency exchanges and ICOs, they are widespread and devastating for their victims. In fact, according to a report released by Chainanalysis (provider of Bitcoin anti-money laundering software), cryptocurrency investors have been conned out of a combined $225 million this year.
Here’s a list of cryptocurrency phishing attacks that have made their rounds recently.
MyEtherWallet.com Slackbot attacks
When I research cryptocurrency projects, one of the first things I do is join a project’s Slack group. Over the last few months, I’ve joined many many Slack groups and I’ve started seeing similar MyEtherWallet.com Slackbot phishing attacks in almost all of them (of course, the project must be based on an ERC20 token).
This is how the attack works. Slack has a feature where a user can direct @slackbot, an official messenger bot present in all Slack groups, to send a reminder message to everyone in the group. Since the message is from @slackbot, it has an aura of legitimacy to it.
The reminder message typically goes one of a few ways:
- Get a message from the project’s dev team saying that their ERC20 token’s smart contract is “experiencing some errors” and they have since “forked the smart contract”. The process was seamless and all YOU need to do is update your token contract through MyEtherWallet.com. “Failure to do so may result in a loss of your ERC20 tokens”.
- Get a message from the project stating that they are issuing an “airdrop” for free XYZ tokens. All YOU need to do is sign up for the airdrop through MyEtherWallet.com.
- Get a message from the MyEtherWallet team claiming they have been targeted by attackers recently and require their users to activate two-factor authentication by visiting their website. If you don’t do so soon, you will be at risk of losing your ERC20 tokens.
All these messages link to a fake MyEtherWallet.com website. Although the link appears on Slack as MyEtherWallet.com, once you visit it, you’re brought to a website with a link that looks very similar to but not quite MyEtherWallet.com. For example, I’ve seen
myetherwallét.com. When you’re on the phishing site, it’ll ask you to provide your wallet’s private key to access it. You can imagine what happens the moment you upload your key.
OmiseGo airdrop phishing attack - how one user lost $70,000 worth of Ether
About 2 months ago, OmiseGo announced that they were going to conduct an “airdrop” and deposit 5% of all available tokens, as reserved during the crowdsale, across every Ethereum address that had at least 0.1 Ether up to a specific block height. Each Ethereum address will get OMG tokens proportional to its share of Ether.
Attackers immediately jumped on the opportunity and based a new set of phishing attacks on the airdrop. One such attack was quite elaborate and involved fake Slackbot announcements, a fake Twitter account (https://twitter.com/OmiseCo/), and a fake OmiseGo website (https://omise-go.net/news/airdrop/). Slackbot and Twitter were used to funnel users to the fake OmiseGo website where the attack ultimately occurs.
Once on the fake website, users would scroll down to find an inconspicuous OMG airdrop calculator where the user could input his/her Ethereum address and balance to find out how much airdropped OMG they would receive. The calculation was significantly inflated in order to take advantage of the age-old vice of greed. The website then prompts the user to upload their wallet’s private key in order to register for the airdrop.
One user was scammed out of 236 Ether (about $70,000) through this method and posted on Reddit complaining about the attack. The reddit post has since been removed but the fraudulent transaction of 236 Ether out of his/her wallet is forever recorded on the blockchain.
This is one of the wallets used by the scammer and it has about 1000 Ether (about $300,000) in it.
I have to say, using a fake OmiseGo Twitter account was an ingenious move by the attackers. The last time I visited it before it was closed, it had more than 4,000 followers and it was meticulously copying every tweet from the official OmiseGo account. Of course, the fake account took infrequent opportunities to promote the fake airdrop website. With so many followers, this account must have taken quite a while to build before being used for the attack. It’s unlikely that its followers would have double checked the account after following and many of them would have been easily duped into “registering” for the airdrop.
TenX airdrop phishing attack
The TenX airdrop phishing attack appeared soon after the OmiseGo attacks. The funny thing is, TenX has never announced any intention to conduct an airdrop and yet this hasn’t stopped phishing attackers from building a fake campaign around it. I found out about this attack through yet another Slackbot message attack.
The attackers not only created a fake TenX website, they also built a fake TenX blog containing a fake airdrop announcement blog post. The fake TenX website, like OmiseGo’s, also contained an airdrop calculator. From here the attack is the same: users would calculate the amount of PAY tokens they could receive, and then be prompted to upload their wallet’s private key to register for the airdrop.
Fake Blockchain.info attacks
Blockchain.info is an incredibly popular online Bitcoin wallet service and it’s no surprise that it’s used as a base for many phishing attacks. There have been plenty of fake Blockchain.info emails and websites over the years.
One example of a Blockchain.info phishing attack involved receiving an email from email@example.com (note “blockshain” instead of “blockchain”) that requested the user to backup their wallet by visiting Blockchain.info through a link in the email. The link took the user to Blockshain.info instead of Blockchain.info and if the user were to log in on the fake website, their account would immediately be compromised. If that was not enough, the email also contained an attachment called “backup wallet.pdf.exe”. The exe extension gives away the fact that the file is very likely a virus.
Besides emails, phishing attacks have also used Google search ads as an attack vector. The attacker will run an ad for his/her phishing site with a search preview that’s very similar to the real website’s search preview. Another crucial part of the attack involves targeting keywords commonly associated with the real website. Search ads often appear above all other search results and anyone not paying attention could easily fall for them.
Fake Bittrex.com attack - how one user lost $100,000 worth of cryptocurrencies
A user posted on /r/cryptomarkets a couple weeks ago asking about how s/he was hacked for $100,000 on Bittrex. The attack was very interesting. The user did not click any Slackbot links or register for any fake airdrops, s/he simply created a Bittrex account, deposited 26 BTC, and traded the BTC for other cryptocurrencies. The next time s/he logged in, the account was emptied.
So today I went on www.bittrex.com to create an account and deposited roughly 26 BTC and traded them for other coins. Of course before doing this I did the basic verification, phone verification and enhanced verification and the 2FA authentication. I tested everything out and everything seemed fine… Then I logged out at 18:54:27 2 Hours later I come home and try to log in and it says that Bittrex is checking for my browser and that this might take up to 5 minutes. Few minutes later it goes through and asks me for my 2FA which I provide. Again it takes a long time and ends up failing. So I wait a bit and do the whole process again and when I finally log in I notice that everythings gone… All my coins were sold for btc and gone. So I check the history and this is what I see… NEW IP LOGIN UNKNOWN_IP_WITHDRAWAL_APIV1_SUCCESS NEW_IP WITHDRAWAL_APIV1_SUCCESS and then a few mins later I log in… so what happend?
According to another redditor who replied to the post, the victim most likely created a real Bittrex account via a spoofed phishing website that emulated the real website’s behaviour by issuing API calls to Bittrex (Bittrex provides a rather comprehensive API service). The account creation process would not have given the attacker access to the account because of two-factor authentication. However, when the victim tried to log in the second time, s/he would’ve provided their two-factor authentication token which was evidently passed on to the attacker. While the victim was waiting for the malicious website to respond to the second login attempt, the attacker was busy emptying his/her account.
There are two likely ways the victim could’ve stumbled upon the fake Bittrex website:
- A Google search ads phishing attack as described above
- The user’s computer was hacked and his/her network configurations were changed such that the computer would redirect the user to the fake website whenever they tried to visit Bittrex.com (yes, this is totally possible)
Either way, losing $100,000 to a phishing attack is definitely devastating and although not much can be done for the victim, let this be a lesson to everyone else. It just takes one misstep for an attacker to gain access to your wallet/account and empty it.
Cryptocurrency phishing attacks can be incredibly profitable and they will only become more prevalent as the market expands. These attacks are fueled by ignorance often found in new investors. Be safe out there and always be careful when:
- a website asks for your wallet’s private key
- a service is behaving weirdly, i.e. long wait times
- clicking Google search results to get to your exchange’s or wallet’s website
- following the project’s Twitter account (make sure it’s not a fake account)
- receiving a reminder message from Slackbot
- receiving emails from your exchanges or wallet services