Hackers are a notoriously cunning bunch. They will exploit anything and everything in order to make some quick but illegally money. The higher the potential payday for hacker or scammer the more likely whatever it is, is likely a target. Over the past couple of days, two instances of hackers targeting users’ cryptocurrency wallets were uncovered. In the first instance employees of the Trezor multi-cryptocurrency wallet service discovered a phishing attack against some of its users. The second recent case of user’s wallets been targeted involves a piece of malware which monitors the targets clipboard. This is done as many cryptocurrency wallets have long and hard to remember addresses meaning users often copy and paste the relevant wallet address.
The company released a statement on Sunday, July 1, 2018 warning users of the attempted phishing attack. According to the statement the phishing attack is believed to be an instance of “DNS Poisoning”. This technique involves hackers hijacking legitimate traffic to the targeted website. The traffic is then redirected to a malicious server hosting a fake website. The incident came to light when users began complaining that they encountered an invalid HTTPS certificate when landing on the assumed legitimate Trezor's web wallet portal. Generally, an invalid certificate would mean that the website on which users landed was not the actual portal, but someone posing as the Trezor. The certificate is deemed invalid since the fake website is unable to pass verification tests to determine if it is the legitimate website portal.
Once the Trezor team were alerted as to the problem, an investigation began. It was quickly determined by the team that problem faced was not a simple server error which occurs from time to time. The cause of the problem was as a result of a phishing attack. From there the team noticed that the fake website displayed two things that were not supposed to be there. The first being that there was an error message that was worded differently from the original Trezor site, which told users that syncing data their Trezor hardware wallet and their Trezor web account had failed.
The second sign all was not as it should be was that the fake website was asking users to enter a copy of their “recovery seed.” According to the Trezor user manuals that users should never enter the recovery seed anywhere but the Trezor device, and never on a computer. Thus Trezor would never ask for this detail via their website. For the team, this was a dead giveaway that certain users were experiencing a phishing attack. In response to the attack, Trezor has requested the fake site be taken down. At this early stage, it is difficult to tell if any user’s wallet were compromised and any funds stolen.
Cryptocurrency Clipboard Hijacker
The second recent instance was user’s cryptocurrency wallets have been targeted was detailed by Lawrence Abrams. Cryptocurrency Clipboard Hijacker is a malware which works by monitoring the Windows clipboard for cryptocurrency addresses, and if one is detected, will swap it out with an address that they control. Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attackers control instead of the intended recipient. In samples previously seen by researchers, the malware was capable of monitoring between 400-600 thousand cryptocurrency addresses via the clipboard. In the sample discovered by Abrams, the malware was monitoring approximately 2.3 million addresses. A staggering increase on what was previously thought possible.
Malware like this can ruin anyone’s day when they see funds intended for one wallet never reach it but rather enrich a cunning hacker. However, you can adopt certain best practices to avoid becoming a victim. Malware such as this runs in the background with no indication that it is even running, is it not easy to spot that you may be infected. Having an up to date anti-virus offering can go a long way in defending yourself from these kinds of attacks. Further, it is advised all cryptocurrency users double-check any addresses that they are sending crypto coins to before they actually send them. This way you can spot whether an address has been replaced with a different one that is intended. It may be a pain but it is better than finding out you sent funds to a scammer.
Targeting Wallets fast becoming the Norm
In April of this year, a hacker successfully managed to hijack the DNS server of MyEtherWallet.com, a web-based Ether wallet service. Users attempting to access the web portal were redirected to a fake version of the website in all likelihood a similar method used in the Trezor phishing attack. Those who logged in had their wallet private keys were stolen, which the attacker used to empty accounts. Like in the Trezor attack a certificate error would have occurred and the user informed of the error. However, certain users ignored the error, proceeded to log in and had their funds stolen. In total it is estimated that the hacker made off with approximately 160,000 USD worth of Ether. At the time of the attack that amounted to approximately 215 Ether. An impressive if illegal sum of money.
Other examples of similar hacks include an incident that occurred in January 2018, where hackers hijacked the servers of BlackWallet.com and managed to steal over 400,000 USD of Stellar Lumen (XLM) funds. Further in December 2017, EtherDelta suffered a similar DNS hijacking however it is still unknown how much was stolen. It is easy to see why cryptocurrency wallets are targets for hackers given the amounts hackers have managed to steal.