Friday, 22 June 2018

Ethereum Give Away Hack using Twitter

There's an ongoing Ethereum cryptocurrency give away scam which asks the users to donate Ethereum amounts in the range 0.5 to 20 ETH and assures them 10 times return in exchange.

While this clearly sounds like an attempt to steal your coins, the attack is carried out in a very clever way.

The attacker created a fake Twitter profile of Nick Szabo using the same profile photo as the legitimate profile.

Real Twitter profile of Nick Szabo: https://twitter.com/NickSzabo4

Fake Twitter profile of Nick Szabo: https://twitter.com/YIuReNhO0V84h6B


 Figure 1

The next trick used by the attacker was to carefully choose a famous and recent tweet of Nick Szabo and comment on that tweet with details of the malicious scam as shown below:


 Figure 2

Nick Szabo's Tweet on June 21st: https://twitter.com/NickSzabo4/status/1009890204474208256

Attacker commented on this tweet with details of their scam campaign here: https://twitter.com/YIuReNhO0V84h6B/status/1009894333292666886

In order to make the tweet of the Attacker more legitimate, we can see that the tweet has 39 likes (at the time of writing).

If we expand the list of users who liked that tweet, we can see a long list of accounts with Russian usernames and each of these accounts have no tweets. This indicates that these accounts were registered by the attacker.


Figure 3 

Now, let's have a look at the website set up by the attacker to collect Ethereum.

Domain name: https://event-eth.org/
SSL Certificate from Let's Encrypt.

The website is well crafted and looks legitimate.

It includes the Ethereum address to which the users need to donate along with a QR image. All this is done to make the site look as authentic as possible.

Ethereum address of attacker: 0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190


Figure 4

If we scroll down further on the page, it shows a bar which is used to highlight the progress of this campaign in real time. It tells how many ETH tokens are remaining to be earned.


Figure 5
 
And it also shows a list of transactions along with details of the transaction to highlight the following:

1. Sender address
2. Receiver address
3. Transcation ID
4. Amount sent

This part of the web page is crafted in a very clever way as well. If you click on the transaction ID or the addresses, you will observe that it's not possible to fetch the complete details. That's because the attacker has crafted these details only to convince the visitor that these are real transactions going on.

In addition to this, to make this look even more convincing, the values are updated in this part of the webpage in such a way that for each pair of transaction, the second transaction is 10 times the value of the first transaction.

Please be careful and aware of such attacks which are well crafted to steal Ethereum coins.

I will update more details of this attack in a follow up post.

c0d3inj3cT
0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190
0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190
0x1e2B6F23d0d22aa4D84FC0d417507f25c8CB9190

No comments:

Post a Comment