Investigating and Dissecting A Cryptocurrency Scam Operation


A poster to ethfinance was unfortunately taken advantage of by these malicious actors. My initial intent was to remove this campaign from the internet. Though, as my investigation progressed, I became more and more conscious of the CFAA. I would not discourage anyone who understands the implications from picking up where I left off.

The Scam

Loading the domain in your browser will instantly prompt MetaMask to connect. Doing so leads to a fake DEX. You are given a 6-digit ‘ID’ that is displayed on the front page. Below is an example of one of their scam pages.

[Screenshot: usdt erc20 etc]

This is all over the place. USDT-ERC20, output in ETC. They provide various addresses to deposit your funds. At least one of the addresses provided does not even have an ETH balance – without any gas money, these fraudsters were never planning to return any deposits.

I clicked on the button that was a head with headphones, presumably the support button.

[Screenshot: emall]

You can ‘Emall‘ them at the displayed email address. Visiting the above domain in Chrome showed the exact same front end as the scam we’re dealing with.

Frighteningly, they want you to ‘authenticate’.

[Screenshot: name email]

They ask for your name and email address. Infinitely worse, they want pictures of any forms of your identification, as can be seen below.

[Screenshot: id theft]

Anyone who has completed this form should consider their identity stolen, and contact the appropriate authorities.

Offense

To begin to gain some understanding of a website, using ‘view page source’ in your browser is an extremely effective tool.

[Screenshot: chinese]

The highlighted text is Simplified Chinese for ‘page loaded’. Quite interesting.

To an attacker, this file upload form offers a massive attack surface. Of course, an experienced intruder knows what to do here. But for any ethfinanciers who would like to learn more about this, here are some resources:

https://portswigger.net/web-security/file-upload

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

https://www.aptive.co.uk/blog/unrestricted-file-upload-testing/

Or just ask ya boi!

When running a black box web application security test, /robots.txt is a critical file to access. Servers use this file to request that web crawlers such as Google not access or archive the URLs listed within it. As you might imagine, these often contain URLs of relative importance. Whether crawlers choose to obey is completely up to them, both technically and legally (not legal advice).

The requested /robots.txt did not directly return any confidential files or directories. Though, it resulted in a fairly significant information leak.

[Screenshot: robots]

I unfortunately did not think to translate that Chinese text to English. Do we have any Chinese speaking ethfinanciers who can help out?

Notice that this error leaks a number of file paths on this server. At the bottom we see that the server uses ThinkPHP 3.2.0, which happens to be vulnerable to a high severity issue.

[Screenshot: fun]

I will not fix the URL provided in the description to fit this target simply for the safety of those who do not know exactly what they’re doing. Be very careful before landing yourself in federal prison. Exploits are never guaranteed to work, even against vulnerable targets. I’d bet an ETH I could get this one to work, though.

When learning to attack a system, one thing that has to be reinforced is the idea of enumeration. I cannot find a link to an article that accurately articulates what I wish to convey. I would describe it as the art of testing ideas, taking notes of oddities, and learning everything you can about your target system.

Here’s an example. Screenshots were not taken, but I found that requests for files lacking the extension ‘.php’ resulted in the same error shown for /robots.txt. Is it a vulnerability? No. Is it worth noting if you wish to gain a thorough understanding of your target? Yes.
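As an added self-check for the two observations above (my own example code, not from the post or the scam site): a /robots.txt request, or any request for a path without ‘.php’, that comes back as a framework error page instead of a crawler policy is leaking file paths and a version string, and a site owner can catch that before an investigator does. The sample bodies, file paths and domain are constructed, and the shape of the ThinkPHP footer is an assumption.

```python
import re

# Field names a well-formed robots.txt is made of (RFC 9309, matched case-insensitively).
ROBOTS_FIELDS = ("user-agent", "disallow", "allow", "sitemap", "crawl-delay")

# Absolute POSIX or Windows paths ending in .php, as a debug/trace page might print them.
# Assumed shape; not taken from the scam site's real error output.
PATH_RE = re.compile(r"(?:/[\w.\-]+){2,}\.php\b|[A-Za-z]:\\(?:[\w.\-]+\\)+[\w.\-]+\.php\b")
# ThinkPHP's error/trace footer prints the framework name followed by its version.
VERSION_RE = re.compile(r"ThinkPHP\s*(?:<sup>)?\s*(\d+\.\d+(?:\.\d+)?)", re.I)


def parse_robots(body: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs if body is a plain robots.txt, otherwise []."""
    pairs = []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_FIELDS:
            return []  # any non-directive line means this is not robots.txt at all
        pairs.append((field.strip().lower(), value.strip()))
    return pairs


def classify_robots_response(body: str) -> dict:
    """Decide whether /robots.txt came back as a crawler policy or as a leaky error page."""
    pairs = parse_robots(body)
    if pairs:
        return {"kind": "robots", "directives": pairs, "paths": [], "framework": None}
    lowered = body.lower()
    looks_like_html = "<html" in lowered or "<!doctype" in lowered
    version = VERSION_RE.search(body)
    return {
        "kind": "error_page" if looks_like_html else "unknown",  # empty body lands here too
        "directives": [],
        "paths": sorted(set(PATH_RE.findall(body))),
        "framework": f"ThinkPHP {version.group(1)}" if version else None,
    }


# Constructed sample responses: one healthy robots.txt, one debug page of the kind the post describes.
ROBOTS_OK = """# constructed sample
User-agent: *
Disallow: /admin/
Allow: /admin/public/
Sitemap: https://example.invalid/sitemap.xml
"""
LEAKY = """<!DOCTYPE html><html><body><h1>:( Fatal error</h1>
<p>#0 /www/wwwroot/example/ThinkPHP/Library/Think/Think.class.php(123)</p>
<p>#1 /www/wwwroot/example/index.php(30)</p>
<div class="copyright">ThinkPHP<sup>3.2.0</sup> { Fast &amp; Simple OOP PHP Framework }</div>
</body></html>"""
```

Run it against every URL you expect to 404 as well as /robots.txt; a `kind` of `error_page` with non-empty `paths` or a `framework` value is the leak the post shows.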

I’ve seen lots of examples of security researchers bringing down scam websites without facing prosecution, but a number of things made me hesitant in this case.

[Screenshot]

The true IP address of the scammers is protected by Cloudflare. Finding the IP address of servers behind Cloudflare is an eternal challenge for attackers. https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/ seems to be extremely comprehensive and up to date. I tried every technique short of signing up for a service that requires an API key. No results; the following provides a fair explanation for that.

[Screenshot: y dex whois]

As @JBM noted, the website was only created a few months ago. That’s always suspicious. What about the domain listed as the support email address?

[Screenshot]

This domain is hosted by Alibaba US. That they don’t even provide an abuse contact speaks volumes.

In my brief enumeration efforts, I visited /index.php, which redirected me to /Pc/Index/index.html.

[Screenshot: redirect]

The HTML does not render properly, but this is completely different from what we were dealing with before.

[Screenshot: kmforex]

At the bottom of the page we see another support email address. The highlighted text seems to show that the listed website (NOTE: not the scam domain in question) might have been a real company at some point? The registration number certainly does not comply with the new Chinese business registration numbering system, which was in full effect by 2018.

Let's use whois.domaintools.com again to find some information about this newly discovered Forex exchange domain.

[Screenshot: kmforex history]

The domain name has been used for at least 16 years. This scam seems to be masquerading as a possibly real, but defunct, Chinese Forex exchange, doubling as a crypto exchange depending on the target. Attribution has always been a touchy subject in the realm of cyber security, with that type of debate usually reserved for large-scale nation state attacks.

When we consider the prevalent usage of the Simplified Chinese language, a Chinese PHP framework, and Alibaba hosting, I’m confident in declaring this a campaign of Chinese origin. Of course, given the lack of sophistication on the part of the scammers, and the lack of geopolitical implications, this is virtually meaningless. 

Stay safe,
RTPP
