Preface

Xiao A recently received a text message about an exchange promotion, so he typed "xx wallet official" into his browser, clicked the first result, downloaded the app, created a wallet and transferred his assets into it, all in one go. Shortly afterwards he received a "transfer successful" notification, and the balance in the wallet app, ERC20-USDT worth US$10 million, had dropped to zero. Only then did Xiao A realize that the app was a fake: he had downloaded a phishing app.

On November 24 last year, SlowMist released an analysis report on the fake-wallet black market, "SlowMist: Fake wallet apps have caused tens of thousands of people to be stolen, with losses as high as US$1.3 billion". It is not hard to imagine that the cumulative losses since then are staggering.

Analysis

Today we look, from a big-data perspective, at how many fake wallets are out there.

1. MetaMask

MetaMask is currently the world's largest browser-extension wallet. In April 2021 its parent company ConsenSys said that MetaMask's monthly active users exceeded 5 million, a five-fold increase in six months. In 2020 MetaMask also announced that its monthly active users had grown four-fold year on year compared with 2019, with more than 80 million users. With a user base this large, MetaMask is naturally the black market's first target. Let's see how many fake MetaMasks there are.

First, a query on a specialized search engine: the results show 20,000+ related hits, of which 98% of the IPs/domain names are fake scam links.

Tracking further, for example by searching for "MetaMask Download": at first glance these are all phishing sites. Anyone familiar with security will also recognize that ports and services such as 888/HTTP and 8888/HTTP are the default configuration of the Baota (BT) server panel (8888 is the panel itself, 888 its bundled phpMyAdmin); Baota's simple one-click deployment is exactly why so much of the black and gray industry runs on it.
The IPs/domain names above are all fraudulent links that lure users into visiting and downloading. Now for something more interesting. Search first for "MetaMask Authorization Management", the management backend the phishing operators use to track the token approvals ("authorizations") harvested from victims: the results are all domain names of black-market management backends. We collected these domain names as well; some of the captured domains and their resolution times are shown below. The backend runs in a Vue + PHP environment and is deployed as follows:

2. imToken and TokenPocket

imToken's "authorization management" backend is the same, and so is TokenPocket's. The phishing backend, and the service chain behind it, look like this:

3. Withdrawal through the API

After obtaining the victim's information, the attacker operates through a "coin withdrawal" API interface. Looking at the code, it consists of a basic web-service JS, a configuration JS and a transfer JS. Note this line:

var _0xodo='jsjiami.com.v6'

It has to be said that the black and gray industry is ahead of most legitimate websites here: they already apply full JavaScript obfuscation (jsjiami is a commercial JS obfuscator, and that string is its version marker; this is obfuscation, not encryption in the cryptographic sense, so the logic is recoverable, just costly to read).

In the configuration, sc0vu/web3.php ("dev-master") is the PHP library used to interact with Ethereum and the blockchain ecosystem. Analysis showed that once the attacker has obtained the private key and related information, the stolen assets are transferred out through calls to api.html. We will not go into the details here.

Do you think that is the end of it? Do you think their goal is only to forge phishing sites for wallets such as MetaMask, imToken and TokenPocket? In fact, besides counterfeiting these well-known wallets, they also imitate and build phishing versions of trading platforms.
Let's take a look. Under this IP, for example, besides the phishing page and its backend we found more: fake trading-platform phishing sites, and more than one of them. One cryptocurrency phishing platform is built on the Laravel framework; another, imitating the FTX platform, is built on ThinkPHP.

Now look at the SaaS version of the phishing template, sold directly online. The scam platform supports most mainstream wallets (the wallets here are, again, forged by them). The phishing industry chain targeting cryptocurrencies and NFTs is already very mature: professional SaaS services, rapid deployment, launch within minutes.

Further investigation uncovered the corresponding backend management system. The figure below is a cloud-desktop management backend used to control the information on the trading platform: the categories are clear and the functions complete. The sophistication and professionalism of the black and gray industry go far beyond what one would imagine.

Summary

This article analyzed the panorama of fraudulent wallets from a technical perspective. Wallet phishing sites keep appearing, cost very little to produce, and have formed a process-driven, professional industrial chain. The scammers typically use tooling to clone the websites of well-known wallet projects and trick users into entering their private key or mnemonic phrase, or into signing a token approval. Verify the URL of the site you are on before downloading anything or entering any secret; do not click unknown links; and download only from the official website or the project's official channels.
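The three indicators the article relies on (a brand-lookalike hostname that is not the wallet's official domain, the Baota default ports 888/8888 exposed over HTTP, and the jsjiami.com marker in the served JavaScript) can be turned into a small triage script for search-engine or scanner output. The following is an added example written for this page, not code from SlowMist or from any of the projects named above. The official-domain allowlist, the HostRecord shape and the sample hosts are assumptions constructed for the example; the port numbers and the obfuscator marker are the ones the article describes.

```python
"""Triage helper for fake-wallet phishing hosts.

Added example, not code from the SlowMist report. It scores a host record
against the three indicators the article calls out:
  1. a hostname that imitates a wallet brand but is not its official domain
  2. the Baota (BT) panel default ports 888 and 8888 exposed over HTTP
  3. the jsjiami.com obfuscator marker in the JavaScript the host serves
The official-domain allowlist and all sample hosts below are assumptions
constructed for this example; maintain the allowlist yourself.
"""
import re
from dataclasses import dataclass

# Assumed official registrable domains for the three wallets named in the article.
OFFICIAL_DOMAINS = {
    "metamask": {"metamask.io"},
    "imtoken": {"token.im"},
    "tokenpocket": {"tokenpocket.pro"},
}
ALL_OFFICIAL = set().union(*OFFICIAL_DOMAINS.values())
BAOTA_DEFAULT_PORTS = {888, 8888}                    # Baota defaults, per the article
JSJIAMI_MARKER = re.compile(r"jsjiami\.com\.v\d+")   # e.g. var _0xodo='jsjiami.com.v6'


@dataclass
class HostRecord:
    """One host as a search engine or scanner might report it (constructed format)."""
    hostname: str
    open_ports: set
    body: str = ""          # JavaScript/HTML served by the host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as metamsk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Last two labels. Good enough for .io/.im/.pro; a public-suffix list is
    needed for ccTLDs such as .co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_lookalike(hostname: str):
    """Return the wallet brand a hostname imitates, or None for official or
    unrelated hosts. Subdomains of an official domain are accepted."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in ALL_OFFICIAL:
        return None
    # strip separators so metamask-io-download reads as metamaskiodownload
    labels = [lab.replace("-", "").replace("_", "") for lab in host.split(".")]
    for brand in OFFICIAL_DOMAINS:
        for label in labels:
            if brand in label:
                return brand
            if len(label) >= 5 and levenshtein(label, brand) <= 1:
                return brand
    return None


def triage(record: HostRecord) -> list:
    """Return the list of phishing indicators found for one host (empty = none)."""
    reasons = []
    brand = brand_lookalike(record.hostname)
    if brand:
        reasons.append(f"hostname imitates {brand} but is not an official domain")
    exposed = sorted(record.open_ports & BAOTA_DEFAULT_PORTS)
    if exposed:
        reasons.append(f"Baota panel default port(s) exposed: {exposed}")
    marker = JSJIAMI_MARKER.search(record.body)
    if marker:
        reasons.append(f"served JS carries obfuscator marker {marker.group(0)}")
    return reasons


# Constructed sample hosts; the first mimics the pattern the article describes.
SAMPLE_HOSTS = [
    HostRecord("metamask-io-download.example", {80, 443, 888, 8888},
               "var _0xodo='jsjiami.com.v6';function _0x4e1a(){}"),
    HostRecord("metamask.io", {443}, "<html>official</html>"),
    HostRecord("metamsk.example", {443}, ""),
]

if __name__ == "__main__":
    for rec in SAMPLE_HOSTS:
        print(rec.hostname, "->", triage(rec) or ["no indicators"])
```

None of the three indicators is conclusive on its own: plenty of legitimate small sites run Baota, and obfuscated JS is common. Treat a hit on all three as a strong signal for a block or takedown, and a single hit as a prompt to look at the page by hand.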