Crypto Fraud: Phishing and Data Stealing Malware

In the world of cryptocurrencies, where security and anonymity are key, phishing and malware have become a common method of fraud.

These methods are used by criminals to steal personal data and access cryptocurrency wallets. Understanding how they work and being aware of security methods are important tools in the fight against cybercrime in the cryptocurrency space.

Phishing is a cyberattack in which scammers use fake emails, websites, or social media posts to trick users into obtaining their sensitive data, such as logins, passwords, and wallet access keys.

An attacker can choose one of many options to provide you with a phishing link:

Most often, users end up on sites masquerading as real services. If the deception is successful, the site prompts you to enter the login and password for the simulated service, the SEED phrase of the crypto wallet, or download a malicious file.

Phishing attacks pose a serious threat in the world of digital security, especially in the cryptocurrency space. The success of such an attack for an attacker means:

When you receive authorization from the service, if possible, the attackers take all your funds. If this requires any additional confirmation from you for withdrawal (SMS, authorization code), a fraudster may contact you under the guise of a technical support employee of this service and ask you to provide a confirmation code from your e-mail or Authenticator.

If attackers get your SEED phrase, they get full access to your funds. In some cases, they can steal funds immediately, in others, they can wait until the amount increases. There are situations when phishing operators do not check each SEED phrase they receive, but sell them in batches to other scammers.

If attackers get your SEED phrase, then nothing more is required from you. Funds can be stolen immediately or wait if there are too few of them there.

In a scenario where a phishing attack directs a user to a decoy site in order to convince them to download a file containing malware, the implementation complexity increases. This is explained by the need to bypass the user's antivirus programs and firewalls. Unfortunately, many users either do not use an antivirus at all, or set the firewall to the minimum level of protection, which plays into the hands of scammers. Adding to the risk is the habit of some users to download content from unreliable sources, such as torrents, which may contain hidden malware.

One particularly dangerous form of malware are so-called clippers. These programs work in an extremely clever way: when you copy a cryptocurrency address from the messenger to make a transaction, the clipper quietly replaces it with the scammer’s address in the clipboard. As a result, when you paste the address into the recipient field, you are unknowingly sending your funds not to the intended address, but straight to the scammer.

Another type of phishing is sites that collect your personal data. Then, using this information, scammers can try to gain your trust and convince you to take certain actions, such as confirming P2P transactions or withdrawing funds.

The attackers send a letter to the victim on behalf of the exchange. In this case, the attackers used complete spoofing of the sender. The goal is to convince the victim to confirm receipt of funds as part of a P2P transaction, before actually receiving the funds.

Along with the original solution, search results may also contain phishing resources. In some cases, attackers use contextual advertising to ensure that their phishing resource is located above the original solution.

The attackers quickly purchased domain metamask . ru, creating a website that exactly copied the design and text of the official MetaMask website. The only difference was the RU domain zone. This subtle difference has led to many users mistakenly using the fake site by entering their SEED phrases, thereby giving scammers access to their accounts.

Original MyEtherWallet address

Phishing site MyEtherWallet

To hide their fraud and not arouse suspicion among users, after receiving the SEED phrase, the attackers implemented a redirection function to the official solution.

SushiSwap is a popular decentralized exchange (DEX). Currently 12/26/2023 Sushi Swap does not have its own application in the AppStore.

A fraudulent application called “SushiSwap Finance”, developed by CD&W Trading Company Limited, was discovered in the AppStore. Despite the apparent reliability, due to a 4-star rating and a number of positive reviews, you should be extremely careful, since such reviews are often the result of manipulation and cheating. When using this application, users are asked to enter their SEED phrase, which leads to the inevitable loss of all funds stored in their crypto wallets.

If you are a victim of such fraud, it is important to: