Panoramic Tracking of Fake Wallets: An In-depth Look at the Fake-Wallet Phishing Industry Chain
SlowMist Technology (慢雾科技)
2022-06-22 12:00
Protect your wallet!

Foreword

Little A recently received a text message about an exchange promotion, so he typed "xx Wallet Official" into his browser, clicked the top link, downloaded the app, created a wallet and transferred his assets into it, all in one go. Shortly afterwards, Little A received a notification that a transfer had succeeded, and the balance in his wallet app, ERC20-USDT worth 10 million US dollars, had dropped to zero. Only then did Little A realise that the app was fake: he had downloaded the phishing app himself. As time goes by, one can imagine how staggering the cumulative losses from thefts like this have become.

Analysis

Today we look at how many fake wallets there are from the big-data side.

1. MetaMask

MetaMask is currently the world's largest browser-extension wallet. In April 2021, ConsenSys, the parent company of MetaMask, stated that MetaMask's monthly active users exceeded 5 million, a five-fold increase in six months; since then the user base has grown a further fourfold, and the total number of users exceeds 80 million.

A user base this large naturally makes MetaMask the first target of the criminal underground (黑产). Let's take a look at how many counterfeit MetaMasks there are:

First, a search using a specialised search engine:

The search returns 20,000+ related results, and 98% of the IPs/domain names are fake links.

Tracking further, for example by searching for "MetaMask Download":

At first glance they are all phishing websites. Anyone familiar with security will recognise ports and services such as 888/HTTP and 8888/HTTP as the default configuration of BT Panel (宝塔面板, sold abroad as aaPanel); because it is simple and quick to deploy, it is widely used by black- and grey-market operators. All of the IPs/domain names above are fraudulent links meant to lure users into visiting and downloading.
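What a defender does with a result set like this is triage it: allowlist the vendors' real domains, then flag every host that embeds a wallet brand name, sits within a couple of edits of the real domain, or hangs a brand name off an unrelated registrable domain, and note which hosts also expose the BT Panel default ports mentioned above. The script below is an added example written for this page, not code from SlowMist or from any of the wallet projects. The sample targets are constructed (203.0.113.0/24 is TEST-NET-3); the allowlisted official domains are the ones known to the author of this example and should be verified against each vendor before use.

```python
"""Triage of asset-search results for wallet-brand lookalike hosts.

Added example, not code from the SlowMist article. The sample targets are
constructed; the official domains are the ones known to the author of this
example (verify against each vendor before relying on them).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Brand keyword -> registrable domains treated as official (assumed allowlist).
OFFICIAL: dict[str, set[str]] = {
    "metamask": {"metamask.io"},
    "imtoken": {"token.im"},
    "tokenpocket": {"tokenpocket.pro"},
}
# Default ports of BT Panel (宝塔面板): 8888 for the panel itself, 888 for phpMyAdmin.
BT_PANEL_PORTS = {888, 8888}
# Fold common leet substitutions and separators so "t0ken-p0cket" compares as "tokenpocket".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "-": "", "_": ""})
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
MAX_EDIT_DISTANCE = 2


@dataclass
class Finding:
    target: str
    verdict: str          # "official", "lookalike" or "unrelated"
    brand: str | None
    reason: str
    bt_panel_port: bool   # host exposes a BT Panel default port


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host_port(target: str) -> tuple[str, int | None]:
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return target.lower(), None


def registrable(host: str) -> str:
    """Last two labels; a public-suffix list would be needed for co.uk-style TLDs."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(target: str) -> Finding:
    host, port = split_host_port(target)
    bt = port in BT_PANEL_PORTS
    if IPV4.fullmatch(host):
        return Finding(target, "unrelated", None, "bare IP address, no brand to compare", bt)
    reg = registrable(host)
    for brand, domains in OFFICIAL.items():
        if reg in domains:
            return Finding(target, "official", brand, f"{reg} is on the allowlist", bt)
    norm_host = host.replace(".", "").translate(LEET)
    norm_label = reg.split(".")[0].translate(LEET)
    for brand in OFFICIAL:
        # Brand embedded anywhere in the host, e.g. metamask-download.xyz or metamask.io.evil.example.
        if brand in norm_host:
            return Finding(target, "lookalike", brand, f"host embeds '{brand}' but {reg} is not official", bt)
        # Typosquat of the registrable label, e.g. metamsk.io.
        d = levenshtein(norm_label, brand)
        if d <= MAX_EDIT_DISTANCE:
            return Finding(target, "lookalike", brand, f"'{norm_label}' is {d} edit(s) from '{brand}'", bt)
    return Finding(target, "unrelated", None, "no brand match", bt)


# Constructed sample of the kind of hosts an asset search returns.
SAMPLE_TARGETS = [
    "download.metamask.io",
    "metamask-wallet-download.com:8888",
    "metamsk.io",
    "t0ken-p0cket.pro:888",
    "metamask.io.evil.example",
    "203.0.113.5:8888",
    "example.com",
]

if __name__ == "__main__":
    for f in map(triage, SAMPLE_TARGETS):
        flag = " [BT Panel port]" if f.bt_panel_port else ""
        print(f"{f.verdict:10} {f.target:36} {f.reason}{flag}")
```

The edit-distance rule is deliberately applied only to the registrable label, so that a brand name buried in a subdomain of someone else's domain is caught by the keyword rule instead. The distance threshold of 2 will over-flag short generic words (a domain whose label is "token" is two edits from "imtoken"), so in practice the keyword hits are high confidence and the distance hits are review candidates.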


2. imToken

3. TokenPocket

Let's go a step further and look at something interesting.

First, search for "MetaMask authorization management" (the management backend of the criminal underground's phishing operations):

These are all domain names related to the backend management of the phishing operations. We also pivoted on these domain names; some of the captured domain names and their resolution times are shown below:

Vue + PHP environment; the deployment method is as follows:

Authorization management works the same way:

Authorization management:

Phishing backend:

The service industry chain around the backend:

After obtaining the victims' information from the backend, the attacker moves the funds out through the withdrawal API:

Let's take a look at the code:

It involves the JS of the basic web service, the configuration JS, and the transfer JS.

Look at this line again: var _0xodo='jsjiami.com.v6'. It has to be said that the criminal underground has outdone most legitimate websites here: the whole JS is run through an obfuscator. (jsjiami markets this as "encryption", but it is obfuscation: the browser still has to execute it, so it can be reversed; its purpose is to slow down analysis, not to protect anything.)

The "dev-master" configuration:
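Those tell-tales (the jsjiami.com.v6 marker string, identifiers of the form _0x…, and a string table written entirely as \x hex escapes) are static indicators a crawler can score without executing anything. The scanner below is an added example for this page, not code from the article or from the phishing kit; the two JavaScript samples are constructed, with OBFUSCATED_JS imitating the jsjiami style and CLEAN_JS being an ordinary hand-written snippet.

```python
"""Static indicators of obfuscated phishing-kit JavaScript.

Added example, not code from the SlowMist article. Both JS samples are
constructed: OBFUSCATED_JS imitates the jsjiami.com.v6 style (marker string,
_0x-prefixed identifiers, hex-escaped string table); CLEAN_JS is ordinary code.
"""
import re

JSJIAMI_MARKER = re.compile(r"jsjiami\.com\.v\d", re.IGNORECASE)
HEX_IDENT = re.compile(r"\b_0x[0-9A-Za-z]{3,}\b")          # _0x3f1a, _0xodo, ...
IDENT = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*")          # any JS identifier-ish token
ESCAPED_CHAR = re.compile(r"\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
SQ = r"'(?:\\.|[^'\\])*'"
DQ = r'"(?:\\.|[^"\\])*"'
STRING_LITERAL = re.compile(SQ + "|" + DQ)


def scan_js(source: str) -> dict:
    """Return obfuscation indicators and a verdict for one JavaScript file."""
    # Blank out string contents first so words inside the string table are not counted as code.
    code_only = STRING_LITERAL.sub("''", source)
    idents = IDENT.findall(code_only)
    hex_occurrences = HEX_IDENT.findall(code_only)
    ratio = len(hex_occurrences) / len(idents) if idents else 0.0
    escaped = len(ESCAPED_CHAR.findall(source))
    marker = JSJIAMI_MARKER.search(source) is not None
    # The vendor marker alone is decisive; the other two signals back each other up.
    score = (3 if marker else 0) + (2 if ratio > 0.2 else 0) + (1 if escaped >= 10 else 0)
    return {
        "jsjiami_marker": marker,
        "hex_identifiers": len(set(hex_occurrences)),
        "hex_identifier_ratio": round(ratio, 3),
        "escaped_chars": escaped,
        "score": score,
        "obfuscated": score >= 3,
    }


# Constructed sample imitating the kit's style (not copied from any real site).
OBFUSCATED_JS = r"""var _0xodo='jsjiami.com.v6',_0x3f1a=['\x74\x72\x61\x6e\x73\x66\x65\x72','\x61\x70\x69\x2e\x68\x74\x6d\x6c'];(function(_0x2c5b,_0x4d9e){var _0x1a2b=function(_0x5e6f){while(--_0x5e6f){_0x2c5b['push'](_0x2c5b['shift']());}};_0x1a2b(++_0x4d9e);}(_0x3f1a,0x1b));"""

# Constructed clean sample: readable dapp code, no string table.
CLEAN_JS = """
async function sendTransfer(contract, to, amount) {
  const tx = await contract.transfer(to, amount);
  return tx.wait();
}
"""

if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED_JS), ("clean", CLEAN_JS)):
        print(label, scan_js(src))
```

The ratio is computed over identifiers only, after string literals are blanked, so a page that merely mentions "_0x" in a comment or a long localisation string is not penalised. Run over every .js a crawler pulls from a suspected host, a hit on the marker or a high hex-identifier ratio is a cheap reason to prioritise that host for manual review.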

sc0vu/web3.php, shown here, is a PHP library for interacting with Ethereum and the wider blockchain ecosystem:

The analysis shows that once the attacker has obtained the private key and other relevant information, the stolen assets are transferred out through calls to api.html. We won't go into further detail here.
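The backend described above keeps both stolen keys and "authorizations". Where the theft runs through an authorization rather than a key, the thing the victim actually signed in the fake wallet was ERC-20 calldata, and that calldata can be checked before signing. The decoder below is an added example for this page, not code from the article, the phishing kit or any wallet vendor; it assumes the "authorization management" flow is an ERC-20 approve() followed by transferFrom() from the attacker's withdrawal API. The four-byte selectors are the standard ERC-20 ones; the spender addresses are constructed.

```python
"""Decode ERC-20 calldata and flag dangerous approve() requests.

Added example, not code from the SlowMist article. Assumes the "authorization"
flow is ERC-20 approve()/transferFrom(). Addresses are constructed; the
selectors are the standard ERC-20 ones.
"""
from __future__ import annotations

# keccak256(signature)[:4] for the standard ERC-20 functions.
SELECTORS: dict[bytes, tuple[str, list[str]]] = {
    bytes.fromhex("095ea7b3"): ("approve", ["address", "uint256"]),
    bytes.fromhex("a9059cbb"): ("transfer", ["address", "uint256"]),
    bytes.fromhex("23b872dd"): ("transferFrom", ["address", "address", "uint256"]),
}
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1
# Heuristic: an allowance this large exceeds every real token supply, so treat it as "unlimited".
UNLIMITED_THRESHOLD = 2**128


def _hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata the way a dapp front end would."""
    addr = _hex_to_bytes(spender)
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x" + (APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")).hex()


def decode_erc20_call(calldata: str) -> dict:
    """Decode static ERC-20 calldata; refuses malformed padding rather than guessing."""
    data = _hex_to_bytes(calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector, body = data[:4], data[4:]
    if len(body) % 32:
        raise ValueError("ABI body is not a whole number of 32-byte words")
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"function": None, "selector": "0x" + selector.hex(), "args": []}
    name, types = sig
    words = [body[i:i + 32] for i in range(0, len(body), 32)]
    if len(words) != len(types):
        raise ValueError(f"{name} expects {len(types)} words, got {len(words)}")
    args: list = []
    for typ, word in zip(types, words):
        if typ == "address":
            if any(word[:12]):                      # address is right-aligned; left 12 bytes must be zero
                raise ValueError("address word has non-zero left padding")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": "0x" + selector.hex(), "args": args}


def assess_approval(calldata: str, trusted_spenders: set[str]) -> str:
    """'ok', 'warning' or 'danger' for an approve(); anything else is 'not-an-approval'."""
    call = decode_erc20_call(calldata)
    if call["function"] != "approve":
        return "not-an-approval"
    spender, amount = call["args"]
    unlimited = amount >= UNLIMITED_THRESHOLD
    trusted = spender.lower() in {s.lower() for s in trusted_spenders}
    if unlimited and not trusted:
        return "danger"      # an unknown spender may now transferFrom() the whole balance at any time
    if unlimited or not trusted:
        return "warning"
    return "ok"


# Constructed addresses (not real contracts).
PHISHING_SPENDER = "0x" + "11" * 20
DEX_ROUTER = "0x" + "22" * 20
USDT_DECIMALS = 6   # Tether on Ethereum uses 6 decimals

if __name__ == "__main__":
    drain = encode_approve(PHISHING_SPENDER, MAX_UINT256)
    normal = encode_approve(DEX_ROUTER, 1_000 * 10**USDT_DECIMALS)
    for label, cd in (("fake-wallet prompt", drain), ("legitimate swap", normal)):
        print(label, decode_erc20_call(cd), "->", assess_approval(cd, {DEX_ROUTER}))
```

The point of the check is that the approve() a fake wallet or phishing dapp pushes at the victim is almost always an unlimited allowance to an address nobody has heard of; the allowance is what lets the backend's withdrawal API empty the account later without any further signature from the victim. A real wallet can surface exactly this decoded view before the user signs, and an existing approval can be cancelled by sending approve(spender, 0).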

You thought this was the end?

Do you think their goal is only phishing websites that forge MetaMask, imToken, TokenPocket and other wallets?

In fact, besides forging these well-known wallets, they also forge and build trading platforms for phishing. Let's take a look:

For example, under this IP we found that, in addition to the phishing pages and backend information, there is more:

Fake trading-platform phishing sites, and more than one of them:

A cryptocurrency phishing platform built with the Laravel framework:

A phishing site imitating the FTX platform, built with the ThinkPHP framework:

Let's take a look at the SaaS version of the phishing template that is sold directly online:

The scam platform supports most mainstream wallets (the wallets here are also forged by them):

The categories are clear and the functions complete; the sophistication and professionalism of the black and grey market has far exceeded imagination.

Summary
