Panoramic Tracking of Fake Wallets: Exposing the Fake Wallet Phishing Industry Chain

Foreword

Xiao A recently received a text message about an exchange promotion, so he typed "xx wallet official" into his browser, clicked the top link, downloaded the app, created a wallet and transferred his assets into it, all in one go. A short while later Xiao A received a notification that the transfer had succeeded, and the balance in his wallet app, ERC20-USDT worth 10 million US dollars, dropped to zero. Only then did Xiao A realise that the app was fake and that he had downloaded the phishing app himself.

On November 24 last year, SlowMist released an analysis report on the fake-wallet black market: "SlowMist: Fake wallet apps have stolen from tens of thousands of people, with losses as high as 1.3 billion US dollars". One can only imagine how much larger the stolen amount has grown since then.

Analysis

Today we look, from the big-data side, at just how many fake wallets there are.

1. MetaMask is currently the world's largest browser-extension wallet. In April 2021 ConsenSys, MetaMask's parent company, said that the wallet's monthly active users had exceeded 5 million, a fivefold increase in six months; in 2020 MetaMask had already announced that monthly active users had grown fourfold over 2019, with the user count exceeding 80 million.

With a user base that large, MetaMask is naturally the black market's first target. Let's see how many fake MetaMasks there are:

First, search through a specialised (cyberspace asset) search engine:


The search returned 20,000+ related results, of which about 98% of the IPs/domains were fake or scam links.

Drilling down further, for example by searching for "MetaMask Download":


At first glance these are all phishing sites. Anyone familiar with security will recognise services on 888/HTTP and 8888/HTTP as the default configuration of BT Panel (宝塔, "Pagoda"): 8888 is the panel console itself and 888 is its bundled phpMyAdmin. BT Panel's simple one-click deployment is exactly why black/grey market operators use it so heavily. All of the IPs/domains above are fake, fraudulent links that lure users into visiting and downloading.
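The hunting described above can be turned into a repeatable triage rule. The following is an added example (not code from the original article or from the operators it describes): a rule-based scorer over asset-search records of the kind a FOFA/ZoomEye-style engine returns, combining brand impersonation on a non-official domain, the BT Panel default ports, the "authorization management" backend title and the jsjiami obfuscator marker seen later in the article. The official wallet domains and BT Panel ports are public facts; the record layout, weights, thresholds and sample hosts are constructed for illustration.

```python
# Added example, not the article's code. Rule-based triage of asset-search
# records to separate wallet-impersonation hosts from the real thing.

# Official domains of the wallets the article mentions (public facts).
OFFICIAL_DOMAINS = {
    "metamask": ("metamask.io",),
    "imtoken": ("token.im",),
    "tokenpocket": ("tokenpocket.pro",),
}
# BT Panel (宝塔) defaults: 8888 is the panel console, 888 its bundled phpMyAdmin.
BT_PANEL_PORTS = {888, 8888}
# Title strings used by the "authorization management" phishing backends.
BACKEND_MARKERS = ("授权管理", "authorization management")
# Marker string left in pages by the jsjiami JavaScript obfuscator.
OBFUSCATOR_MARKERS = ("jsjiami.com",)
# Words that turn a brand page into a download/airdrop lure.
LURE_WORDS = ("download", "下载", "airdrop", "空投")

# Heuristic weights and thresholds (assumed; tune against labelled data).
W_BRAND, W_BACKEND, W_BT_PANEL, W_OBFUSCATOR, W_LURE = 35, 40, 15, 15, 20
PHISHING_AT, SUSPICIOUS_AT = 60, 15


def brand_in(text):
    """Return the first wallet brand named in text, or None."""
    low = text.lower()
    for brand in OFFICIAL_DOMAINS:
        if brand in low:
            return brand
    return None


def is_official(host, brand):
    """True when host is the brand's official domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])


def triage(rec):
    """Score one record {host, port, title, body} and list the reasons."""
    host, port = rec["host"], rec.get("port")
    title, body = rec.get("title", ""), rec.get("body", "")
    score, reasons = 0, []

    brand = brand_in(title + " " + host)
    if brand and is_official(host, brand):
        return 0, [f"official {brand} domain"]
    if brand:
        score += W_BRAND
        reasons.append(f"{brand} branding on non-official host {host}")
        if any(w in (title + body).lower() for w in LURE_WORDS):
            score += W_LURE
            reasons.append("download/airdrop lure wording")
    if any(m in title.lower() for m in BACKEND_MARKERS):
        score += W_BACKEND
        reasons.append("authorization-management backend title")
    if port in BT_PANEL_PORTS:
        score += W_BT_PANEL
        reasons.append(f"BT Panel default port {port}")
    if any(m in body.lower() for m in OBFUSCATOR_MARKERS):
        score += W_OBFUSCATOR
        reasons.append("jsjiami-obfuscated JavaScript")
    return score, reasons


def classify(rec):
    """Map the score to a label a triage queue can sort on."""
    score, reasons = triage(rec)
    if score >= PHISHING_AT:
        label = "phishing"
    elif score >= SUSPICIOUS_AT:
        label = "suspicious"
    else:
        label = "benign"
    return {"host": rec["host"], "label": label, "score": score, "reasons": reasons}


# Constructed sample records; the hosts and the IP are not real findings.
SAMPLE_RECORDS = [
    {"host": "metamask.io", "port": 443, "title": "MetaMask - The crypto wallet", "body": ""},
    {"host": "metamask-wallet-download.xyz", "port": 8888, "title": "MetaMask Download",
     "body": "<script>var _0xodo='jsjiami.com.v6'</script> download now"},
    {"host": "203.0.113.10", "port": 888, "title": "MetaMask 授权管理", "body": "<div id=app></div>"},
    {"host": "example.org", "port": 8888, "title": "宝塔Linux面板", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
```

A bare BT Panel port only reaches "suspicious": plenty of legitimate small sites run on it, so it is corroborating evidence, not proof. Brand wording on a non-official host plus a download lure, a backend title, or obfuscated JS is what pushes a record over the phishing threshold.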

Now let's look at something more interesting.

First, search for "MetaMask authorization management" (the management backend used by the phishing operators):


These are all domains tied to the phishing operators' management backends. Pivoting across these domains, some of the captured domains and their resolution times are shown below:


The backend is a Vue + PHP stack; its deployment layout is as follows:


2. The imToken authorization management backend works the same way:


TokenPocket authorization management:


Phishing backend:


The service industry chain behind these backends:


3. Once the backend has collected the victim's information, the attacker operates through a withdrawal API:


Let’s take a look at the code:


It consists of the JS for the basic web service, a configuration JS, and a transfer JS.

Note this line: var _0xodo='jsjiami.com.v6'. The phishing operators have gone further than most legitimate web sites here: the JavaScript is fully obfuscated with the jsjiami service. (It is obfuscation, not encryption: the browser still has to execute it, so it can be reversed; it only raises the cost of analysis.)


Configuration:


Here sc0vu/web3.php (pinned to "dev-master") is a PHP library for interacting with Ethereum nodes and the wider blockchain ecosystem.

Analysis shows that once the attacker has the private key (or mnemonic) and related information, they call api.html to transfer the stolen assets out. We won't go into further detail here.
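The "authorization management" backends above live off two things: keys the victim types in, and token approvals the victim signs on the fake site. The second can be caught before signing by decoding the calldata. The following is an added example (not code from the original article or from the phishing kits it describes): a decoder for the static-argument ERC-20/ERC-721 calls that approval phishing relies on, which flags an unlimited allowance or a blanket setApprovalForAll to an unknown address. The 4-byte selectors are the standard keccak256-derived IDs; the spender allow-list and the sample calldata are constructed.

```python
# Added example, not the article's code. Decode ERC-20 / ERC-721 calldata
# before signing and flag the approvals that phishing backends harvest.

MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # anything this large is unlimited in practice

# Standard selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


def decode_calldata(data):
    """Split hex calldata into selector, signature and decoded static arguments."""
    h = data.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) < 8 or (len(h) - 8) % 64:
        raise ValueError("malformed calldata: not selector + 32-byte words")
    selector, body = h[:8], h[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"selector": selector, "signature": None, "args": []}
    types = signature[signature.index("(") + 1:-1].split(",")
    if len(words) != len(types):
        raise ValueError(f"{signature} expects {len(types)} words, got {len(words)}")
    args = []
    for typ, word in zip(types, words):
        if typ == "address":
            if int(word[:24], 16):  # the 12-byte left padding must be zero
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[24:])
        elif typ == "uint256":
            args.append(int(word, 16))
        elif typ == "bool":
            args.append(int(word, 16) != 0)
    return {"selector": selector, "signature": signature, "args": args}


def assess(data, trusted_spenders=()):
    """Return a risk label and reason for the transaction the user is about to sign."""
    d = decode_calldata(data)
    trusted = {s.lower() for s in trusted_spenders}  # assumed allow-list, e.g. known DEX routers
    sig = d["signature"]
    if sig is None:
        return {**d, "risk": "unknown", "reason": f"unrecognised selector 0x{d['selector']}"}
    name = sig.split("(")[0]
    if name in ("approve", "increaseAllowance"):
        spender, amount = d["args"]
        if amount >= UNLIMITED_FLOOR:
            risk, reason = "high", f"unlimited allowance to {spender}"
        elif spender in trusted:
            risk, reason = "low", f"limited allowance ({amount}) to trusted spender"
        else:
            risk, reason = "medium", f"limited allowance ({amount}) to unknown spender {spender}"
    elif name == "setApprovalForAll":
        operator, approved = d["args"]
        if approved and operator not in trusted:
            risk, reason = "high", f"operator {operator} gains control of every token in the collection"
        else:
            risk, reason = "low", "revocation or trusted operator"
    else:  # transfer(to, amount) / transferFrom(from, to, amount)
        to = d["args"][0] if name == "transfer" else d["args"][1]
        risk, reason = "transfer", f"{name} moves funds immediately to {to}"
    return {**d, "risk": risk, "reason": reason}


# Constructed sample: approve(0x1111..., MAX_UINT256), the classic approval-phishing payload.
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64

if __name__ == "__main__":
    print(assess(UNLIMITED_APPROVE))
```

An unlimited approve is not harmful by itself; the harm arrives later when the backend's withdrawal code calls transferFrom against the allowance, so the only point at which the victim can still say no is the signing prompt. The same decoder also shows why "transfer" is a separate label: there is no allowance to revoke afterwards.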

Do you think this is the end?


Do you think their targets are only phishing sites imitating wallets like MetaMask, imToken and TokenPocket?

In fact, besides cloning these well-known wallets, they also build fake trading platforms for phishing. Let's take a look:


For example, under this IP, besides the phishing page and its backend, we found other things:


A fake trading-platform phishing site, and there is more than one:


A cryptocurrency phishing platform built on the Laravel framework:


A fake FTX phishing site built on the ThinkPHP framework:


Now look at the phishing scam templates sold openly online as a SaaS offering:


The scam platform supports most mainstream wallets (the wallets here are fakes built by the same operators).


The phishing industry chain for cryptocurrencies and NFTs is very mature: professional SaaS services, rapid deployment, online immediately.

Further investigation turned up the associated management system; shown below is the cloud-desktop management backend used to control the trading platform's data:


Clearly categorised and fully featured; the sophistication and professionalism of the black/grey market far exceeds what one would imagine.

Summary

This article has mapped the panorama of fake wallets from the technical side. Wallet phishing sites appear in an endless stream, cost very little to produce, and are backed by a professional industry chain. The scammers typically use tooling to clone well-known wallet project sites, then trick the user into entering a private key or mnemonic, or induce the user to sign a token approval. Verify the exact URL of any site before downloading from it or entering anything into it; do not click unknown links; and download only from the project's official web page or official channels, so that you are not phished.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/fake-wallet-panoramic-tracking-deeply-revealing-the-fake-wallet-fishing-industry-chain/