Foreword
Xiao A recently received a text message about an exchange promotion, so he typed "xx wallet official" into a browser, clicked the top link, downloaded the app, created a wallet and transferred his assets into it, all in one go. A little later Xiao A received a notification that the transfer had succeeded, and the balance shown in his wallet app, ERC20-USDT worth 10 million US dollars, had dropped to zero. Only then did Xiao A realize that the app was fake: he had downloaded the phishing app himself.
On November 24 last year, SlowMist published an analysis of the fake-wallet criminal industry, "SlowMist: Fake wallet apps have been stolen by tens of thousands of people, and the loss is as high as 1.3 billion US dollars". It is easy to imagine how much larger the losses have grown since then.
Analysis
Today we look at the scale of the fake-wallet problem from the big-data side.
1. MetaMask is currently the world's largest browser-extension wallet. In April 2021 ConsenSys, the parent company of MetaMask, said that monthly active users of the MetaMask wallet had exceeded 5 million, a five-fold increase in 6 months; in 2020 MetaMask had also announced that its monthly active users had grown four-fold year-on-year compared with 2019, and that its user base exceeded 80 million.
Such a large user base naturally makes MetaMask the first target of the criminal industry. Let's see how many fake MetaMask sites there are:
First, a search through a specialized search tool:
The search returned 20,000+ related results, of which 98% of the IPs/domain names were fake and scam links.
Following up further, for example by searching for "MetaMask Download":
At a glance these are all phishing websites. Anyone familiar with security will recognize that ports and services such as 888/HTTP and 8888/HTTP are the default configuration of the Baota (Pagoda) server panel; Baota's simplicity and ease of deployment have made it a favorite of black- and gray-market operators. All of the IPs/domain names above are fake and fraudulent links that lure users into visiting and downloading.
Let’s take a closer look at something interesting.
First search: MetaMask authorization management (the management back end used by the phishing operators)
These domain names all belong to the operators' management back ends. Pivoting across the related domain names, some of the captured domains and their resolution times are shown below:
The environment is Vue+PHP, deployed as follows:
2. imToken authorization management follows the same pattern:
TokenPocket authorization management:
Phishing back end:
Service industry chain behind the back end:
3. Once victim information has been collected in the back end, the attacker operates through the withdrawal API:
Let’s take a look at the code:
It consists of JavaScript for basic web services, configuration JS, and transfer JS.
Look at this line: var _0xodo='jsjiami.com.v6'. It has to be said that these operators are ahead of most legitimate websites: they are already applying full JavaScript obfuscation.
Configuration:
Here sc0vu/web3.php: "dev-master" is a PHP library for interacting with Ethereum and the blockchain ecosystem.
Analysis shows that once the attacker has obtained the private key and related information, the stolen assets are transferred out by calling api.html. This will not be repeated here.
Do you think this is the end?
Do you think their target is just a phishing website that fakes wallets like MetaMask, imToken, TokenPocket, etc.?
In fact, besides forging these well-known wallets, they also forge and host trading platforms for phishing. Let's take a look:
For example, under this IP, we found that in addition to the phishing page and the background, there are other information:
Fake trading platform phishing site, and there are more than one:
A cryptocurrency phishing platform built with the Laravel framework:
A fake FTX platform phishing site built with the ThinkPHP framework:
Let's look at the phishing scam templates sold online as a SaaS offering:
The scammer platform supports most mainstream wallets (the wallets here are likewise fakes made by the same operators).
The phishing industry chain for cryptocurrencies and NFTs is very mature: professional SaaS services, rapid deployment, and instantly online.
Further investigation turned up the related back-end management system. The figure below shows the cloud desktop management console used to control the trading platform's data:
The categories are clear and the functions complete; the sophistication and professionalism of black- and gray-market operations far exceed what one might imagine.
Summary
This article has mapped the landscape of fraudulent wallets from the technical side. Wallet phishing websites appear endlessly and cost very little to produce; a professional industry chain has formed around them. These scammers usually use ready-made tools to clone well-known wallet project websites, then trick users into entering their private key or mnemonic, or induce them to sign an authorization. It is recommended that you verify the URL of the site you are using before downloading anything or entering any information. At the same time, do not click unknown links, and download only through official web pages or official media channels to avoid being phished.
Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/fake-wallet-panoramic-tracking-deeply-revealing-the-fake-wallet-fishing-industry-chain/