August 9, 2020

About fraudulent schemes targeting Huobi, MyEtherWallet, and users

Malicious extensions or pages related to Huobi, although not very common, are no less dangerous than any other fraudulent schemes. I recently discovered a site with an airdrop for Huobi that used a MyEtherWallet phishing kit which was already familiar to me. You enter a public address and the site "checks" whether there are any Huobi Airdrop tokens at that address (these are actually fake tokens associated with other fraud). Even if you enter an address that holds none of the required tokens, the server still returns a response containing the phishing components.

When you enter your public address, the attacker's server returns a new HTML document: a HuobiGlobal phishing site with a fake MyEtherWallet. This HTML document contains a link to a PHP script that attracted my attention.

The redir.php script is a malicious set of components for MyEtherWallet designed to steal your keys.

This script saves your private key in a cookie and runs another PHP script.

A network request that stores a private key in a cookie and sends it to postback.php

If you enter your secret key, it will become available to attackers, and you will lose your money.

* * *

Since I had not come across a large number of Huobi phishing / fraud domains, I decided to search further. I came across an ERC20 token advertising an airdrop website in which ~20,000 Ethereum addresses took part.

With sufficient capital, this is used as a way to promote oneself in the blockchain sphere.

Website Token

If you look at the funding transactions for the address (through 19 proxy addresses, e.g. 0x0b88a083dc7b8ac2a84eba02e4acb2e5f2d3063c) and at the contracts created from the address 0x15ccc4ab2cfdb27fc4818bf481f7ed0352d8c6b3, you can see that the attacker:

  • created 18 contracts between blocks 6 708 041 and 7 249 374;
  • all but one of the contracts are advertising tokens; the exception is just a test contract;
  • the advertising token was sent to 62,132 addresses.

Here is a dump of the advertising-contract addresses created by 0x15cc ... c6b3 as of block 7362119:

And here is a dump of the proxy addresses used for the token airdrop. All of them were funded from address 0x15cc ... c6b3, and all proxy addresses held the same balance (after funding with 5 ETH and sending x transactions), so we can assume that they are all related to the scenario described.

Looking for

Summary (TL;DR): The site offers to install a browser extension that, by intercepting CSP headers and network requests, adds malicious scripts to the and pages.

So, I booted a virtual machine, went to the site and saw a page that looked like a real Google warning, which confused me a little: I did not know that Google detected such crypto-jacking...

Fake cryptocurrency warning

I tried turning on MetaMask, and the notification changed the look to a fake MetaMask warning, even though I know that MetaMask does not warn about crypto jacking.

Fake MetaMask Warning

One way or another, I decided to look at the source, and saw that it was related to the extension for Google Chrome; Extension ID: coigcglbjbcoklkkfnombicaacmkphcm (NoCoin - Block Coin Miners)

As of the beginning of March, when I conducted my experiment, this malicious extension had 230 users.

I thought that the links to this extension from the Google and MetaMask warning pages look very strange, and decided to investigate this issue in more detail.

Looking at “NoCoin - Block Coin Miners”

I started a new virtual machine (because I did not know what the extension would do, and besides, I had been sent to it from an untrusted / suspicious source).

At first, the extension seemed to do exactly what it claimed: it detects various crypto-jacking scripts (CoinHive, MinerAlt, WebminerPool) and reports the results through a clear user interface.

Judging by the UI, the extension does its job properly

I suspected that the extension's activity was unlikely to be limited to this, given the suspicious way I had been directed to it.

Looking into the source code, I noticed two things:

  • the extension monitors and intercepts all web requests by attaching an EventListener to onBeforeRequest and onHeadersReceived;
  • depending on network activity, it constructs a domain under .top (a top-level domain known for a lot of spam, according to Spamhaus).

This confirmed my impression that the extension's code does more than crypto-jacking detection, and I decided to experiment with this code.

First, I wanted to know what the EventListener for onHeadersReceived was doing, because it was overwriting the value of Content-Security-Policy.

The logic used to change the CSP for specific requests

I decided to modify the code so that it reproduces this logic with every request.

It turned out that the extension overwrites CSP in order to be able to "safely" embed code from unverified sources.

Now let's see what the EventListener for onBeforeRequest does. It checks whether the hash of the URL equals a specific value, and if so tells the browser to load a different resource via redirectUrl.

The logic used to load external resources through redirectUrl

However, this logic only executes if the URL hash has one of two values, but what are these hashes?

echo -n | md5sum


echo -n | md5sum


OK, so the extension intercepts requests to the domains and

Here is a list of domains controlled by an attacker:

Looking at

So, now we know that is a target and that the extension modifies the CSP policy so that it can redirect incoming requests to external resource addresses. Let's see what it does.

Since the code looks for the substring master or chunk in the resource, the main target on the domain is overwriting the etherwallet-master.js file.

We can observe this without allowing the CSP to be overridden.

So, now that we know that a malicious extension is replacing the main JS, let's enter our secret key and see where it sends it.

The script sends the secret key to another PHP script as part of the query string

Here it is, our secret key was sent to attackers.

Please note that since the CSP was overridden, we do not receive any notification about an attempt to load external resources; from the user's point of view, the extension works as intended, and the EV certificate remains untouched. The fact that the extension at the same time fulfils its claimed function of detecting crypto-jacking is also a rather smart decision, since its unwanted activity will go unnoticed by non-paranoid users for some time.

Looking at

We know that is another target, so let's modify the script a bit to capture the CSP and see what it tries to load.

We see that the extension is trying to download malicious versions of manifest.1550618679966.js, vendor.b18ffdf080.js and app.46d4854459.js as part of the login logic of the account.

What can be done to protect yourself?

You need to behave consciously and carefully. The responsibility for our safety lies with us. Beware of Greeks bearing gifts.

  • Never install extensions that can modify the DOM unless they come from a source you or a trusted party have verified.
  • Do not blindly trust security warnings that offer to install some software; in genuine MetaMask warnings (for example, about phishing), the extension address will always be displayed in the browser's address bar.
  • Never enter your private keys online; always use offline signing mechanisms (for example, Ledger Wallet, TREZOR or Parity Signer).

The domains involved in the campaign described in this article are listed on EtherScamDB:

They have also been blacklisted on MetaMask and EtherAddressLookup to protect you from visiting them.