Malicious extensions and pages targeting Huobi users are not very common, but they are no less dangerous than any other fraudulent scheme. I recently came across a Huobi airdrop site that reused a MyEtherWallet phishing kit I had already seen elsewhere. The site asked you to enter your public address and claimed to check whether it held any Huobi Airdrop tokens (in fact fake tokens tied to a different scam). Even if the address holds none of those tokens, the server still returns a response containing the phishing components.
When you submit your public address, the attacker's server returns a new HTML document: a HuobiGlobal phishing page with an embedded fake MyEtherWallet. This document references a PHP script that caught my attention.
That script stores the entered private key in a cookie and then invokes a second PHP script.
If you enter your private key here, it goes straight to the attackers and your funds will be drained.
* * *
Since I had not seen many Huobi phishing or fraud domains, I decided to dig further. I came across an ERC20 token used to advertise an airdrop website, distributed to roughly 20,000 Ethereum addresses.
With enough capital behind it, sending a token to many addresses is a common way to advertise in the blockchain space.
Looking at the funding transactions (routed through 19 proxy addresses, for example 0x0b88a083dc7b8ac2a84eba02e4acb2e5f2d3063c) and the contract creations from the address 0x15ccc4ab2cfdb27fc4818bf481f7ed0352d8c6b3, you can see that the attacker:
- created 18 contracts between blocks 6 708 041 and 7 249 374;
- all but one of the contracts advertise huobiairdrop.com; the exception is just a test contract;
- sent the token advertising huobiairdrop.com to 62,132 addresses.
Here is a dump, as of block 7362119, of the contracts created by 0x15cc...c6b3 that advertise huobiairdrop.com:
And here is a dump of the proxy addresses used to airdrop the tokens. All of them were funded from 0x15cc...c6b3 and all ended up holding the same balance (after being funded with 5 ETH and sending x transactions), so we can assume they all belong to the operation described here.
Looking for huobiairdrop.com
TL;DR: the site pushes a browser extension that intercepts network requests and rewrites CSP headers in order to inject malicious scripts into MyEtherWallet.com and Blockchain.com.
So I booted up a virtual machine and went to the domain. I saw a page that looked like a genuine Google warning, which confused me a little: I was not aware that Google detected crypto-jacking like this...
I tried enabling MetaMask, and the notification changed its look to a fake MetaMask warning, even though I know MetaMask does not warn about crypto-jacking.
Either way, I looked at the page source and saw that it pointed to a Google Chrome extension, ID coigcglbjbcoklkkfnombicaacmkphcm (NoCoin - Block Coin Miners).
Links to this extension from fake Google and MetaMask warning pages looked very odd to me, so I decided to investigate in more detail.
Looking at “NoCoin - Block Coin Miners”
I spun up a fresh virtual machine (I did not know what the extension would do, and I had been directed to it from an untrusted, suspicious source).
At first the extension seemed to do exactly what it claimed: it detects various crypto-jacking scripts (CoinHive, MinerAlt, WebminerPool) and reports the results through a clean user interface.
Given the suspicious route by which I had arrived at it, I doubted that this was all the extension did.
Looking into the source code, I noticed two things:
- the extension observes and intercepts all web requests by registering listeners on webRequest.onBeforeRequest and webRequest.onHeadersReceived;
- depending on the network activity it saw, it constructed a domain under .top (a top-level domain that Spamhaus lists as heavily abused for spam).
This confirmed my impression that the extension's code went well beyond crypto-jacking detection, so I decided to experiment with it.
First I wanted to understand what the onHeadersReceived listener was doing, since it was overwriting the value of the Content-Security-Policy header.
I modified the code so that it applied this logic to every request.
It turned out that the extension overwrites the CSP so that it can "safely" load code from sources the page's own policy would otherwise block.
Now let's see what the onBeforeRequest listener does. It checks whether a hash of the request URL matches a specific value, and if so tells the browser to load a different resource via redirectUrl.
This logic only runs if the hash is one of two values. So what are these hashes?
echo -n blockchain.com | md5sum
echo -n myetherwallet.com | md5sum
OK, so the extension intercepts requests to the domains blockchain.com and myetherwallet.com.
Here is the list of attacker-controlled domains:
Looking at MyEtherWallet.com
So now we know that myetherwallet.com is a target and that the extension rewrites the CSP so that it can redirect the page's own requests to external resources. Let's see what it does.
Since the code looks for the substrings master or chunk in the requested resource, the main target is vintage.myetherwallet.com, where it replaces the etherwallet-master.js file.
We can observe this even without letting it tamper with the CSP.
Now that we know the malicious extension swaps out the main JS bundle, let's enter a private key and see where it is sent.
There it is: our private key was sent to the attackers.
Note that because the CSP was rewritten, there is no notification of any attempt to load external resources; from the user's point of view the page works as intended and the EV certificate is still displayed. That the extension genuinely does detect crypto-jacking is also a rather smart move, since its unwanted activity will go unnoticed by non-paranoid users for some time.
Looking at Blockchain.com
We know blockchain.com is the other target, so let's tweak the script a little to intercept the CSP rewrite and see what it tries to load.
We see the extension trying to load malicious versions of manifest.1550618679966.js, vendor.b18ffdf080.js and app.46d4854459.js as part of the account login flow.
What can be done to protect yourself?
Be deliberate and careful. Responsibility for our own security lies with us. Beware of Greeks bearing gifts.
- Never install an extension that can modify the DOM unless it has been vetted by you or by a source you trust.
- Do not blindly trust security warnings that ask you to install software; a genuine MetaMask warning (for example, its phishing warning) always shows the extension's own address in the browser's address bar.
- Never enter your private keys online; always use an offline signing mechanism (for example, Ledger, TREZOR or Parity Signer).
The domains involved in the campaign described in this article are listed in EtherScamDB:
They have also been blacklisted in MetaMask and EtherAddressLookup to keep you from visiting them.
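Vetting an extension starts with its manifest: everything the extension above did requires the `webRequest` and `webRequestBlocking` permissions together with host access to every origin, and an injected detector UI needs a content script on every page. The following is an added example of my own (not from the article and not NoCoin's manifest) that flags that capability set in an unpacked extension's manifest.json; the sample manifest is constructed to show what a hit looks like.

```javascript
// Added example: first-pass triage of an unpacked extension's manifest.json.
// The manifest below is constructed for illustration, not taken from any real extension.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: 'Example Coin Miner Blocker',
  version: '1.0',
  permissions: ['storage', 'webRequest', 'webRequestBlocking', '<all_urls>'],
  background: { scripts: ['background.js'] },
  content_scripts: [{ matches: ['<all_urls>'], js: ['detect.js'] }],
});

// Match patterns that grant access to every origin.
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function triageManifest(manifestText) {
  const m = JSON.parse(manifestText);
  // MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
  const perms = new Set([...(m.permissions || []), ...(m.host_permissions || [])]);
  const findings = [];

  if (perms.has('webRequest') && perms.has('webRequestBlocking')) {
    findings.push('webRequest + webRequestBlocking: can redirect requests and rewrite response headers such as Content-Security-Policy');
  }
  if ([...perms].some((p) => BROAD_HOSTS.includes(p))) {
    findings.push('host access to every origin');
  }
  const everywhere = (m.content_scripts || []).filter((cs) =>
    (cs.matches || []).some((p) => BROAD_HOSTS.includes(p))
  );
  if (everywhere.length > 0) {
    const files = everywhere.map((cs) => (cs.js || []).join(',')).join('; ');
    findings.push(`content script injected into every page: ${files}`);
  }
  if (perms.has('declarativeNetRequest') || m.declarative_net_request) {
    findings.push('declarativeNetRequest: can redirect or modify requests without webRequest');
  }
  return { name: m.name, manifestVersion: m.manifest_version, findings };
}

console.log(triageManifest(SAMPLE_MANIFEST));
```

A non-empty findings list is not proof of malice (an ad blocker legitimately needs the same permissions), but it tells you that the extension is in a position to do what NoCoin did, and that its background script deserves a read before you trust it with a wallet site.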