Ethereum Phishing Attack Nets Criminals 15K in Two Hours

As the price of bitcoins continues to soar, there is a lot of interest in other cryptocurrencies that have built upon and integrated new features that are not available in bitcoins. Once such currency is called Ethereum, which at the time of this writing has a market price of $296 USD. Unfortunately, when something becomes popular and valuable, someone ultimately comes along to spoil the fun by trying to scam people for their own profit.

This is exactly what was discovered by security researcher Wesley Neelen when a phishing scam for the Ethereum cryptocurrency landed in his inbox. According to Nellen, he received a phishing email that pretended to be from the legitimate online Ethereum wallet site Myetherwallet.com.

This scam, which is shown below, states that Myetherwallet implemented an update for an “upcoming hard fork” and that they require people to click on an enclosed link, unlock their account, and confirm their balances.

If someone clicked on the link they would be brought to a site that looked identical to the legitimate Myetherwallet.com site. Observant visitors, may have noticed something strange, though, which is a small comma underneath the t in the site’s address. You can see comma designated by the red arrow in the image below.

The phishers were able to do this because they used a Unicode trick that allows them to register domains that contain Unicode characters that look very similar to Latin characters.  This allows them to create very convincing sites that can pass of as the real thing to most visitors.

If someone entered their wallet password, the phishers would use this password to a victim’s wallet and transfer the coins to their own. While Neelen didn’t fall for this scam, when he analyzed the phishing site, he found that some people unfortunately did.

Not wise to try a phishing scam on a pentester

When the phishers sent Neelan the email, little did they know that they were targeting someone who does ethical hacking and computer penetration testing for a living. When Neelan received the scam, he decided to investigate the site and see if he could find any accessible logs or source code.

In the course of performing this investigation with one his colleagues named Rik van Duijn, they discovered a log file that contained a list of all of the wallets stolen by the scammers. When examining the log it was found that one stolen wallets had 42.5 Etherium in it. This is worth approximately $12,500 at the time of the attack. 

Also included were other wallets for a total of 52.56 ETH, or $15,875.65. These coins were then transfered out of the wallet to three other wallets owned by the scammers.

Overall, a very profitable 2 hours.