Phishing scammer stalks Hedera users, addresses poison earns $70,000 – Cointelegraph Magazine
4 months ago Benito Santiago
Crypto-Sec is a bi-weekly collection of crypto and cyber security stories and tips.
Table of Contents
ToggleBiggest Phishing of the Week: Attacker Targets Hacker Users
On June 26, Hedera's marketing email was hacked, with the attacker sending phishing emails to the group's subscribers. Hedera is the developer of Hedera Hashgraph, launched in 2018.
In a post to X, the group acknowledged the hack and warned users not to click on any links in marketing@hedera emails.
The marketing@hedera email has been compromised. Do not open any emails or links from this address. We will provide more details soon.
— Hedera (@hedera) June 26, 2024
Phishing is a technique in which an attacker pretends to be a trusted source and convinces the user to provide information or perform an action the attacker wants. In this case, the attacker used a hacked header email to impersonate a representative of the development team.
The group has not yet revealed what was in the phishing emails. However, most crypto-phishing emails offer an interesting reward, such as a token token, if the user clicks on a link to navigate to the attacker's fake website, which often appears to be from a trusted source. When the user connects to the website with their wallet, they will be asked to provide token approvals to receive the airdrop.
However, these authentications allow the attacker to extract the user's wallet instead of allowing the user to access the airdrop. Users should be more careful when clicking on links in emails, even if the emails are from trusted sources. As Hedera's example shows, even trusted email addresses can be hacked or hacked.
Hedera's team promises to provide more details soon. Cointelegraph was unable to determine how much crypto, if any, was lost as a result of phishing emails at the time of publication.
White Hat Corner: Fixed a MoveIt file transfer vulnerability.
Security researchers have discovered a critical vulnerability in Progress's MoveIt file transfer software, according to a release from the software's development team. However, the vulnerability has been fixed in the current version.
Some large businesses use MoveIt Transfer to transfer files between employees. These files may contain customer data, private keys, or other confidential information. According to a report by cyber security firm Vatower Labs, the vulnerability allowed an attacker to impersonate any user on an enterprise network as long as they knew the username.
In order to carry out the attack, the hacker had to provide a username to the server. In response, the server requests the user's private key. But instead of generating the actual key (which the attacker may not know), they can provide a file path that contains a fake key they've generated themselves.
The MoveIt software creates an empty string as a public key due to exceptions in the way it handles this state. As a result, the verification seems to have failed. However, even though the authentication returns an error message and appears to fail, the critical “statuscode” variable used to block invalid users treats the attacker as if they authenticated correctly.
Also read
Main characteristics
Crypto-Sec: $11M Bittensor phish, UwU Lend and Curve fake news, $22M Lykke Hack
Main characteristics
‘Crypto Is Inevitable' So We're Going ‘All In': Meet Vance Spencer, Permabul
As a result, the attacker can access any files that the real user has access to, allowing them to access sensitive client or customer data.
In the year A June 25 update fixed the vulnerability. However, some businesses may not have upgraded to the latest version yet. According to the developer, “We strongly urge all MOVEit Transfer customers on versions 2023.0, 2023.1 and 2024.0 to upgrade to the latest patched version immediately.
The company said MoveIt Cloud was not affected by the vulnerability because it had already been patched.
Address poisoning attack
A blockchain security firm suffered a major address poisoning attack on June 28. The victim lost more than $70,000 worth of USDT.
The attack began on June 25, when the victim transferred 10,000 USDT to a Binance deposit address starting with “0xFd0C0318” and ending with “1630C11B”.
Soon after, the attacker sent 10,000 fake USDT from the victim's account to an account controlled by the attacker. This transfer was not authorized by the victim but was successful because the fake token had a malicious transfer function.
The addresses to which these fake tokens were sent ended with “0xFd0Cc46B” and “6430c11B”, containing the same first six and last four characters of the victim's Binance deposit address. The attacker may have used a vanity address generator to create this same address.
Two days later, on June 27, the victim sent 70,000 USDT to this malicious address. The victim probably cut and pasted the address from their transaction history with the intention of depositing the funds into Binance. However, Binance did not accept the money, and now they are in the hands of the attacker.
The Tether development team can bind wallet addresses that hold USDT. However, they generally stop an address only after a request from law enforcement. At the time of publication, this wallet still holds USDT and has not yet been exchanged for other tokens, so a freeze has already occurred. If the address hasn't been blocked yet, there's still time to file a complaint, and the victim can still get their money back.
However, the attacker may exchange the USDT for Ether or other cryptocurrencies before the address freezes, in which case the funds will be more difficult to recover.
Crypto users should be aware that some wallet applications upload transaction history directly from the blockchain. As a result, they sometimes show transactions from the user when they are, in fact, from a third party. Users are advised to verify all characters of the address before sending a transaction, not just the first and last characters.
Unfortunately for this user, they may have learned this lesson at a high price as they could be $70,000 poorer because of this mistake.
centralized exchanges
On June 22, Istanbul-based crypto exchange BtcTurk was exploited with a stolen private key. The exchange acknowledged the attack the next day. According to Google's translation, the statement reads in part: “Dear User, On June 22, 2024, our teams discovered a cyber attack on the platform that is out of control. [losses] must be taken.”
The exchange stated that the attack only happened on hot wallets and that most of the assets were safe. It also said it had sufficient “financial strength” to reimburse consumers for losses and that customer balances would not be affected.
Cyber security firm Halborn lost more than $55 million to BtcTurk in the attack.
According to onchain sleuth ZackXBT, the attacker may have deposited 1.96 million AVAX ($54.2 million) into the central exchange Coinbase, Binance and Gate, which was later exchanged for Bitcoin. AVAX has been transferred.
AVAX fell by 10%, apparently due to these changes.
Centralized exchanges are reported to and from the depository. Source: (ZachXBT, Telegram)
After the attack, BtcTurk launched new fresh wallets with private keys not under the control of the attacker. The exchange strongly urges users not to use old deposit addresses, as any funds sent to them could be stolen by an attacker. Instead, users must log in using new addresses available in the app's interface.
Subscribe
A very engaging read in Blockchain. It is given once a week.
Christopher Roark
Some say he's a white hat hacker who lives in the dark mining hills of the Dakotas and pretends to be a child crossing guard to throw the NSA off the hook. All we know is that Christopher Roark has a pathological interest in hunting down fraudsters and hackers.
