Hunting Huobi, MyEtherWallet, and Blockchain.info Scams
Huobi-related scams aren’t seen very often, but they’re still just as dangerous as every other scam.
I recently discovered an airdrop site for Huobi that used a different MyEtherWallet phishing kit to what I am used to finding.
It asked for a public address and checked to see if you have Huobi Airdrop tokens (which are actually fake tokens related to another Huobi scam, below). If you enter an address that doesn’t have the tokens required, you can still find the phishkit in the server response.
When you input your public address, it requests their server and returns a new HTML document — a HuobiGlobal phishing site that also brings up a fake MyEtherWallet. This HTML document contains a link to a
PHP script that caught my attention.
This MyEtherWallet kit stores your private key into a
Cookie and hits another
If you input your private key, it would be accessed, and you would lose your funds.
Since I haven’t come across that many Huobi phishing/scam domains, I decided to look for more. I came across an ERC20 token that was advertising a website that was airdropped to ~20,000 Ethereum addresses.
With some capital, this is a method to advertise in the blockchain space.
If we look at the address funding the transactions (via 19 proxy addresses (i.e.:
0x0b88a083dc7b8ac2a84eba02e4acb2e5f2d3063c) and contract creation from
0x15ccc4ab2cfdb27fc4818bf481f7ed0352d8c6b3, we can see that the bad actor has:
- Created 18 contracts between block 6,708,041 and 7,249,374
- All but 1 contract address advertises
huobiairdrop.com— the other is just a test.
- 62,132 addresses were sent a token that advertises
Here’s a dump of contract addresses that were created by
0x15cc...c6b3 and advertising
huobiairdrop.com as of block 7,362,119.
Here’s a dump of proxy addresses used to airdrop the tokens — all funded from the
0x15cc...c6b3 address — all these proxy addresses hold similar values (after being funded with 5 ETH and sending x transactions) so assuming this is all scripted.
Looking at huobiairdrop.com
TL;DR: It gets you to install a browser extension which injects malicious scripts into MyEtherWallet.com and Blockchain.com by hijacking the CSP headers and network requests.
So, I loaded up a VM and hit the domain and I saw a legitimate looking Google Alert view that had me confused — I didn’t know Google detected Cryptojacking like this…
I decided to enable MetaMask and they changed the view to fake a MetaMask warning — something I know MetaMask doesn’t warn against.
Anyway, I decided to view the source and saw that it was linking me to a Google Chrome Browser Extension — extension ID:
coigcglbjbcoklkkfnombicaacmkphcm (NoCoin — Block Coin Miners)
I thought this was very weird — Google AND MetaMask “referring” users to this Browser extension. I decided to investigate.
Looking into “NoCoin — Block Coin Miners”
I decided to launch a fresh VM (since I didn’t know what it would do and I came from an untrusted/suspicious source) and investigate.
From the start, it looked like it did what it should — it was detected various CryptoJacking scripts (CoinHive, MinerAlt, WebminerPool) and there was a nice UI to let me know it was doing its job.
I thought there had to be more to it since my suspicious user-journey to install it.
I looked into the source of it and noticed two things:
- It monitors/hijacks all web requests by attaching an EventListener to
- Depending on the network activity, it would construct a domain on the
.topTLD (known to host a lot of spam according to SPAMHAUS)
This seemed weird because it looked like this code was out of the scope of detecting CryptoJacking. I decided to debug this.
First, I wanted to know what the EventListener was doing for
onHeadersReceived because it was overwriting the
I decided to modify the code so it would execute the logic on every request.
Yikes! Ok, so it overwrites the CSP so it can “safely” inject code from untrusted sources… seems very out-of-scope for a CryptoJacking detection extension.
Now, let’s see what it does with the
onBeforeRequest EventListener. It checks to see if the URL is equal to a specific hash, then tells Chrome to load a separate resource by using
But this logic only runs if the URL hash is one of 2 — but what are these hashes?
echo -n blockchain.com | md5sum
425d95e3b753c1afb3871c66a858a4c9echo -n myetherwallet.com | md5sum
Ok, so it hijacks requests for things on
Here’s a list of domains that the extension hits that are in control of the bad actor
Looking at MyEtherWallet.com
So now we know
myetherwallet.com is a target, and it hijacks the CSP policy to inject foreign resources, let’s see what it does.
Since the code is looking for
chunk substring in the resource, the main target is the
vintage.myetherwallet.com domain to overwrite the
We can take a look at it by not allowing the CSP hijack.
So, now we know the main JS is being replaced by the malicious browser extension, let’s input our private key and see where they send it off to.
And that’s it, our private key has been sent to the bad actors.
Note that since the CSP has been hijacked, we get no notices about trying to load foreign resources and to the user, the software works as intended and the EV cert is fully intact. What’s even clever is that the browser extension does what it was advertised to do, so it could go unnoticed to the non-paranoid user for some time.
Looking at Blockchain.com
We also know that
blockchain.com is a target, so let’s modify the script to now hijack the CSP and see what it’s trying to load.
We can see that it’s trying to load malicious versions of;
app.46d4854459.js within the login logic.
What can I do to stay safe?
We have to be careful on what we do. The duty is on you to ensure your maximum safety and security. Timeo Danaos et dona ferentes.
- Never install a browser extension that has the ability to modify the DOM that you/trusted source has not audited.
- Don’t blindly trust legitimate looking warnings to get you to install software (MetaMask warnings will always have their browser extension in the URL bar (like the phishing warning))
- Never enter your secrets online — always use an offline signing mechanism (i.e: Ledger Wallet, TREZOR, or Parity Signer)
The domains that are part of this campaign have been listed on EtherScamDB;