Hunting Huobi, MyEtherWallet, and Blockchain.info Scams

Huobi-related scams aren’t seen very often, but they’re still just as dangerous as every other scam.

Harry
Harry
Mar 14, 2019 · 6 min read

I recently discovered an airdrop site for Huobi that used a different MyEtherWallet phishing kit to what I am used to finding.

It asked for a public address and checked to see if you have Huobi Airdrop tokens (which are actually fake tokens related to another Huobi scam, below). If you enter an address that doesn’t have the tokens required, you can still find the phishkit in the server response.

When you input your public address, it requests their server and returns a new HTML document — a HuobiGlobal phishing site that also brings up a fake MyEtherWallet. This HTML document contains a link to a PHP script that caught my attention.

This MyEtherWallet kit stores your private key into a Cookie and hits another PHP script.

If you input your private key, it would be accessed, and you would lose your funds.


Since I haven’t come across that many Huobi phishing/scam domains, I decided to look for more. I came across an ERC20 token that was advertising a website that was airdropped to ~20,000 Ethereum addresses.

With some capital, this is a method to advertise in the blockchain space.

If we look at the address funding the transactions (via 19 proxy addresses (i.e.: 0x0b88a083dc7b8ac2a84eba02e4acb2e5f2d3063c) and contract creation from 0x15ccc4ab2cfdb27fc4818bf481f7ed0352d8c6b3, we can see that the bad actor has:

  • Created 18 contracts between block 6,708,041 and 7,249,374
  • All but 1 contract address advertises huobiairdrop.com — the other is just a test.
  • 62,132 addresses were sent a token that advertises huobiairdrop.com

Here’s a dump of contract addresses that were created by 0x15cc...c6b3 and advertising huobiairdrop.com as of block 7,362,119.

Here’s a dump of proxy addresses used to airdrop the tokens — all funded from the 0x15cc...c6b3 address — all these proxy addresses hold similar values (after being funded with 5 ETH and sending x transactions) so assuming this is all scripted.

Looking at huobiairdrop.com

TL;DR: It gets you to install a browser extension which injects malicious scripts into MyEtherWallet.com and Blockchain.com by hijacking the CSP headers and network requests.

So, I loaded up a VM and hit the domain and I saw a legitimate looking Google Alert view that had me confused — I didn’t know Google detected Cryptojacking like this…

I decided to enable MetaMask and they changed the view to fake a MetaMask warning — something I know MetaMask doesn’t warn against.

Anyway, I decided to view the source and saw that it was linking me to a Google Chrome Browser Extension — extension ID:coigcglbjbcoklkkfnombicaacmkphcm (NoCoin — Block Coin Miners)

I thought this was very weird — Google AND MetaMask “referring” users to this Browser extension. I decided to investigate.

Looking into “NoCoin — Block Coin Miners”

I decided to launch a fresh VM (since I didn’t know what it would do and I came from an untrusted/suspicious source) and investigate.

From the start, it looked like it did what it should — it was detected various CryptoJacking scripts (CoinHive, MinerAlt, WebminerPool) and there was a nice UI to let me know it was doing its job.

I thought there had to be more to it since my suspicious user-journey to install it.

I looked into the source of it and noticed two things:

  • It monitors/hijacks all web requests by attaching an EventListener to onBeforeRequest and onHeadersReceived
  • Depending on the network activity, it would construct a domain on the .top TLD (known to host a lot of spam according to SPAMHAUS)

This seemed weird because it looked like this code was out of the scope of detecting CryptoJacking. I decided to debug this.

First, I wanted to know what the EventListener was doing for onHeadersReceived because it was overwriting the Content-Security-Policy value.

I decided to modify the code so it would execute the logic on every request.

Yikes! Ok, so it overwrites the CSP so it can “safely” inject code from untrusted sources… seems very out-of-scope for a CryptoJacking detection extension.

Now, let’s see what it does with the onBeforeRequest EventListener. It checks to see if the URL is equal to a specific hash, then tells Chrome to load a separate resource by using redirectUrl

But this logic only runs if the URL hash is one of 2 — but what are these hashes?

Ok, so it hijacks requests for things on blockchain.com and myetherwallet.com domains.

Here’s a list of domains that the extension hits that are in control of the bad actor

Looking at MyEtherWallet.com

So now we know myetherwallet.com is a target, and it hijacks the CSP policy to inject foreign resources, let’s see what it does.

Since the code is looking for master or chunk substring in the resource, the main target is the vintage.myetherwallet.com domain to overwrite the etherwallet-master.js file.

We can take a look at it by not allowing the CSP hijack.

So, now we know the main JS is being replaced by the malicious browser extension, let’s input our private key and see where they send it off to.

And that’s it, our private key has been sent to the bad actors.

Note that since the CSP has been hijacked, we get no notices about trying to load foreign resources and to the user, the software works as intended and the EV cert is fully intact. What’s even clever is that the browser extension does what it was advertised to do, so it could go unnoticed to the non-paranoid user for some time.

Looking at Blockchain.com

We also know that blockchain.com is a target, so let’s modify the script to now hijack the CSP and see what it’s trying to load.

We can see that it’s trying to load malicious versions of; manifest.1550618679966.js , vendor.b18ffdf080.js , app.46d4854459.js within the login logic.

What can I do to stay safe?

We have to be careful on what we do. The duty is on you to ensure your maximum safety and security. Timeo Danaos et dona ferentes.

  • Never install a browser extension that has the ability to modify the DOM that you/trusted source has not audited.
  • Don’t blindly trust legitimate looking warnings to get you to install software (MetaMask warnings will always have their browser extension in the URL bar (like the phishing warning))
  • Never enter your secrets online — always use an offline signing mechanism (i.e: Ledger Wallet, TREZOR, or Parity Signer)

The domains that are part of this campaign have been listed on EtherScamDB;

They have been blacklisted on MetaMask and EtherAddressLookup to prevent you from visiting them.

-Harry

MyCrypto

The Official MyCrypto Blog

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store