The Trust-Trading Scam Kit

Before you read this, REMEMBER NOBODY IS GIVING AWAY FREE MONEY.

Harry
Dec 11, 2018 · 6 min read
don’t believe their lies

Recently I came across a server hosting around 60 trust-trading domains and the server was [incorrectly] configured so that if you navigated to the server IP on port 443 directly, it exposed the DirectoryIndex — lovely, another incompetent scamming sysadmin group.

After figuring this out, I noticed they had also left two .zip files on the server which were holding the Trust-Trading scam kits for each domain. So, I downloaded everything so we can examine it all locally.

A list of zip files within the directory — about 23MB of data

I then unzipped elon-share.info.zip and sites-11.jul.zip and examined the directories inside.

A list of directories contained in both of the zipped directories

Great! This is a lot of data — even if it’s just known and unknown domains that will be used for this type of scam.

Let’s do a quick grep on the known trust-trading fingerprint to find the bad actor addresses and get the unique ones — see addresses.txt contents.

harrydenley@DESKTOP-OFTSSLU: cat addresses.txt | cut -d " " -f2 | sort -n | uniq

Now that we have a dump of addresses, let’s dump the directories named after domains.

harrydenley@DESKTOP-OFTSSLU: ls -la | grep -E "\.(com|org|cc|gg|gift)$" | awk '{print $9}' | sort -g
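As an added example (not from the original post), here is a Python equivalent of the addresses.txt and domain-directory steps above: it walks an extracted kit root, treats each domain-named directory as one campaign, pulls Ethereum and Bitcoin addresses out of its text files, and de-duplicates them across kits. The kit layout and file contents are constructed sample data; the Ethereum address is the one named later in the post and the Bitcoin address is the Bitcoin wiki's documentation example.

```python
import os
import re
import tempfile

# Coarse, syntactic patterns for the two coin types used by these kits
# (no checksum validation; good enough for a first triage pass).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b")
# Kit directories are named after the domain they were served from.
DOMAIN_DIR_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|org|cc|gg|gift|info)$")
TEXT_EXT = {".html", ".htm", ".js", ".php", ".txt"}

def extract_addresses(root):
    """Map each domain-named directory under root to the ETH/BTC addresses
    found in its text files (the addresses.txt step)."""
    found = {}
    for domain in sorted(os.listdir(root)):
        path = os.path.join(root, domain)
        if not (os.path.isdir(path) and DOMAIN_DIR_RE.match(domain)):
            continue  # skip non-kit directories such as index_files/
        hits = {"eth": set(), "btc": set()}
        for dirpath, _, files in os.walk(path):
            for name in files:
                if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                    continue
                with open(os.path.join(dirpath, name), errors="ignore") as fh:
                    data = fh.read()
                hits["eth"].update(a.lower() for a in ETH_RE.findall(data))
                hits["btc"].update(BTC_RE.findall(data))
        found[domain] = hits
    return found

def unique_addresses(found):
    """Equivalent of `cut -d' ' -f2 | sort | uniq` over addresses.txt."""
    eth = sorted({a for h in found.values() for a in h["eth"]})
    btc = sorted({a for h in found.values() for a in h["btc"]})
    return eth, btc

def domains_using(found, address):
    """Inverse of `grep <domain> addresses.txt`: which kits cash out to this address."""
    address = address.lower() if address.startswith("0x") else address
    return sorted(d for d, h in found.items() if address in h["eth"] | h["btc"])

def build_sample_kit():
    """Write a constructed kit layout to a temp directory and return its path."""
    root = tempfile.mkdtemp()
    eth = "0x1d7bc400d3c6d9d37ec54d0e729cbadd06dc0390"  # address named in the post
    btc = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"           # Bitcoin wiki example address
    files = {  # constructed contents; same ETH address reused across two kits
        "elon-gift.com/index.html": f"<p>Send 0.1 ETH to <b>{eth}</b></p><p>or BTC to {btc}</p>",
        "elon-share.info/js/app.js": f'var wallet = "{eth[:2] + eth[2:].upper()}";',
        "index_files/readme.txt": f"unrelated: {btc}",  # not a domain dir, must be skipped
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```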

Looking at the code (from sites-11-jul.zip)

Using ethplorer we can determine which Ethereum address was most effective (the most ETH value went through it), and then we can look at the code behind that specific campaign.

The most “successful” address for the bad actors was 0x1d7bc400d3c6d9d37ec54d0e729cbadd06dc0390, which had a total of 61.966 ETH going through it. This address belongs to the elon-gift.com domain.

The kit behind this domain runs 3 different campaigns — only one was Ethereum based; the others were Bitcoin based.

harrydenley@DESKTOP-OFTSSLU: grep "elon-gift.com" addresses.txt

The Bitcoin campaigns stole 2.27509273 BTC — a fairly successful campaign even at today’s prices ($9,601.12 USD).

Having a look at the code running it, we can see they all have pretty much the same .htaccess file.

The .htaccess file contents
  • If the client is connecting without HTTPS, force them to use HTTPS with a RewriteRule (based on the RewriteCond).
  • Turn off the option to browse the directory index (only relevant if index.html doesn’t exist — it does here, but it’s nice to cover).
  • For some reason, make the directory index fancy with headings — even though directory listing is disabled on line 4.

Now, the site looks much like the ones we are used to, but it has an added feature that turns users into victims: it incorporates a familiar interface component from etherscan.io, the comments section, with a pinned moderator comment (which actually mimics my profile on the Etherscan DISQUS channel, where I am a volunteer moderator) as well as fake comments saying everything is legitimate.

A screenshot displaying the typical design of these Trust-Trading sites
A screenshot of the fake DISQUS channel with a pinned comment from a moderator

The files are all the same across the kits, except for the branding and the address to send funds to. Here’s an example of the files:

An example of the files found in these trust-trading kits

Looking at the code (from elon-share-info.zip)

This kit is a little different in terms of files, as it also loads local images — some of the images in the /index_files/ directory are totally unrelated to the scam kit, which is very interesting.

The images found in /index_files/ directory

What’s interesting is the following:

  • 1__FB-MbhCP6dUlQVJalt8Cw.jpeg is Zat Rana (from StyleGuide)
  • 0_xWNCv9gALD3YGOwB.ong is a random cartoon drawing, possibly made in MS Paint
  • 0_nl3cCLoFQlkX2dwt.jpg is an unidentified guy wearing glasses looking to the left
  • 1_2HOTxT2gWf8GVaeYYG6TWQ.jpg is a profile shot of an unidentified guy

Let’s look at the server

The IP of the server we found this on is 162.144.47.96 — we’ve archived this on urlscan.

harrydenley@DESKTOP-OFTSSLU: whois 162.144.47.96

The server is hosted in Provo, United States, and managed by AS46606 (UNIFIEDLAYER-AS-1 — Unified Layer, US).

The server is running cPanel (cPanel Login and WHM Login).

Abuse reports have been submitted to Unified Layer about the user running these scam websites.

As always, trust-trading is never going to be legitimate, never going to be worth your time. Stay far away and remember that nobody is ever going to give you money for free.

MyCrypto

The Official MyCrypto Blog
