26 Apr 2023
Fake crypto websites are constantly rolled out as part of ever more elaborate cryptocurrency scams.
"Most crypto scams aren't really new so much as wrapping up an old gimmick in new clothes."
Below, we're dissecting one of these scams to help you:
Most crypto scams aren't really new so much as wrapping up an old gimmick in new clothes.
In Terry Pratchett's delightful novel "Going Postal," he talks about how difficult it is to scam an honest person. But someone greedy and wanting to take advantage of others is an easy mark.
And while the book was published in 2004, well before Bitcoin was even established, the spirit of such a scam is alive and well in this DM I received on Twitter.
In the screenshot, it seems as though they've just accidentally given you access to an account with 41BTC on it ($1.5 million).
An honest person would delete the message as it wasn't for them. A very honest person would respond and let them know they'd made a mistake.
But they're betting that you're a greedy mark, will think that maybe this is some elderly relative and that you'll take advantage of a mistake.
The LoginURL is still active, so I'm not sharing it, but the site looks like a normal albeit bare-bones crypto exchange site.
After logging in (with the "leaked" credentials), you'll find that the only way to transfer the money out is to put in your credentials for a more reputable exchange (Coinbase).
At this point, they remotely log into your Coinbase account and transfer all your funds to their own wallet, leaving you nothing.
So, how to spot this? While your greatest defense is not being a scumbag who rips off the elderly, a close second is looking into the domain and IP address reputation of these sites.
Note: while there are lists of fake crypto exchanges that get published, it's so easy to slap a new domain on a site that they're near worthless, as it's impossible to keep them up to date.
Currently, the domain is not on any of the normal "bad domain" lists like Google's Harmful Site list.
However, by resolving the IP address of the domain with https://www.whatsmydns.net/, I was able to look up its reputation...and it's really bad.
The report shows a couple of big things:
SpamHaus is (as you would guess) involved with stopping email spam.
But in practice, hijacked hosts and ISPs that don't filter their traffic get used for all sorts of attacks.
You can access the IP Lookup tool used above here:
It's free and ties into the open-source web app firewall project we're building.
We're on a mission to better secure every web app on internet. Here's some ways you can jump in:
Wafris is the free open source WAF that you can use to understand and visualize the requests hitting your apps and then take steps to protect them. It's still in early development, but you can signup for the waitlist to get early access at wafris.org
Bad bots and probes hit sites within minutes of being put on the Internet. Sort the good from the bad by identifying request IPs as coming from bots, Tor networks, VPNs, proxies and malware hosts at wafris.org/ip-lookup
If you have any questions or need help finding the right way to handle web app security issues, please let us know at: email@example.com