Multiple exchanges were attacked by email phishing, and BTC worth more than $400,000 may have been stolen

According to SlowMist Technology, a number of digital currency exchanges recently reported to the SlowMist security team that they had received blackmail messages.

The blackmailer sent an email or Telegram message to the exchange claiming that the exchange had a vulnerability and that, once attacked, the platform would become inaccessible. To obtain the vulnerability report, BTC had to be paid to a specified address. However, several exchanges stated that after they paid, the other party sent only a preliminary vulnerability report or did not respond at all.

SlowMist partner and security director Hai Zi Wang told Babbitt,

“Five exchanges have reported this to us. The blackmailers used different email addresses or Telegram IDs to send blackmail emails to the relevant persons in charge of the exchanges. The blackmail amount ranged from 0.1 BTC to 2 BTC, and different BTC addresses were used.”

As of press time, according to incomplete statistics, the blackmailer's Telegram IDs are @zed1331, @bbz12 and @samzzcyber, the email address is [email protected], and the BTC address is 3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy. The address has received approximately 43.45 BTC (approximately US$404,100), as shown in the figure below.

Screenshot from Blockchain.com

1

One Piece provided Babbitt with the original text of the fraudulent email (see the appendix at the end of the article). The email stated, "The exchange has a 'Web Service Integer Overflow' vulnerability. Once attacked, it will cause the Web server to crash and eventually become inaccessible... We can solve this type of vulnerability problem... To obtain a vulnerability report, you need to pay 2 BTC to the specified address."

It is worth noting that the email also claimed that "as of March 1, 2019, about $100,000 in bounties have been received, and the rewarding organizations include KuCoin, CoinSwitch, Phantasma, PlatonFinance, Vulnerability Analysis, STEX Exchange, XCOYNZ Project, etc."

One Piece revealed to Babbitt that after he contacted the relevant person in charge at the KuCoin exchange, that person confirmed that Telegram users had indeed reported the vulnerability (as shown below), but that KuCoin did not pay the 2 BTC bounty, and reminded everyone not to trust scammers.

Screenshot provided by KuCoin official

There is also a type of phishing email built around LinkedIn; its general content is as follows:

Hey, we have found a nifty integer overflow vulnerability on => https://www.xxx.com

Attacker could alter webserver. I have experience working to upgrade security for large exchanges, like xxx, and would like to propose about this.

May we go on to demonstrate this vuln?

You can verify me as a security researcher on LinkedIn as follows: => https://www.linkedin.com/in/xxxxx/

One Piece analyzed that,

“The email contains a LinkedIn link. Because you need to log in to your personal account to view personal information on the LinkedIn platform, when the exchange staff log in to their LinkedIn account to view the LinkedIn account information of the person who submitted the vulnerability (probably a phishing attacker), the attacker can also view the information of the exchange staff and obtain other information from their social platforms.”

2

In recent years, the amount of money in the digital currency market has exploded, and security risks such as market manipulation, trading platform risk, fraud risk and wallet risk are common.

In addition to the email phishing attacks described above, other types of phishing attack include domain name phishing (using a URL similar to the official website), Twitter "1 for 10" giveaway scams (pay 0.5-10 ETH and supposedly receive 5-100 ETH back), fake apps and fake staff, etc.

A "phishing attack" is an attacker disguising himself as a trustworthy person or organization in order to obtain the recipient's username, password, private key or other private information through email, messaging software, social media and so on.

One Piece believes that some exchanges were deceived in this email phishing campaign mainly because exchanges lack the professional capability to assess security vulnerabilities, and because information is siloed between exchanges, no single one can accurately judge the overall situation of the reported vulnerability. He said,

“For exchanges, no matter whether the other party has really discovered a vulnerability or not, as long as the price is right, they are willing to spend money to gamble. If the gamble is right, then the exchange can avoid a public relations crisis of the vulnerability being exposed, or reduce the possibility of the platform being attacked; if the gamble fails, the loss is not much and can be tolerated. Scammers take advantage of this mentality of the exchanges.”

For exchanges that are experiencing phishing attacks for the first time, he recommends:

“First, do not open any links or files sent by the attacker out of excitement, as they may contain Trojans or viruses. Second, do not transfer BTC to the attacker before the attacker tells you the exact details of the vulnerability. Finally, if an exchange cannot make an accurate judgment and handle the situation on its own, you can contact a security company for assistance.”
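One way to put the second recommendation into practice at the mail-triage stage is to flag inbound "vulnerability reports" that carry the indicators the quoted emails share (a BTC address, a payment demand in BTC, a vague crash claim, imgur "voucher" links, a Telegram handle, a request to verify the sender elsewhere). The following Python is an added example, not code from the article or from SlowMist; the samples, weights and threshold are constructed for illustration.

```python
import re

# Indicators drawn from the extortion emails quoted in the article; the
# weights and threshold below are assumptions for this example only.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
TELEGRAM = re.compile(r"(?<![\w/])@[A-Za-z]\w{4,31}")
IMGUR = re.compile(r"https?://(?:[a-z]+\.)?imgur\.com/\S+", re.I)
PAY_DEMAND = re.compile(r"\b(?:pay|payment|pricing|price|bounty)\b.{0,60}\bBTC\b", re.I | re.S)
VAGUE_VULN = re.compile(r"integer[\s-]*overflow|crash the web\s*server|unreachable", re.I)
EXTERNAL_PROOF = re.compile(r"linkedin\.com/in/|vouch", re.I)

WEIGHTS = {"btc_address": 2, "payment_demand": 3, "vague_vuln_claim": 1,
           "imgur_vouchers": 1, "telegram_handle": 1, "external_verification": 1}

def score_extortion_email(text: str) -> dict:
    """Flag the indicators present in an inbound 'vulnerability report' and
    return them with a weighted score and a triage verdict."""
    flags = {
        "btc_address": bool(BTC_ADDR.search(text)),
        "payment_demand": bool(PAY_DEMAND.search(text)),
        "vague_vuln_claim": bool(VAGUE_VULN.search(text)),
        "imgur_vouchers": len(IMGUR.findall(text)) > 0,
        "telegram_handle": bool(TELEGRAM.search(text)),
        "external_verification": bool(EXTERNAL_PROOF.search(text)),
    }
    score = sum(WEIGHTS[k] for k, hit in flags.items() if hit)
    verdict = "likely extortion" if score >= 4 else "review normally"
    return {"flags": flags, "score": score, "verdict": verdict,
            "btc_addresses": BTC_ADDR.findall(text)}

# Constructed sample assembled from the wording and indicators quoted in the article.
EXTORTION_SAMPLE = """From: @samzzcyber (Telegram)
It's more like an vulnerability which allows an attacker to crash the webserver
of the following website. "Integer -overflow" related. When exploited, the
webserver could crash and eventually be unreachable.
Vouches by companies: https://i.imgur.com/y0AXMCn.jpg https://i.imgur.com/l8D8g9p.jpg
Blockchain URL: => https://www.blockchain.com/btc/address/3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy
Pricing for the Infosec/Audit offered: => 2 BTC
"""

# Constructed sample of an ordinary coordinated-disclosure message, for contrast.
LEGIT_SAMPLE = """Hi security team, I found a stored XSS in the support ticket subject field.
Steps to reproduce and a screenshot are attached, per your disclosure policy.
No payment is expected; I just want to coordinate a fix and a disclosure date.
"""

if __name__ == "__main__":
    for name, msg in (("extortion", EXTORTION_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, score_extortion_email(msg))
```

The flagged BTC addresses can then be checked against the indicators already shared with a security vendor before anyone replies to the sender.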

Attached (Original phishing email):

It's more like an vulnerability which allows an attacker to crash the webserver of the following website. "Integer -overflow" related. The attack vector itself holds a huge security risk, when exploited, the webserver could crash due to it, and eventually be unreachable. The flaw has been done through exploitable web elements on your website.

Our proposal is based on information-security (infosec) regarding cybersecurity.

Confidentiality: assist infosec wisely to implement firewalls, intrusion detectors and prevention technologies to ensure reliable provided service. (not actual server access required.)

Availability: In order to ensure that I would have infosecurity on redundancy and backups, when/if one of the servers is down, the second server would replace it and ensure that the services are up and running without any downtime.

General knowledge => This type of attack as demonstred are based on exploiting website elements: these can include forms, direct webserver exploit, or DNS leaking for the actual backend server, which gives an malicious attacker multiple chances to work with.

We'd address the required knowledge needed to counter this type of threats.

These following items listed below are our main focuses what we will send reports to regarding, next to every "to be addressed" phase;

We have added in a short meaning on what does it include as can be seen.

• The audit process 1.1 Audit planning & preparation 1.2 Establishing audit objectives 1.3 Performing the review 1.4 Issuing the review report

• The audit System 2.1 Networking Security 2.2 Backend Installation / Security 2.3 API Audition 2.4 CDN + Anti malicious attacks protection 2.5 Code Audit: checking vulnerability in any PHP / ASP / JS code

Vouches by companies:

[Make sure to check the provided link for voucher.]

1. KuCoin => { https://i.imgur.com/y0AXMCn.jpg ]

2. CoinSwitch => https://i.imgur.com/l8D8g9p.jpg ]

CoinSwitch Contract example => https://i.imgur.com/P2hMNxD.jpg

3. Phantasma => https://i.imgur.com/y1QCOuL.jpg ]

4. PlatonFinance => https://i.imgur.com/189Ejdz.jpg ]

5. Vulnerability Analysis (just an example)

=> https://i.imgur.com/V0C19KZ.jpg

and many more.

6. STEX Exchange paid 3 BTC for our infosec and analysis: => https://m.imgur.com/18tAXah

7. Proof of Kucoin Payment to us: https://i.imgur.com/trBbVKP.jpg

8. XCOYNZ Project: https://i.imgur.com/UbUliaI.jpg

Proof of compensations: Different companies which some included be seen in multiple vouchers above, have rewarded me almost total of [$ 102,783.91 USD on 01/03/2019 rate for security related bounties, cybersecurity, demonstrations, and different VA reports.

Blockchain URL: => https://www.blockchain.com/btc/address/3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy

Pricing for the Infosec/Audit offered: => 2 BTC

To make it clear the price will be one-time payment and afterwards there won't be any charge. You can consult us further at anytime.
