
Hackers break into scam websites to hijack crypto transactions

In a perfect example of the lack of honor among thieves, a threat actor named Water Labbu hacks cryptocurrency scam sites to inject malicious JavaScript that steals money from the scammer’s victims.

In July, the FBI warned of scams involving ‘dApps’ (decentralized applications) that spoofed cryptocurrency liquidity mining services but actually stole the victims’ crypto investments.

Liquidity mining is when an investor lends their cryptocurrency to a decentralized exchange in exchange for high rewards, usually generated through trading fees.

However, instead of creating their own scam sites, Water Labbu hacks these types of fake dApps and injects JavaScript code into the site’s HTML.

Scam site infected with Water Labbu’s DApp (Trend Micro)

The hackers do not deal with the victims and instead leave all the work of social engineering to the fraudsters.

When an investor connects their wallet to a dApp, the Water Labbu script checks whether the wallet holds enough cryptocurrency to be worth targeting and, if so, tries to steal it using the methods described below.

According to analysts, Water Labbu hacked at least 45 scam websites, most of which follow the theme of the “Lossless Mining Liquidity Pledge.”

Trend Micro says the profits made by Water Labbu are estimated to be at least $316,728 based on transaction records from nine identified victims.

There is no honor among thieves

The parasitic threat actor identifies cryptocurrency scam websites and injects their dApps with malicious scripts that blend in with the site’s existing code.

“In one case we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using an ‘onerror’ event, in what is known as XSS avoidance, to bypass cross-site scripting (XSS) filters,” reads the Trend Micro report.

The injected payload then creates another script element that loads a second script from the delivery server “tmpmeta[.]com”.
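A defender-side check for the injection chain described in the two paragraphs above, as an added example that is not from the article or from the Trend Micro report: it scans a page’s HTML for `<img>` tags whose `onerror` handler decodes or evaluates Base64 JavaScript, and for `<script src>` tags pointing at the delivery host the report names (tmpmeta[.]com, written defanged). The sample HTML, the inert Base64 blob (it decodes to a comment) and the `loader.js` path are constructed for the example; the handler heuristics are this example’s own and are not Trend Micro’s detection logic.

```python
"""Scan page HTML for the Water Labbu-style injection pattern:
an <img> whose onerror handler decodes/evaluates Base64 JavaScript,
and <script src> tags pointing at a known payload delivery host."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the reporting as the second-stage delivery server.
KNOWN_DELIVERY_HOSTS = {"tmpmeta.com"}

# Event-handler constructs a site's own <img> tags have no business using:
# Base64 decoding, dynamic evaluation, or runtime <script> creation.
SUSPICIOUS_HANDLER = re.compile(
    r"atob\s*\(|eval\s*\(|Function\s*\(|createElement\s*\(\s*['\"]script"
    r"|appendChild|document\.write",
    re.IGNORECASE,
)
# Base64 literal passed to atob(), so the analyst can see what gets loaded.
B64_LITERAL = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def refang(url: str) -> str:
    """Turn the defanged form 'example[.]com' back into a parsable URL."""
    return url.replace("[.]", ".")


class InjectionScanner(HTMLParser):
    """Collects findings while walking the page's start tags."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and "onerror" in attrs:
            handler = attrs["onerror"]
            if SUSPICIOUS_HANDLER.search(handler):
                decoded = []
                for blob in B64_LITERAL.findall(handler):
                    try:
                        decoded.append(
                            base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                        )
                    except ValueError:  # binascii.Error is a ValueError
                        decoded.append("<undecodable>")
                self.findings.append({
                    "type": "img_onerror_loader",
                    "src": attrs.get("src", ""),
                    "handler": handler,
                    "decoded": decoded,
                })
        elif tag == "script" and attrs.get("src"):
            host = (urlparse(refang(attrs["src"])).hostname or "").lower()
            if host in KNOWN_DELIVERY_HOSTS:
                self.findings.append({
                    "type": "known_delivery_host",
                    "src": attrs["src"],
                    "host": host,
                })


def scan_html(html: str) -> list[dict]:
    """Return a list of findings (empty when nothing suspicious is seen)."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimate logo <img>, an injected <img> whose
# onerror handler evaluates an inert Base64 blob, and a loader fetched from
# the defanged delivery host. The /loader.js path is made up for the example.
INERT_BLOB = base64.b64encode(b"// placeholder payload").decode()
SAMPLE_HTML = f"""
<html><body>
<h1>Lossless Mining Liquidity Pledge</h1>
<img src="logo.png" alt="site logo">
<img src="x" onerror="eval(atob('{INERT_BLOB}'))">
<script src="https://tmpmeta[.]com/loader.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

A benign `onerror` such as `this.style.display='none'` produces no finding, so the scanner can run over a whole site without flagging every fallback image handler; only handlers that decode, evaluate or inject scripts are reported, together with the decoded Base64 so the loaded code can be reviewed.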

The script monitors newly connected wallets on scam sites and retrieves the addresses and balances of TetherUSD and Ethereum wallets.

Scenario collecting connected wallet balances (Trend Micro)

If the balance is above 0.005 ETH or $22,000, Water Labbu considers the target worthwhile, and the script then determines whether the victim is using Windows or a mobile operating system (Android or iOS).

If the victim is on a mobile device, the Water Labbu script sends a transaction approval request through the dApp, so it appears to come from the fraudulent website itself.

If the victim approves the transaction, the malicious script drains the funds from the wallet and sends them to an address controlled by Water Labbu.

Malicious transaction request (Trend Micro)

For Windows users, hacked sites instead display a fake Flash Player update notification overlaid on the scam site. The Flash installer is actually a backdoor fetched directly from GitHub.

The threat actors then use this backdoor to steal cryptocurrency wallets and cookies from the device.

Water Labbu attack scheme (Trend Micro)

Cheated twice

For victims, the outcome is the same: they lose all their cryptocurrency.

The only thing that has changed with this attack is the transfer of the victim’s digital assets from the original scammer to the Water Labbu hacking group.

To avoid these types of scams, always research dApp sites, especially liquidity mining platforms, to determine whether they are legitimate before connecting your wallet to them.

Also, periodically review the allowed sites in your wallet to ensure that you have not inadvertently added a fraudulent site.

Finally, never jump into investing with strangers you meet on social media, as they usually lead to scams, and avoid trading cryptocurrencies on unknown exchanges.
