Multiple exchanges were attacked by mail phishing, BTC worth over $400,000 or stolen

According to the slow fog technology news, recently, several digital currency exchanges reported to the slow fog security team that they received extortion information .

The blackmailer sends a message to the exchange or a Telegram message stating that the exchange has a vulnerability that, once attacked, will result in the platform being unable to be opened. To get a vulnerability report, you need to pay BTC to the specified address . However, after multiple exchanges indicated that they paid BTC, the other party only sent a preliminary vulnerability report or no response.

The slow fog partner and security chief One Piece told Babbitt,

“There are currently five exchanges that have reflected this to us. The blackmailers use different mailboxes or Telegram IDs to send extortion emails to the relevant person in charge of the exchange, ranging from 0.1BTC to 2BTC , and using Is a different BTC address."

As of press time, according to incomplete statistics, the blackmail ID of the blackmailer is @zed1331 , @bbz12 , @samzzcyber , the mailbox has mikemich@protonmail.com , the BTC address is 3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy , and the address is accounted for about 43.45 BTC (about 404,100 US dollars). As shown below.

WX20190618-131749

Screenshot from Blockchain.com

1

One Piece provided the original text of the fraudulent mail to Babbitt (as shown in the appendix at the end of the article). The mail said that “the exchange exists in the 'Web service integer overflow' vulnerability . Once attacked, the web server will crash and eventually cannot be accessed…. We can solve this kind of vulnerability problem… To get the vulnerability report, we need to pay 2 BTCs to the specified address."

It is worth noting that the email also stated that “As of March 1, 2019, a reward of approximately US$100,000 has been received. The rewards include KuCoin , CoinSwitch, Phantasma, PlatonFinance, Vulnerability Analysis, STEX Exchange, XCOYNZ Project. Wait."

One Piece revealed to Babbitt that after contacting the relevant person in charge of the KuCoin exchange, the person in charge said that there is indeed a Telegram user reflecting the loophole problem (as shown below), but KuCoin did not pay the 2BTC bounty, reminding everyone not to believe the liar.

Unnamed file Screenshot provided by KuCoin related person in charge

There is also a phishing email related to Linkedin, which is roughly as follows:

Hey, We have found a nefty integer overflow vulnerability on >> https://www.xxx.com

Attacker could alter webserver. I have experience working to upgrade security for large exchanges,like xxx, and would like to propose about this.

May we go on to demonstrate this vuln?

You can verify me as an security researcher on LinkedIn as follows: => https://www.linkedin.com/in/xxxxx/

One Piece analysis said,

"The email contains a Linkedin link, because you need to log in to your personal account on the Linkedin platform to view your personal information, so when the exchange staff logs in to their Linkedin account to view the Linkedin account information of the person who submitted the vulnerability (probably a phishing attacker) The attacker can also view information about the exchange staff to get additional information about their social platform."

2

In recent years, the amount of funds in the digital currency market has exploded, and security risks dominated by trading market manipulation risks, trading platform risks, fraud risks, and wallet risks are not uncommon.

In addition to the above-mentioned mail phishing attacks, other types of phishing attacks include domain phishing (using a website similar to the official website), Twitter 1 for 10 (paying 0.5-10 ETH rebate 5-100 ETH), fake APP and fake staff.

The so-called "phishing attack" refers to an attacker pretending to be a trusted person or institution to obtain private information such as the user name, password, and private key of the recipient through email, communication software, social media, and the like.

One Piece believes that in the case of the mail phishing attack, some of the exchanges were deceived mainly because the exchange lacked the professional security vulnerability judgment ability , and the information isolation caused it to fail to make an accurate judgment on the overall situation of the current vulnerability. He says,

"For the exchange, regardless of whether the other party has actually discovered the loophole, as long as the price is right, they are willing to spend money to gamble. If the gambling is right, then the exchange can be less exposed to the public relations crisis of the vulnerability, or less The possibility of a platform being attacked; if the gambling is lost, there are not many losses that can be tolerated. The scammers use the psychology of the exchange."

For the exchange that first encountered a phishing attack, he suggested that

"First, don't open any links or files in the content sent by the attacker with an excitement. There may be a Trojan virus. Second, don't transfer it to the attacker BTC until the attacker has not exactly told the details of the vulnerability. Finally, if there is an exchange Can not accurately judge and deal with it alone, you can contact the security company for assistance."

Attached (fishing mail original):

It's more like an vulnerability which allows an attacker to crash the webserver of the following website. "Integer -overflow" related. The attack vector itself holds a huge security risk, when exploited, the webserver could crash due to it, and eventually be unreachable The flaw has been done through exploitable web elements on your website.

Our proposal is based on information-security (infosec) regarding cybersecurity.

Confidentiality: assist infosec wisely to implement firewalls, intrusion detectors and prevention technologies to ensure reliable provided service. (not actual server access required.)

Availability: In order to ensure that I would have infosecurity on redundancy and backups, when/if one of the servers is down, the second server would replace it and ensure that the services are up and running without any downtime.

General knowledge => This type of attack as demonstraded are based on exploiting website elements: these can include forms, direct webserver exploit, or DNS leaking for the actual backend server, which gives an malicious attacker multiple chances to work with.

We'd address the required knowledge needed to counter this type of threats.

The following items listed below are our main focuses what we will send reports to regarding, next to every "to be addressed" phase;

We have added in a short meaning on what does it include as can be seen.

• The audit process 1.1 Audit planning & preparation 1.2 Establishing audit objectives 1.3 Performing the review 1.4 Issuing the review report

• The audit System 2.1 Networking Security 2.2 Backend Installation / Security 2.3 API Audition 2.4 CDN + Anti malicious attacks protection 2.5 Code Audit: checking vulnerability in any PHP / ASP / JS code

Vouches by companies:

[Make sure to check the provided link for vouch.]

1. KuCoin => { https://i.imgur.com/y0AXMCn.jpg ]

2. CoinSwitch => https://i.imgur.com/l8D8g9p.jpg ]

CoinSwitch Contract example => https://i.imgur.com/P2hMNxD.jpg

3. Phantasma => https://i.imgur.com/y1QCOuL.jpg ]

4. PlatonFinance => https://i.imgur.com/189Ejdz.jpg ]

5. Vulnerability Analysis (just an example)

=> https://i.imgur.com/V0C19KZ.jpg

And many more.

6. STEX Exchange paid 3 BTC for our infosec and analysis: => https://m.imgur.com/18tAXah

7. Proof of Kucoin Payment to us: https://i.imgur.com/trBbVKP.jpg

8. XCOYNZ Project: https://i.imgur.com/UbUliaI.jpg

Proof of compensations: Different companies which some included be seen in multiple vouches above, have rewarded me almost total of [$102,783.91 USD on 01/03/2019 rate for security related bounties, cybersecurity, demonstrations, and different VA reports.

Blockchain URL: => https://www.blockchain.com/btc/address/3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy

Pricing for the Infosec/Audit offered: => 2 BTC

To make it clear the price will be one-time payment and afterwards there won't be any charge. You can consult us further at anytime.