Anatomy of Cryptophishing – Hydro Project

Cross-posted to “AdventuresInCyberSecurity.com” and “BecomeACyberSecurity.Expert”

[Image]

Logo is stolen from the real Hydro Protocol folks.

I get some interesting emails, and in particular, some interesting phishing emails. Most of them are quite poor, and fairly easy to spot, and the people constructing them don’t go through a lot of effort.

I received one today that was much more interesting — the perpetrators have gone to some effort to make their scam work.

It consists of three parts: the email, the Medium article, and the “Hydro Wallet”. All are fairly convincing. The Hydro Wallet even has an interesting little twist which I’ll detail below.

The first piece is the email:

[Screenshot]

Page 1 of the email.

Note the “noreply@taxijetci” from address. I received another with the return of “noreply@soul-sister”.

[Screenshot]

Page 2 of the email.

One thing the phishers did well in this email is to use standard mail tracking software (Mandrill App), which is what you’d normally get in any marketing email, and so my mail programme (MailMate) did not set off any alarms. When links are suspicious and/or don’t go to where they purport to go, MailMate will highlight the address in red at the bottom of the screen, indicating at the very minimum that the link is suspicious.

Once you click the link, it takes you to a Medium article on the supposed Hydro Protocol:

[Screenshot]

Page 1 of the “Hydro Protocol” Medium article. Note that it says “blog.hydroproject. co” at the top.

(Yes, I keep open a lot of tabs. This is even just one of five browsers, all of which are similar. I use Tab Suspender so they don’t take up RAM.)

[Screenshot]

Page 2 of the “Hydro Protocol” Medium article.

[Screenshot]

Page 3 of the “Hydro Protocol” Medium article.

Note the seeming legitimacy of everything so far. A marketing email like everyone gets dozens of times per day leads to an actual Medium article that in itself is not suspicious. It is ‘legitimately’ posted on Medium – and has 231 “claps” – and you’d have to be really sharp to look for the “project” part in the address bar. Clicking on any of the links except the first two in the numbered list takes you to the legitimate Hydro Protocol Medium site. Click those two links, however, and you’re brought to hydroproject .co.
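The two things a mail client can catch here are the ones MailMate looks for (link text that names one host while the href goes to another, or through a click-tracking redirector) and the one the address bar hides in plain sight (a host one or two words away from the brand's real domain, “hydroproject.co” against “hydroprotocol.co”). The script below is an added example, not code from the post or from any mail client; LEGIT_DOMAINS, TRACKER_HOSTS and SAMPLE_EMAIL are constructed for it, and the threshold in lookalike_of is a rule of thumb, not a standard.

```python
# Added example, not code from the post: two checks a mail client or gateway
# can run over an e-mail's links, (1) the visible link text names one host but
# the href goes to another, or through a click-tracking redirector that hides
# the destination, and (2) the destination host is a near-miss of a domain the
# brand really uses ('hydroproject.co' vs 'hydroprotocol.co').
# LEGIT_DOMAINS, TRACKER_HOSTS and SAMPLE_EMAIL are constructed for the example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"hydroprotocol.co", "medium.com"}   # constructed allow-list
TRACKER_HOSTS = {"mandrillapp.com"}                   # constructed: click-tracking redirectors
URLISH = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'brand.tld' reduction: blog.hydroproject.co -> hydroproject.co."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance; hostnames are short, so the plain O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the legitimate domain `host` imitates, or None if it is exact or unrelated."""
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        same_tld = dom.rsplit(".", 1)[-1] == legit.rsplit(".", 1)[-1]
        # Rule of thumb: allow about one edit per four characters.
        # 'hydroproject.co' is four edits from 'hydroprotocol.co', same TLD.
        if same_tld and edit_distance(dom, legit) <= max(2, len(legit) // 4):
            return legit
    return None


def audit_links(html):
    """Return (href, reason) pairs for every link worth highlighting in red."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) in TRACKER_HOSTS:
            findings.append((href, "click-tracking redirect hides the real destination"))
        elif URLISH.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append((href, f"text shows {shown} but link goes to {host}"))
        imitated = lookalike_of(host)
        if imitated:
            findings.append((href, f"{host} is a lookalike of {imitated}"))
    return findings


# Constructed sample body; the tracker path is a placeholder, not a real link.
SAMPLE_EMAIL = """
<p>Read the announcement: <a href="https://mandrillapp.com/track/EXAMPLE">blog.hydroprotocol.co</a></p>
<p>Claim your tokens: <a href="https://hydroproject.co/wallet">hydroprotocol.co</a></p>
<p>Unsubscribe <a href="https://hydroprotocol.co/unsubscribe">here</a></p>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Run against the sample body it reports the tracked link (destination unknown until followed), the “Claim your tokens” link twice (text and href disagree, and the href host is a lookalike) and nothing for the genuine unsubscribe link. The tracker case is the interesting one: a redirector is not itself evidence of phishing, which is exactly why the phishers used one, so a client can only flag it as “unknown destination” rather than “bad”.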

I was still connected to Zscaler Internet Access when I went there the first time. Zscaler picked up on the security threat:

[Screenshot]

The TLS isn’t to be trusted.

Disabling Zscaler Internet Access (I wouldn’t have been able to access anything on the site otherwise) so I could probe further is where the fun begins. The site itself is fairly impressive – it uses a modern Web 2.0 feel, contains pictures of the real Hydro Protocol team, links to various things, and overall looks exactly like what you’d expect from a new crypto team creating a new project. (Side note: some existing real projects could learn a thing or two here about how to present a particular technology.) You can give the phishers your email address (I gave a particular one so I can track what spam comes from there in the future):

[Screenshot]

I used a unique email address (though not the one in the screenshot).

It’s worth noting it asks for an Ethereum address (ostensibly one with Ethereum in it) but you can put in any address. I used one I randomly found on Etherscan for the screenshot (which has no funds) and for the fake registration I used the Ethereum address of a popular exchange.

After you register, you don’t get any confirmation email or attempts to verify that the email is legitimate. That’s another indication the site is shady.

Once in, you’re greeted with a “setup” screen that has two parts:

[Screenshot]

This is all actually generally good advice.

Note the line: “If you send your private key to someone, they now have full control of your account.”

[Screenshot]

This is where the trap is set. It’s the list of instructions at this part of the setup that will get people in trouble.

Once you’re into the “Hydro Wallet” you’re presented with a fairly reasonable screen that shows transactions that you’ll recognise if you’d used your own address:

[Screenshot]

These are legitimate transactions for this address. (This is a contract address, which means they make no attempt to check the address type, but then they wouldn’t.) They’re pulling the information directly from something like Etherscan, so the transactions would be seen by the user and they would recognise them.

Clicking on the “Claim HYD Tokens” is the actual trap:

[Screenshot]

Note that they give you three handy ways to lose your money!

In the “Claim HYD Tokens” dropdown, you can provide the phishers with your Private Key, your Mnemonic Phrase, or your UTC / JSON file (the latter being more used by web wallets like “My Ether Wallet”). Note that you were forewarned during the ‘set up’ not to actually provide this information!

[Screenshot]

Choose this if you want to lose your money with your Private Key.

[Screenshot]

Choose this if you want to type in your mnemonic phrase to lose your money.

[Screenshot]

You can also drag & drop to lose your money!

I chose the passphrase method to investigate further. Obviously I wasn’t going to use a legitimate passphrase, but making up twelve random words wasn’t particularly taxing. (Whereas generating a private key or UTC/JSON file would have been more work. 😉 ) They of course have all the popular wallets so when they set it up on the backend, they know exactly which wallet to use to steal your crypto.

After coming up with twelve random words, I typed them in:

[Screenshot]

Note that you can optionally provide them your password as well!

[Screenshot]

They start enumerating all the possible addresses associated with that mnemonic – very quickly.

After that, they start scanning for balances, or (I’d have to use a legitimate passphrase to determine this) they might be zeroing them out; it’s difficult to tell without using something that actually has money in it.

[Screenshot]

From the screenshot above where it says “Please wait” to this is actually REALLY quick – I had great difficulty getting the “Please Wait” and had to settle for a fullscreen screenshot.

Suffice it to say that if you get this far, your crypto is gone. You’ll not only lose all your Ethereum, you’ll lose every single ERC-20 token that you have as well.
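Why the form bothers asking for the optional “password” as well as the twelve words, and why the enumeration can run straight from the words: under BIP39 every address a wallet shows is derived from one 64-byte seed, PBKDF2-HMAC-SHA512 over the mnemonic with the salt “mnemonic” plus the passphrase, and BIP32 turns that seed into the master key with HMAC-SHA512 keyed on “Bitcoin seed”. The same words with a different passphrase reach an unrelated master key, so a wallet that was created with a passphrase is not emptied by the words alone. The snippet below is an added example (standard-library Python, not code from the post or from any wallet); the twelve words in it are a constructed throw-away, like the random ones typed into the form above.

```python
# Added example, not code from the post.  BIP39 seed derivation and the BIP32
# master key, to show that the optional passphrase is part of the wallet secret:
#   seed   = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes)
#   master = HMAC-SHA512(key=b"Bitcoin seed", seed) -> (private key, chain code)
# The mnemonic below is a constructed throw-away that holds nothing.
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP39 seed for a mnemonic and optional passphrase."""
    # BIP39: NFKD-normalise both inputs, single spaces between words,
    # salt = "mnemonic" + passphrase, 2048 iterations of HMAC-SHA512.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, 64)


def bip32_master(seed: bytes) -> tuple:
    """Return (master private key, chain code) per BIP32."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def same_wallet(words_a: str, pass_a: str, words_b: str, pass_b: str) -> bool:
    """True when both inputs reach the same master key, and so the same addresses."""
    key_a, _ = bip32_master(bip39_seed(words_a, pass_a))
    key_b, _ = bip32_master(bip39_seed(words_b, pass_b))
    return hmac.compare_digest(key_a, key_b)


# Constructed throw-away words: never produced by a wallet, never funded.
THROWAWAY = "river candle orbit silver maple pencil summer galaxy walnut cabin violet ember"

if __name__ == "__main__":
    print("same words, no passphrase  :", same_wallet(THROWAWAY, "", THROWAWAY, ""))
    print("same words, passphrase set :", same_wallet(THROWAWAY, "", THROWAWAY, "correct horse"))
    print("master key (hex, first 8)  :", bip32_master(bip39_seed(THROWAWAY))[0][:8].hex())
```

Two consequences follow from the derivation. First, it is deterministic, which is why the site can list candidate addresses “very quickly”: with the words in hand it just walks the derivation paths the popular wallets use. Second, every ERC-20 balance hangs off those same addresses, so the words alone give away all of them at once; only a passphrase the phishers were not given keeps a wallet out of reach, and the form's extra “password” field exists to close that gap.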

What makes this particularly effective if you’re not paying attention are the following:

  1. The marketing email went to a legitimate email address. It’s one I’ve associated with crypto in the past. Thankfully, since I use a separate email address for literally everything (catchalls are great) I knew not to expect such an email from the organisation that purportedly sent me the email.
  2. The email itself seems like a legitimate email with proper tracking and redirection technology.
  3. It redirects to a seemingly legitimate Medium article first, copying a practice the actual organisation they’re spoofing uses.
  4. The links on that Medium article, when clicked, all lead to the actual project, with the exception of only two.
  5. The phishing site’s initial pages are virtually identical to the real thing, and they use a “.co” address exactly like the real thing – the only difference is “protocol” for the legitimate one and “project” for the phishing site.
  6. When you get into the “Web Wallet” (an experience that would be familiar to crypto noobs) they present you with transactions you would recognise as your own if you use your own address.
  7. The biggest factor is of course greed. There are quite legitimate forks of cryptocurrency technology, as well as legitimate airdrops. They position this as an airdrop (free tokens!) and then tell you in the email it only lasts three days. That preys directly on the fear of missing out – FOMO.

If I’ve time, I’m going to see what happens when you use an address that actually has money in it – how quick that money goes. Obviously I won’t use a lot, but I think it would be interesting to see what the actual process is from this point, and where the money ends up. I’ll also be hopefully working with some folks to try and get this shut down. It’s worth noting the actual Hydro team already knows about it and has a pinned tweet to the top of their Twitter indicating they are never forking anything and that people should be aware of phishing attempts.

[Image]

The actual Hydro Protocol folks are aware and warning people.

As always, please take care on the internet. Crypto forks and airdrops are common, but one must be careful!