AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Lightshot online10/31/2023 ![]() Therefore, it can be concluded that many victims have fallen for this scam. The wallets’ addresses contained in the websites are the following: CurrencyĠx9fde7bd79830b7c6df049c9b6fcf6f04f7c9e62bĠx90D51665164baf6eCF29cDAcDC9390FB7660bb0cĪs of the time of writing, they have up to dozens of transactions for a total of around 0.2384 BTC and 1 ETH. Note that the URL contains one of the websites mentioned above. This page is the same used in some of the other websites. For instance, this is the page that appears when navigating to 134: Two of the four IPs show some connections with the fake websites. Two of the three favicons have the following matches: Their MurmurHash values have been calculated and searched for on Shodan: in this way new, different IPs using the same favicon were discovered. The websites discussed above use three different favicons. Following is a snippet of the part shown when chosing to withdraw BTC:Īs can be seen, everything is hardcoded and simply aims at having the user pay the fee. The ones with the first template contain a plaintext JS script in the HTML source code that generates the confirmation request. ![]() The websites’ malicious intents are visibile through their source code. When trying to withdraw money, the websites prompts the user to confirm the request by sending a small fee to an address controlled by the actors. It looks like the only thing that can be done is logging in with the fake account: even then, the only available working operation seems to be withdrawing cryptocurrencies.Įxample of a profile page on a different fake website: there is no possibility to signup, some links are not leading anywhere, and contact information are made up. Although at first glance they appear to be legitimate, a closer look reveals that their functionality is somewhat broken, e.g. However, the websites are thought to use other bitcoin exchanges’ parts: in fact, they appear as if they are up-to-date, full-fledged and complete modern websites with dashboards, legal information and “About us” pages. Searching on urlscan for the favicons’ hashes show that the first template is partially copied by cex.io, a legitimate bitcoin exchange. The actor employs two different websites templates: one is used by crypto-wallet-btc, sell-buy-btc, sellbuy-btc and bit-trading, while the other one is used by crypto-trade24, btc-ex and bit-trade. For instance, the websites sell-buy-btconline and bit-tradingonline, small variations of the domains above, are hosting the same fake sites. Searching for similar websites on urlscan yields some results, suggesting that there may be many others. Their WHOIS information show no common signs, other than the fact that they are all relatively new domains, registered a few weeks to some months ago. Some examples are reported below.Ī total of five different fake websites has been discovered: The images range from fake gmail screenshots of a password reset notification with cleartext credentials, to notepad++ screenshots, up to even handwritten notes. The URL can be easily changed to view other screenshots, and while doing so one can quickly notice a pattern consisting of several images of login information to websites related to bitcoins. Once taken, the screenshot can be uploaded to prnt.sc with a unique URL. ![]() Lightshot comes as an executable that installs itself as a service and waits for the user to press the PrintScreen button. Following is a more detailed explanation of the scam’s mechanisms. The core idea is that people bruteforcing the website’s URLs are going to find and log into these fake exchanges and try to withdraw the money, but in order to do that they must first give some money to the actors. These websites are fake and contain no functionality other than asking for a small fee to confirm cryptocurrency withdrawals. Considering the lack of access controls and the predictability of the URI, other people’s screenshots can be easily viewed by bruteforcing the URL.Īn unkown actor is uploading several images containing login information to bitcoin exchange websites, with accounts that appear to have some balance. Lightshot is a screenshot capturing program that allows screenshots to be uploaded to a web-based service hosted on prnt.sc, in order for them to be easily shared: their URI is composed of a seemingly random seven characters alphanumeric string, e.g.: prnt.sc/12abcdef. A type of scam regarding the abuse of the online screenshots sharing service Lightshot has been identified in the wild.
0 Comments
Read More
Leave a Reply. |