Double check if your Bitcoin/Ethereum wallet is exposed online, crooks are running massive Internet scans

Pierluigi Paganini November 24, 2017

Security experts are observing numerous massive scans going on for Bitcoin and Ethereum wallets in order to steal their funds.

The continuing increase of both Bitcoin and Ethereum price is attracting crooks  that are spending a lot of efforts in the attempt to steal funds stored in the wallets used for these two cryptocurrencies.

Security researchers worldwide are observing an intensification of mass Internet scanning campaigns thanks the honeypots they set up to monitor the online threats.

The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000 (Consider that the Bitcoin’s price was roughly $200 just two years ago).

The researcher observed a huge number of requests to his honeypot to retrieve Bitcoin wallet files:
wallet – Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip
Accessing to such archives will allow cyber criminals to steal the victims’ funds.

“I’ve seen a couple of such requests a couple of years ago, but it’s the first time I see that many,” Stevens wrote in a short post on the SANS Institute. “The first time I observed this was late 2013, in the middle of the first big BTC price rally.”

Bitcoin Ethereum wallet scans

Of course, the crooks are exploring the possibility to target also other cryptocurrencies, such as the Ethereum. Very interesting the analysis proposed by Bleepingcomputer.com that reported the discovery made by the researcher Dimitrios Slamaris.

The security expert reported Internet wide Ethereum JSON-RPC scans.

The expert caught a JSON RPC call in his honeypot, someone was making requests to the JSON-RPC interface of Ethereum nodes that should be only exposed locally.

The access to the interface does implements any authentication mechanism and wallet apps installed on the PC can send command to the Ethereum client to manage funds.

It the interface is exposed inline, attackers can send requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet.

Below the sequence of requests discovered by Slamaris:

“After I noticed that these are RPC calls to the Ethereum JSON API I implemented one valid response after another and managed to capture a full Ethereum robbery, which consist basically (to the best of my knowledge) of commands in the following order:”

  • get information about block number 1 via eth_getBlockByNumber
  • get managed accounts via eth_accounts
  • get client version via web3_clientVersion
  • get the current balance of the previously received account: eth_getBalance
  • steal the gas via eth_sendTransaction from the previously received account”

Early November, Slamaris uncovered another massive scan that allowed the attacker to steal 8 Ethers (about $3,200 at current exchange).

Slamaris teamed with SANS Internet Storm Center expert Johannes Ullrich also uncovered a second campaign that took place this week, they discovered two IP addresses are scanning specifically hard using these requests:
  • 216.158.238.186 – Interserver Inc. (a New Jersey hosting company)
  • 46.166.148.120 – NFOrce Entertainment BV (Durch hosting company)

“If you are using Ethereum, and if you are running an Ethereum node, then please make sure the node is not listening to inbound queries. As far as I can tell, these requests are simple HTTP requests, they are not protected by same-origin policy and can easily be issued via Javascript.” states the post published by the SANS Institute.

Users running Ethereum nodes that necessarily need to have Internet access should disable the JSON-RPC interface’s inbound queries or proxy requests via a server to filter only approved clients.

“It would be trivial to have Javascript look for a node on the host connecting to a web server, even if the host is behind NAT. Probably because investors in cryptocurrencies are used to taking risks, the JSON RPC interface does not provide for authentication. Instead, if you do want to use any form of authentication, you have to proxy the queries via a server like Nginx that is then able to filter and authenticate requests.”

What will happen in the next months?

No doubts, crooks will continue to scan the Internet for wallet accidentally exposed online.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cryptocurrencies, Ethereum wallet)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment