Security experts are observing numerous massive scans going on for Bitcoin and Ethereum wallets in order to steal their funds.
The continuing increase of both Bitcoin and Ethereum price is attracting crooks that are spending a lot of efforts in the attempt to steal funds stored in the wallets used for these two cryptocurrencies.
Security researchers worldwide are observing an intensification of mass Internet scanning campaigns thanks the honeypots they set up to monitor the online threats.
The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000 (Consider that the Bitcoin’s price was roughly $200 just two years ago).
“I’ve seen a couple of such requests a couple of years ago, but it’s the first time I see that many,” Stevens wrote in a short post on the SANS Institute. “The first time I observed this was late 2013, in the middle of the first big BTC price rally.”
Of course, the crooks are exploring the possibility to target also other cryptocurrencies, such as the Ethereum. Very interesting the analysis proposed by Bleepingcomputer.com that reported the discovery made by the researcher Dimitrios Slamaris.
The security expert reported Internet wide Ethereum JSON-RPC scans.
The expert caught a JSON RPC call in his honeypot, someone was making requests to the JSON-RPC interface of Ethereum nodes that should be only exposed locally.
The access to the interface does implements any authentication mechanism and wallet apps installed on the PC can send command to the Ethereum client to manage funds.
It the interface is exposed inline, attackers can send requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet.
Below the sequence of requests discovered by Slamaris:
“After I noticed that these are RPC calls to the Ethereum JSON API I implemented one valid response after another and managed to capture a full Ethereum robbery, which consist basically (to the best of my knowledge) of commands in the following order:”
- get information about block number 1 via eth_getBlockByNumber
- get managed accounts via eth_accounts
- get client version via web3_clientVersion
- get the current balance of the previously received account: eth_getBalance
- steal the gas via eth_sendTransaction from the previously received account”
Bot trying to steal Ethers from my honeypot, after enumerating "my" accounts, getting the balance and m client version! pic.twitter.com/8x9JBHs2aD
— Dimitrios Slamaris (@dim0x69) November 7, 2017
Early November, Slamaris uncovered another massive scan that allowed the attacker to steal 8 Ethers (about $3,200 at current exchange).
- 188.8.131.52 – Interserver Inc. (a New Jersey hosting company)
- 184.108.40.206 – NFOrce Entertainment BV (Durch hosting company)
Users running Ethereum nodes that necessarily need to have Internet access should disable the JSON-RPC interface’s inbound queries or proxy requests via a server to filter only approved clients.
What will happen in the next months?
No doubts, crooks will continue to scan the Internet for wallet accidentally exposed online.