Cryptocurrency’s rising fame and diverse storage methods expand the arsenal of tools used by threat actors chasing digital assets and funds.
The threat actors adapt their techniques and mimic legit sites based on target protection and potential theft size.
There are two email attack methods that target the top cryptocurrency storage approaches, and here below, we have mentioned them:-
- Hot wallets
- Cold wallets
Cybersecurity researchers at Kaspersky Lab recently discovered that threat actors are actively targeting cold wallets via crypto phishing attacks to steal funds.
Targeting Hot and Cold wallet
The hot wallet is a type of cryptocurrency wallet and this wallet constantly remains connected to the internet with unrestricted internet access.
Whereas a cold wallet (aka Cold storage) is an offline storage option, such as a dedicated device or a private key written on paper, that lacks constant internet connectivity.
The popularity of Hot wallets derives from their simplicity in creation and the convenience of two key elements:-
- Easy fund withdrawal
- Easy fund conversion
Due to their constant online accessibility and easy conveniences, large amounts are rarely stored in these wallets.
With minimal incentive to invest significantly, cybercriminals rarely employ original or complicated techniques in email attacks on hot wallets.
Phishing scams targeting hot wallet users often employ emails from reputable crypto exchanges, urging them to confirm transactions or verify their wallets.
Attackers Targeting the Hot Wallet
The seed phrase grants access to the account and enables transactions, so losing or exposing the seed phrase means permanent loss of the wallet, as it cannot be altered or retrieved.
Entering the seed phrase on a fraudulent webpage grants attackers the ability to transfer all funds to their own addresses since the seed phrase will give the attackers complete wallet access.
While in this case, the Cold wallets remain offline and lack remote access, which leads users to store significant amounts of funds. Since hardware wallets are invincible without theft or physical access.
In an email campaign targeting cold wallets, users receive an email masquerading as a Ripple cryptocurrency exchange, inviting them to participate in an XRP token giveaway.
Clicking the link leads users to a blog page displaying a post outlining the “giveaway” rules, with a direct registration link included.
Separating from regular hot wallet attacks, the scam employs an immersive blog post rather than a phishing link.
The attackers mimic Ripple’s website with high details for creating a pure matching domain, employing a Punycode phishing attack. While further examination reveals a Unicode character replacing the letter “r”:-
- https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/
Users are prompted to connect to the following WebSocket address, upon clicking the link in the “blog” to the Ripple page that is fake:-
- wss://s2.ripple.com
The user is prompted to input their XRP account address, and the site presents authentication options, including selecting Trezor.
Choosing Trezor redirects to trezor.io, enabling device connection via Trezor Connect API for simplified transactions.
Scammers aim to lure victims to their sites and withdraw funds from their accounts.
Threat actors think tougher loot means bigger, and that’s why they use advanced tactics on supposedly secure hardware wallets, not like the ones for online crypto storage users.
“AI-based email security measures Protect your business From Email Threats!” – .
