Malware that steals clipboard data of Crypto Wallets
Malware that steals clipboard data is constantly evolving, and researchers recently identified a new variation that comes with an intriguing new feature.
And regrettably I have had a few encounters with this virus, but we'll get to that in a second. This malware is simple but stealthy, and if you're not cautious it could cost you a lot of crypto. If you don't know what this sort of malware is, you absolutely should.
When you make a payment using cryptocurrency, you will usually copy the payment address and then paste it into your wallet. "Clipboard hijacking malware," in case you're not familiar with it, takes advantage of this common practice.
This kind of malicious software checks any information copied to your computer's clipboard against a list of regular expressions designed to match cryptocurrency wallet addresses.
If a match is found, it substitutes one of its own crypto addresses for the one you copied.
When you press "paste," you risk inadvertently sending your cryptocurrency to online fraudsters.
As I said before, I've had a handful of experiences with it, and it truly is one of the sneakiest types of malware currently around.
So, I operate an online shop called maltronics.com, where I offer a variety of pentesting equipment, and I accept payments in cryptocurrencies like Bitcoin and Litecoin.
There have been multiple occasions on which customers have emailed me saying they have paid for their purchase, yet the checkout page does not recognize that they have done so. In some cases, these customers have been quite angry.
In one instance, a customer reported to me, "I think there is something wrong with your Coinbase payment web page, when you click 'copy' the eth address, the address is different every time." This was an obvious indication that the customer's computer was infected, as the customer went on to list a number of addresses that had appeared on their clipboard each time they hit the copy button.
And by checking these addresses on Etherscan, you'll discover that they've received payments totaling thousands of dollars. There are even comments from individuals saying that they transferred their cryptocurrency to this address by accident, not realizing that their error was the result of malware.
And to add insult to injury, people are replying to these comments saying that if you get in touch with a certain email address, "they should be able to reverse your transaction." They charge for this service, which is of course just another scam; it appears that the same cyber criminals behind the malware are double dipping.
After you have pasted, check that the last few characters match the address you copied. If they do, you don't need to worry about "clipboard hijacking malware," which is a fairly simple threat to defend against.
This, however, is about to change as a result of a new piece of malware known as Laplas.
A subscription to this virus costs $59 per month and can be purchased on hacker forums. In exchange, cyber criminals get access to a web interface that allows them to generate executables, monitor their infections, and manage their cryptocurrency wallets.
However, it has a unique characteristic that has driven up demand for it among online criminals.
Laplas replaces wallet addresses with addresses that share the same last few characters as the original. This dramatically increases the likelihood that, even if you checked those last few characters, you wouldn't notice that it's a completely different address, which is a significant upgrade for online criminals.
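As an added, defensive example (not code from this post or from any product), here is a small Python clipboard-swap detector that covers both the regex matching described earlier and the last-few-characters check: it assumes standard-shape regexes for the three coins named above and uses constructed sample addresses to show why a last-four-characters check passes for a Laplas-style replacement while a full comparison does not.

```python
import re

# Shape-only regexes for the coins named in the post (assumed standard formats;
# no checksum validation, so they classify an address, they don't prove it valid).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text):
    """Return which coin's address shape `text` matches, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None

def clipboard_swap_alert(copied, pasted, suffix_len=4):
    """Compare what the user copied with what came out of the clipboard.
    Reports whether a swap happened and whether the 'check the last few
    characters' habit would have caught it."""
    copied, pasted = copied.strip(), pasted.strip()
    coin = address_type(copied)
    if coin is None or copied == pasted:
        return {"swapped": False, "coin": coin, "suffix_check_passes": True}
    return {
        "swapped": True,
        "coin": coin,
        "replacement_same_type": address_type(pasted) == coin,
        # A Laplas-style replacement is chosen so that this stays True.
        "suffix_check_passes": copied[-suffix_len:] == pasted[-suffix_len:],
    }

# Constructed sample values, not real wallets.
GENUINE_ETH = "0x" + "a1b2c3d4" * 5                # ends in ...c3d4
CLASSIC_SWAP = "0x" + "0123456789" * 4             # different ending, caught by suffix check
LAPLAS_SWAP = "0x" + "deadbeef" * 4 + "0000c3d4"   # same last four chars, not caught

if __name__ == "__main__":
    for name, pasted in [("unchanged", GENUINE_ETH), ("classic", CLASSIC_SWAP), ("laplas", LAPLAS_SWAP)]:
        print(name, clipboard_swap_alert(GENUINE_ETH, pasted))
```

A real monitor would feed `copied` from the moment the user hits copy and `pasted` from the current clipboard contents; the point is that only a full-string comparison catches the suffix-matched case.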
However, how the developers implemented this feature is still a bit of a mystery. For example, generating a bitcoin address that ends with a particular string could take a few seconds depending on the victim's hardware, which is potentially longer than it would take the victim to paste the address.
Therefore, it is plausible that the creators used a program such as vanitygen to precompute billions of wallet addresses and simply substitute them in when necessary.
Whatever the case may be, the next time you paste a cryptocurrency address, you may save yourself some money by quickly scanning over the whole thing.