Multiple Exchanges Hit by Email Phishing Attacks; BTC Worth Over US$400,000 May Have Been Stolen


According to SlowMist Technology, several digital-currency exchanges recently reported to the SlowMist security team that they had received extortion messages. The extortionists sent emails or Telegram messages to the exchanges claiming that the exchange had a vulnerability which, if exploited, would make the platform inaccessible, and that the vulnerability report could be obtained by paying BTC to a specified address. Several exchanges said that after they paid the BTC, the other party sent only a preliminary vulnerability report or did not respond at all.

Haizeiwang, SlowMist partner and head of security, told 8btc: “So far, five exchanges have reported this situation to us. The extortionists use different email accounts or Telegram IDs to send extortion emails to the exchanges' responsible staff, demanding amounts ranging from 0.1 BTC to 2 BTC, and using different BTC addresses.”

As of press time, according to incomplete statistics, the extortionists' Telegram IDs include @zed1331, @bbz12 and @samzzcyber, the email address is [email protected], and the BTC address is 3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy, which has received about 43.45 BTC (roughly US$404,100), as shown in the figure below.

Screenshot from Blockchain.com

Haizeiwang provided 8btc with the original text of the scam email (see the appendix at the end of this article). The email claims: “The exchange has a 'web service integer overflow' vulnerability; once attacked, the web server will crash and eventually become inaccessible... We can resolve this kind of vulnerability... To obtain the vulnerability report, pay 2 BTC to the specified address.”

Notably, the email also states: “As of March 1, 2019, approximately US$100,000 in bounties has been received, from organizations including KuCoin, CoinSwitch, Phantasma, PlatonFinance, Vulnerability Analysis, STEX Exchange and the XCOYNZ Project.”

Haizeiwang told 8btc that after contacting the responsible staff at KuCoin, they confirmed that a Telegram user had indeed reported a vulnerability (see the figure below), but KuCoin did not pay the 2 BTC bounty, and they reminded everyone not to trust the scammers.

Screenshot provided by KuCoin staff

There is also a type of phishing email involving LinkedIn, which reads roughly as follows:

Hey, We have found a nifty integer overflow vulnerability on => https://www.xxx.com

Attacker could alter webserver. I have experience working to upgrade security for large exchanges, like xxx, and would like to propose about this.

May we go on to demonstrate this vuln?

You can verify me as a security researcher on LinkedIn as follows: => https://www.linkedin.com/in/xxxxx/

Haizeiwang's analysis: “The email contains a LinkedIn link. Because LinkedIn requires you to log in to a personal account to view profile information, when exchange staff log in to their own LinkedIn account to check the profile of the person submitting the vulnerability (possibly the phishing attacker), the attacker can also see the exchange employee's information, and from there obtain further details from their other social platforms.”

In recent years the amount of capital in the digital-currency market has exploded, and security risks, chiefly market manipulation, trading-platform risk, fraud and wallet risk, have become commonplace.

Besides the email phishing described above, other types of phishing include domain phishing (using URLs that resemble the official site), Twitter “1 for 10” scams (pay 0.5–10 ETH to receive 5–100 ETH back), fake apps and fake support staff.

A “phishing attack” is one in which the attacker impersonates a trusted person or organization and uses email, messaging software, social media or similar channels to obtain the recipient's username, password, private keys or other confidential information.

Haizeiwang believes that the exchanges that fell for this email phishing campaign did so mainly because they lack the professional ability to assess security vulnerabilities, and because information silos prevent them from accurately judging the overall picture of a reported vulnerability. He said:

“For an exchange, regardless of whether the other party has really found a vulnerability, as long as the price is right they are willing to pay and take the gamble. If the gamble pays off, the exchange avoids one PR crisis from a disclosed vulnerability, or one possible attack on the platform; if it loses, the loss is small and bearable. The scammers exploit exactly this mindset.”

For exchanges encountering a phishing attack for the first time, he advises:

“First, do not get excited and open any link or file in the content the attacker sends, as it may contain a trojan; second, do not transfer BTC to the attacker before they have provided concrete vulnerability details; finally, if an exchange cannot accurately assess and handle the matter on its own, it can contact a security company for assistance.”
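One way to turn this advice into a first-pass triage check for inbound “vulnerability report” messages, as an added example that is not part of the original article: the scorer below looks for the red flags the quoted extortion mail exhibits (BTC payment demanded up front, a BTC address in the body, imgur screenshots offered as “vouches”, a LinkedIn “verify me” link, and a named bug class with no reproducible details). The sample messages are constructed for this example; the URLs and the BTC address in them are placeholders, not the ones reported in the article.

```python
import re
from typing import Dict, List

# Red flags drawn from the extortion mail quoted in the article. Each maps a
# flag name to a pattern; the scorer reports which flags a message hits.
RED_FLAGS: Dict[str, re.Pattern] = {
    # Payment in BTC demanded before any report is handed over
    "btc_payment_demanded": re.compile(r"\b\d+(?:\.\d+)?\s*BTC\b", re.I),
    # A bitcoin address (base58, legacy/P2SH form starting with 1 or 3) in the body
    "btc_address_present": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # "Vouches" delivered as image-host screenshots rather than verifiable references
    "screenshot_vouches": re.compile(r"https?://(?:[im]\.)?imgur\.com/\S+", re.I),
    # "Verify me on LinkedIn": viewing the profile exposes the employee's own identity
    "linkedin_verify_link": re.compile(r"https?://(?:www\.)?linkedin\.com/in/\S+", re.I),
}

# Terms a genuine report normally contains; a named bug class without any of them is a flag
DETAIL_MARKERS = re.compile(
    r"steps to reproduce|proof of concept|\bPoC\b|payload|\bcurl\b|CVE-\d{4}-\d+", re.I)
BUG_CLASS = re.compile(r"integer overflow|\boverflow\b|vulnerab|\bvuln\b", re.I)


def triage(message: str) -> List[str]:
    """Return the red flags an inbound 'vulnerability report' message triggers."""
    flags = [name for name, pat in RED_FLAGS.items() if pat.search(message)]
    if BUG_CLASS.search(message) and not DETAIL_MARKERS.search(message):
        flags.append("bug_class_named_without_details")
    return flags


def verdict(message: str) -> str:
    """An up-front BTC demand alone, or three or more flags, is treated as extortion."""
    flags = triage(message)
    if "btc_payment_demanded" in flags or len(flags) >= 3:
        return "likely-extortion"
    return "review" if flags else "no-flags"


# Constructed samples (not real mail): the first mirrors the quoted extortion pitch,
# the second is a plausible good-faith disclosure. URLs and the address are placeholders.
EXTORTION_SAMPLE = """Hey, we have found a nifty integer overflow vulnerability on => https://exchange.example
Attacker could alter webserver. Pricing for the Infosec/Audit offered: => 2 BTC
Proof of payment: https://i.imgur.com/PLACEHOLDER.jpg
You can verify me on LinkedIn: https://www.linkedin.com/in/placeholder-profile/
Blockchain URL: https://www.blockchain.com/btc/address/3AbCdEfGhJkMnPqRsTuVwXyZ12345678"""

GENUINE_SAMPLE = """Hello security team, we found an integer overflow in the /api/orders quantity field.
Steps to reproduce: POST /api/orders with quantity=4294967296 and observe the 500 response.
Proof of concept script attached; no payment is expected. Please confirm receipt."""
```

Running `verdict()` over the two samples yields `likely-extortion` for the first and `no-flags` for the second; a message with one or two flags and no payment demand is returned as `review` for a human to look at.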

Appendix (original text of the phishing email):

It's more like a vulnerability which allows an attacker to crash the webserver of the following website. "Integer-overflow" related. The attack vector itself holds a huge security risk, when exploited, the webserver could crash due to it, and eventually be unreachable. The flaw has been done through exploitable web elements on your website.

Our proposal is based on information-security (infosec) regarding cybersecurity.

Confidentiality: assist infosec wisely to implement firewalls, intrusion detectors and prevention technologies to ensure reliable provided service. (not actual server access required.)

Availability: In order to ensure that I would have infosecurity on redundancy and backups, when/if one of the servers is down, the second server would replace it and ensure that the services are up and running without any downtime.

General knowledge => This type of attack as demonstrated are based on exploiting website elements: these can include forms, direct webserver exploit, or DNS leaking for the actual backend server, which gives a malicious attacker multiple chances to work with.

We'd address the required knowledge needed to counter this type of threats.

These following items listed below are our main focuses what we will send reports to regarding, next to every "to be addressed" phase;

We have added in a short meaning on what does it include as can be seen.

• The audit process 1.1 Audit planning & preparation 1.2 Establishing audit objectives 1.3 Performing the review 1.4 Issuing the review report

• The audit System 2.1 Networking Security 2.2 Backend Installation / Security 2.3 API Audition 2.4 CDN + Anti malicious attacks protection 2.5 Code Audit: checking vulnerability in any PHP / ASP / JS code

Vouches by companies:

[Make sure to check the provided link for vouch.]

1. KuCoin => { https://i.imgur.com/y0AXMCn.jpg ]

2. CoinSwitch => https://i.imgur.com/l8D8g9p.jpg ]

CoinSwitch Contract example => https://i.imgur.com/P2hMNxD.jpg

3. Phantasma => https://i.imgur.com/y1QCOuL.jpg ]

4. PlatonFinance => https://i.imgur.com/189Ejdz.jpg ]

5. Vulnerability Analysis (just an example)

=>https://i.imgur.com/V0C19KZ.jpg

and many more.

6. STEX Exchange paid 3 BTC for our infosec and analysis: => https://m.imgur.com/18tAXah

7. Proof of Kucoin Payment to us:https://i.imgur.com/trBbVKP.jpg

8. XCOYNZ Project:https://i.imgur.com/UbUliaI.jpg

Proof of compensations: Different companies which some included be seen in multiple vouches above, have rewarded me almost total of [$ 102,783.91 USD on 01/03/2019 rate for security related bounties, cybersecurity, demonstrations, and different VA reports.

Blockchain URL: =>https://www.blockchain.com/btc/address/3GQQt2zJnPAWvirym7pbwvNTeM5igGuKxy

Pricing for the Infosec/Audit offered: => 2 BTC

To make it clear the price will be one-time payment and afterwards there won't be any charge. You can consult us further at anytime.
