July 21, 2024
China's New Phishing Scheme Targets Cryptocurrency Enthusiasts

Chinese Hackers Exploit Skype Facade in New Crypto Phishing Scheme

A new phishing scheme has surfaced in China, utilizing a counterfeit Skype video app to target cryptocurrency users. SlowMist, a crypto security analytics firm, reported that the Chinese hackers leveraged the country’s prohibition on international applications as the foundation for their scam, exploiting the tendency of mainland users to seek banned applications through third-party platforms.

Social media platforms like Telegram, WhatsApp, and Skype are commonly sought after by mainland users, making them susceptible to scammers deploying fake, cloned applications embedded with malware designed to compromise crypto wallets.

In their analysis, the SlowMist team identified the fraudulent Skype app, created recently, displaying version 8.87.0.403, whereas the legitimate Skype version is 8.107.0.215. The phishing scheme’s back-end domain, initially posing as the Binance exchange on November 23, 2022, later transformed to mimic a Skype back-end domain on May 23, 2023.

The investigation into the fake Skype app began when a user who had suffered substantial financial losses to the scam reported it. The app’s signature showed it had been tampered with, revealing that malware had been inserted. Upon decompiling the app, the security team found a modified version of the widely used Android network framework ‘okhttp3,’ tailored to target crypto users. Unlike the stock version, the altered okhttp3 framework fetches images from various phone directories in real time.

The malicious okhttp3 prompts users to grant access to internal files and images, exploiting the fact that many social media applications routinely request such permissions, so users rarely treat the request as suspicious. Once access is granted, the fake Skype app promptly uploads images, device details, user ID, phone number, and other information to the backend. The fake app then continuously scans images and messages for strings matching Tron and Ethereum address formats and, on detection, automatically replaces them with malicious addresses pre-set by the phishing gang.
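The substitution described above works because both address families have a recognisable shape: a Tron address is 34 Base58 characters starting with "T", and an Ethereum address is "0x" followed by 40 hex digits. The following is an added defender-side example, not code from SlowMist or from the malicious app. It locates addresses of both kinds in text, validates the Tron Base58Check checksum (Ethereum's EIP-55 checksum needs Keccak-256, which the standard library lacks, so only the shape is checked there), and compares the addresses a user composed against what actually left the device, as a wallet or messaging app could do to flag a tampered message. All sample addresses are constructed inside the block.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Base58 alphabet used by Tron (and Bitcoin): no 0, O, I or l.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_PREFIX = b"\x41"  # version byte that makes every Tron address start with "T"

# Shape-only patterns for the two address families the fake app watched for.
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58, preserving leading zero bytes as '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Decode Base58 text; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def tron_checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_from_hash(hash160: bytes) -> str:
    """Build a Tron address from a 20-byte account hash (used here to construct samples)."""
    payload = TRON_PREFIX + hash160
    return b58encode(payload + tron_checksum(payload))


def is_valid_tron(addr: str) -> bool:
    """True only if the address decodes to 0x41 + 20 bytes + a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[:1] != TRON_PREFIX:
        return False
    return tron_checksum(raw[:21]) == raw[21:]


def find_addresses(text: str) -> List[Dict[str, Optional[object]]]:
    """Return every address-shaped token in order of appearance, with checksum status."""
    hits = []
    for m in TRON_RE.finditer(text):
        hits.append({"chain": "tron", "address": m.group(0), "checksum_ok": is_valid_tron(m.group(0)), "pos": m.start()})
    for m in ETH_RE.finditer(text):
        # EIP-55 needs Keccak-256, not available in hashlib, so shape only.
        hits.append({"chain": "eth", "address": m.group(0), "checksum_ok": None, "pos": m.start()})
    return sorted(hits, key=lambda h: h["pos"])


def detect_substitution(composed: str, transmitted: str) -> List[Dict[str, str]]:
    """Compare addresses the user typed with those that left the device.

    Any positional mismatch is reported; a differing address count is also
    treated as tampering, since an in-path rewrite never removes an address.
    """
    sent = [h["address"] for h in find_addresses(composed)]
    seen = [h["address"] for h in find_addresses(transmitted)]
    if len(sent) != len(seen):
        return [{"composed": " ".join(sent), "transmitted": " ".join(seen)}]
    return [{"composed": a, "transmitted": b} for a, b in zip(sent, seen) if a != b]


# Constructed sample data (not real victim or attacker addresses).
USER_ADDR = tron_from_hash(bytes(range(20)))
ATTACKER_ADDR = tron_from_hash(bytes(20))
ETH_SAMPLE = "0x" + "ab" * 20

if __name__ == "__main__":
    composed = f"please send the USDT to {USER_ADDR} or {ETH_SAMPLE}"
    transmitted = composed.replace(USER_ADDR, ATTACKER_ADDR)
    for hit in find_addresses(transmitted):
        print(hit)
    print("substituted:", detect_substitution(composed, transmitted))
```

The check only tells you that an address changed between composition and transmission; since the attacker's replacement is itself a well-formed address, checksum validation alone cannot distinguish it from the victim's. Pairing this with an out-of-band confirmation of the recipient address is what actually stops the fraud.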

During SlowMist’s testing, it was observed that the wallet address substitution had ceased with the shutdown of the phishing interface’s backend, no longer delivering malicious addresses. Additionally, the team identified a Tron chain address that received approximately 192,856 Tether by November 8, with 110 transactions made to the address. Simultaneously, an Ethereum chain address received around 7,800 USDT in 10 transactions. In response, the SlowMist team blacklisted all wallet addresses associated with the scam.


Disclosure Statement: Miami Crypto does not take any external funding, or support to bring crypto news to the readers. We do not have any conflicts of interest while writing news stories on Miami Crypto.
