Summer of Scammers: PancakeSwap cryptocurrency thieves

-

 

Cryptocurrency is experiencing a huge boom. With this explosion in popularity, and people getting rich quick, come the cybercriminals looking to exploit this new technology. Unfortunately, while there may be a large amount of money to be made from cryptocurrecny there are very little controls or regulations preventing scams. Unlike other centralised financial services, such as banks, cryptocurrency users are only as protected as their own personal operational security (OPSEC). While there are long guides on OPSEC for cryptocurrency users, many new users are lacking here and do not use a strong password or two-factor authentication (2FA). This makes them sitting ducks for cybercriminals. This blog will detail how users of a relatively new platform, PancakeSwap, are being highly targeted. 

In their own words "PancakeSwap is the leading decentralized exchange on Binance Smart Chain, with the highest trading volumes in the market". Despite its comical name, PancakeSwap is no joke. The platform launched in September 2020 by its two co-founders Hops and Thumper (consistent with the rabbit theme). As a platform that regularly clocks in over $100 million in 24-hour trading volume, it is one of the most popular decentalized finance (DeFi) apps of all time. Much like Bitcoin, the team behind PancakeSwap is completely anonymous and does not have a helpdesk or any kind of customer support. [1, 2, 3]

Although I am not a PancakeSwap user, I was first alerted to these scams after being targeted myself via Twitter DMs. A scammer, posing as the official @PancakeSwap Twitter account, replied to a Tweet of mine and said to DM them about some made up "technical issue". I decided to explore what the angle of this social engineering attack was. The scammer tried to get me to visit a malicious site (archived here) that posed as WalletConnect. The service is legitimate but can be used to hijack a user's cryptocurrency wallet if the authentication code is given away.

Fig. 1 - Twitter DMs from the PancakeSwap scammer

Fig. 2 - WalletConnect phishing page hosted on NameCheap

After this I visited the scammers accounts and could view their tweets and replies to see who else they have targeted and could see hundreds of other threads the attackers had replied to.

Fig. 3 - Fake PancakeSwap Twitter accounts replying to random threads on Twitter

As a security researcher that looks at this stuff daily, I knew there was going to be more and was naturally inclined to pivot to find new accounts. I was curious to see just how many of these scammers there were. This led me to uncover an additional 24 Twitter accounts posing as PancakeSwap:

https://twitter.com/pancakeswapsup1 https://twitter.com/pancakeswapsu11 https://twitter.com/AptPancakeSSwap
https://twitter.com/Pancakeswapex https://twitter.com/pancakeswap_ats https://twitter.com/Smartchain_Bsc
https://twitter.com/AtsPancakeSwap https://twitter.com/aptpancakeswapp https://twitter.com/pancake_swap_
https://twitter.com/PancakeSPT_ https://twitter.com/Ast_pancakeswap https://twitter.com/agt_pancakeswap
https://twitter.com/PancakeSwapHelp https://twitter.com/seleret https://twitter.com/pancakeswapliv
https://twitter.com/PancakeSwpp https://twitter.com/BSCpancake1 https://twitter.com/Pancakeswap_Hlp
https://twitter.com/pancakeeswapp https://twitter.com/PancakeSwapBSCC https://twitter.com/pancakeswapaid
https://twitter.com/pancakeswapi https://twitter.com/pancakeswaphelp https://twitter.com/Pancakehelpline

Twitter was also not the only source of attacks. Although Twitter is a huge social media platform for cryptocurrency users, the users of other sites and apps such as Telegram and Reddit are also prone to being targeted this way.

Fig. 3 - Scammers targeting users on Telegram (Left) and Reddit (Right)

Tracking WalletConnect phishing proved difficult as I figured out quickly that these types of phishing pages are used to target many different types of cryptocurrency, not just PancakeSwap. However, in Fig. 3, in the Telegram attack, I noticed the scammers had registered a PancakeSwap typosquatting domain. The real domain pancakeswap.finance is being impersonated by adding a "v2" to the front of it. This subtle addition is used to hopefully trick an unsuspecting user into visiting the site and eventually handing over access to their wallets to the scammer.

Using the Certificate Stream (see here) I decided to check just how many PancakeSwap-themed typosquatting domains there are and uncovered hundreds. For a service that only appeared in September 2020, I found there are a high number of malicious domains impersonating it. The findings also show that Summer 2021 has been a boom for the scammers, registered hundreds of domains in June, July, and August.

Fig. 4 - PanakeSwap-themed domains registered per month since launch

Fig. 5 - PancakeSwap-themed domains registered per day since launch

Fig. 6 - Share of which web hosts have the highest percentage of the PancakeSwap-themed domains

In theory, taking down such scams is simple. Twitter has a built-in reporting feature that allows anyone to report an account. I was able to report some PancakeSwap accounts and, to Twitter's credit, they were eventually taken down.

Fig. 7 - Successful takedown requests against PancakeSwap-themed accounts actively scamming

To PancakeSwap's credit, their Telegram channel has a bot which reminds users about scams multiple times a day. Although this may be more indicative of how users struggle to keep themselves secure while using the service, or how limited the security features are in the service is, it is nonetheless obviously clear that there are a lot of scammers targeting its users.

Fig. 8 - Scam warning bot in the official PancakeSwap Telegram channel.

For cryptocurrency users, this issue is not going away. Cryptocurrency has become one of the most targeted verticals inside one of the most targeted sectors: finance. Cryptocurrency users are a soft target for cybercriminals. Stealing and laundering funds from cryptocurrency wallets is simpler than from a traditional bank account. Cryptocurrency wallets are not monitored or protected by anti-fraud protection and it is down to the user to add 2FA and use a strong password, whereas with a bank this is mandatory more often than not. 

The PancakeSwap scammers are using the same tactics, techniques, and procedures (TTPs) that I have seen in other scams, such as SMS phishing targeting UK mobile carriers and UK banks. This includes registering a large amount of typosquatting domains via registrars such as OVH SAS and NameCheap, who constantly allow cybercriminals to register many typosquatting domains in bulk and seem not to care what the domains are used for. 

Lastly, Twitter Security also need to step up here. The issue with Twitter is that anyone can create accounts for free as many times as they want. Twitter should know by now that their platform is rife with cryptocurrency scammers and should implement stronger protections to stop them creating so many accounts so quickly. Although there is no panacea to stop these scammers, as Twitter is one of the biggest sources of these attacks they could make their life harder by enforcing stricter account creation rules. For example, creating a Twitter handle with a known brand, such as "PancakeSwap", followed by "help" or "support" should be an instant red flag in my eyes.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more