Insights From a Crypto Wallet Phishing Attack
April 16th, 2021 | By Pedro Fortuna | 9 min read
In the early hours of April 14, multiple users of the rewards-earning cryptocurrency platform Celsius Networks started reporting a suspicious email that they received.
The email appeared to be a legitimate one coming from Celsius and announced the launch of the anticipated “Celsius Web Wallet”, along with an offer of $500 in CEL to users who followed a promo link.
The email (which you can see below) presented no indication of being fake and was indistinguishable from a plausible launch campaign by the company.
However, as some attentive users soon realized, the link led them to celsiuswallet.network instead of the official company domain, celsius.network. This was a clear indication that something was not right, as Celsius has long made it clear that it uses no other official domain.
Unfortunately, since the destination page looked like a legitimate company page, several users went ahead and tried to claim the offer, submitting sensitive information. Soon after, reports started appearing from users who claimed to have lost their crypto balance, and from many more who said they had received the phishing email, and even SMS messages, all linking to the same fraudulent page.

Celsius diligently kept on top of the incident, warning users about the scam email and advising them on what to do to remain secure. The company disclosed that its security team had identified a data leak at a third-party service holding some of its users' data, which is likely how the scammers obtained valid email addresses and phone numbers.
This attack posed several important questions:
What does the code of the fraudulent page look like and what does it do?
What type of preventive measures can companies put in place to avoid these scam copycat pages?
What does this incident say about third-party management?
Because our research team is actively engaged in uncovering details about these types of attacks, they were able to analyze the complete source code of the scam page. In this blog post, we will go over some key insights as to who may be behind the attack, how the attack worked, and how similar companies are at risk of losing user data to web supply chain attacks.
For a long time we have been watching phishing attacks grow more sophisticated. Scammers do a thorough job of writing seemingly official company emails and enticing users to submit valuable information on a scam page.
This incident with Celsius is especially interesting because the scammers leveraged users’ latent expectations of a web wallet launch. Not only that, but they managed to create a scam page that looks like a perfectly believable company page—it uses design elements that are identical to those of the official page and follows a similar structure, with no discernible suspicious elements on the page itself, at least at a first glance. In other words, a pristine copycat.
In order to analyze how this copycat was built and what it does, our research team went through its source code. We found a complete visual replica of the Celsius website assets together with a testjs.js file, which the attackers used to load fancybox (a pop-up/lightbox library) features. Although the scammers copied the assets perfectly, they did not use the same CMS as Celsius; instead, they copied the main page from the official website and adapted it to their needs.
Inside this testjs.js file, we found some interesting comments written in Portuguese, which hints that the attackers may be of a Portuguese-speaking country (Portugal, Brazil, Angola, etc.)
Looking at the HTML files, we also found evidence that the code was copied without much care. Namely, we found comments that are specific to the Celsius CMS. Since the attackers did not use that CMS, these comments serve no purpose in their HTML body, so they probably forgot, or did not care, to remove them.
Regarding what happens on the scam page when a user clicks the “Web Wallet” button to claim the (alleged) offer, we see a fancybox pop-up appear asking the user which wallet they want to connect to. The behavior afterward is always the same: the user inserts the details of their wallet and, after clicking on “Import Wallet”, the page says it had a problem connecting to the wallet of choice. Here, it’s important to note that, during our research, this behavior occurred when we provided fake wallet information, so it’s possible it could be different when a user provided a real wallet.
Upon pressing the “Import Wallet” button, the wallet details the customer introduced are parsed by the space.js script. Curiously, we found that space.js was actually the only file that had been obfuscated by attackers, which led us to believe that the file could contain some more useful information on the attack.
We deobfuscated the script, and the resulting code shows that the attackers used at least three domains in their skimming campaign: celsiuswebwallet.network, celsiuswallet.network and walletweb.xyz (the corresponding websites are already offline at the time of writing). The .xyz domain was registered on November 25, 2020, and the other two on March 31, 2021. These dates suggest that the attacker was already working on the phishing kit in November last year and only very recently adapted it to the Celsius look and feel. The attacker will probably try to reuse the same codebase in similar phishing attacks in the future.
We also noticed the usage of several anti-debugging and anti-tampering techniques (shown below), and the usage of EmulateTab API to focus victims' cursor and attention on the form.
Anti-debugging technique found on the deobfuscated code.
Anti-tampering technique found on the deobfuscated code.
Another snippet of the deobfuscated code.
Finally, after being parsed by space.js, the data was sent to the process.php file (request shown below) to be processed by the attackers. At this point, the attackers can do whatever they want with the collected data.
After analyzing the flow of the whole scam, several signs indicate that it was carried out by attackers with some experience in this type of attack. They meticulously chose a domain similar to Celsius' own and were able to create a credible email and copycat page. Moreover, since using leaked customer emails as part of the campaign requires some degree of sophistication, and because we found a reference to an advertising domain called adsymptotic.com, the attack may have been a collaboration between groups and/or individual attackers, perhaps as part of a larger ongoing phishing campaign.
Attackers do not always copy a site's source code wholesale, but when they do, there are preventive measures that raise the cost of creating the copycat page. For one, protecting the website source code with runtime defenses makes it much harder for attackers to retrieve it in usable form. These runtime defenses not only prevent the use of debuggers but also derail execution if the protected code is changed (which is exactly what attackers do when they build a new scam landing page). Additionally, the same source code can be protected with domain locks that, when coupled with real-time notifications, trigger a critical security warning whenever someone attempts to run the code outside the official company domain.
These, of course, are not foolproof measures, as it’s technically impossible to ensure that a website’s source code can’t be retrieved or reused by attackers. But the key takeaway here is that these security controls can vastly increase the cost of the attack to the point where scammers are more likely to move on to other targets.
As disclosed by Celsius, "an unauthorized party managed to gain access to a third-party email distribution system to send a phishing communication through email and SMS to some Celsius customers and others". This clearly pinpoints the origin of the leaked data to a compromised third party, in other words, a supply chain attack.
As discussed before, our discovery of a reference to the adsymptotic.com domain appears to indicate that this might be part of a bigger phishing campaign. As such, this attack may be replicated on similar crypto wallets (Nexo, BlockFi, Compound, Crypto.com), especially if the payoff of the Celsius incident keeps growing.
To be successful, though, such an attack would require access to legitimate email addresses and phone numbers of those platforms' users. In the Celsius incident the attackers obtained them from a leak at a third-party email service; next time they could turn to web supply chain attacks, a typical weak link in companies' websites.
By infiltrating one of these websites’ third-party script providers (such as a chatbot or an analytics service), attackers would be able to run malicious code on the website itself, covertly collecting fresh batches of user emails and phone numbers. Rinse and repeat.
The huge issue of (in)security in the web supply chain derives from the fact that, within the context of a web page, all scripts have the same privilege, regardless of whether they are first- or third-party.
As a result, any third-party script can:
Harvest any user input;
Add extra code;
Fully modify the behavior of the web page, tricking users into doing actions against their own interest;
Tamper with other code in the same scope;
Contact any external domain and exfiltrate data.
All of these events can happen without any awareness from the user and the website owner. As a result, when a third-party script gets compromised, the attack typically remains undetected for weeks or even months, giving attackers plenty of time to exfiltrate valuable user data.
Celsius already made it clear that the company will take action to ensure strict third-party management, stating that they “will raise the bar on what we require from third parties in terms of ISO and SOC certifications.”
It’s critical that companies go the extra mile here, meticulously vetting third-party scripts and implementing security measures that give them visibility and control of these third-party scripts.
To the unsuspecting eye, the Celsius attack might seem like any other phishing scam. However, as our research found, it is a prime example of a pristine copycat page being leveraged to trick users and ultimately steal their crypto balance. The evidence we found also indicates that this could be part of an ongoing phishing campaign with additional targets.
Jscrambler researchers have actively been investigating these types of attacks and working closely with companies to help them gain visibility and control of their third parties. With cryptocurrencies displaying such a huge momentum, all crypto platforms must step up their security, employing a defense-in-depth approach with effective client-side security controls.
And while users can’t effectively guarantee the security of their data all by themselves, we strongly suggest that Celsius users follow all the recommendations sent by the company. Seeing how phone numbers were also compromised, we advise Celsius users to be aware of scams like SIM swapping, which can compromise SMS-based 2FA.
As for users of similar crypto wallets, we strongly advise reviewing their account security measures (enforce 2FA, preferably app- or hardware-based rather than SMS; use strong, unique passwords), being extra cautious to click links only from official domains, and closely following the official company channels.
With the cryptocurrency market fully bullish, the upside of successful attacks is far too appealing for attackers. They already have the code developed and can rapidly pivot to new sites. We should expect more of these pristine phishing scams in the future.