Stevens' honeypot detected a bot searching server paths for file names specific to Bitcoin wallet apps. Stevens, who posted his findings on the SANS ISC InfoSec Forums, says he recorded scans for the following file names:
wallet – Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip
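The list above is enough to write a detector for your own web server logs. The following script is an added example, not code from Stevens' post or from SANS ISC: it parses lines in the Apache/nginx "combined" format, URL-decodes the request path (a scanner asks for "wallet – Copy.dat" as "wallet%20%E2%80%93%20Copy.dat"), flags sources that probed several distinct wallet names, and separately reports the case that actually matters, a wallet request the server answered with 200. The log lines are constructed for the example, not real traffic; the threshold of three distinct names is an arbitrary choice.

```python
import re
import urllib.parse
from collections import defaultdict

# The wallet file names from the honeypot list, lower-cased for comparison.
# "wallet – Copy.dat" contains an en dash (U+2013), written as an escape so it
# matches the URL-decoded request path exactly.
WALLET_FILES = {
    "wallet \u2013 copy.dat", "wallet.dat", "wallet.dat.1", "wallet.dat.zip",
    "wallet.tar", "wallet.tar.gz", "wallet.zip", "wallet_backup.dat",
    "wallet_backup.dat.1", "wallet_backup.dat.zip", "wallet_backup.zip",
}

# Apache/nginx "combined" log prefix: client, ident, user, [timestamp], request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one source sweeps several wallet
# names and gets a 200 for one of them; a second source makes a single wallet
# request, which on its own is not enough to call it a scan.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2017:10:01:02 +0000] "GET /wallet.dat HTTP/1.1" 404 209
203.0.113.7 - - [24/Nov/2017:10:01:02 +0000] "GET /wallet.dat.zip HTTP/1.1" 404 209
203.0.113.7 - - [24/Nov/2017:10:01:03 +0000] "GET /backup/wallet_backup.dat HTTP/1.1" 404 209
203.0.113.7 - - [24/Nov/2017:10:01:03 +0000] "GET /wallet%20%E2%80%93%20Copy.dat HTTP/1.1" 200 12345
198.51.100.22 - - [24/Nov/2017:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.22 - - [24/Nov/2017:10:05:01 +0000] "GET /wallet.zip?x=1 HTTP/1.1" 404 209
"""


def parse_line(line):
    """Parse one access-log line; returns a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and URL-decode, so the encoded request compares
    # equal to the literal file name.
    path = urllib.parse.unquote(rec["path"].split("?", 1)[0])
    rec["path"] = path
    rec["basename"] = path.rsplit("/", 1)[-1].lower()
    rec["status"] = int(rec["status"])
    return rec


def is_wallet_probe(rec):
    """True when the request asked for one of the known wallet file names."""
    return rec is not None and rec["basename"] in WALLET_FILES


def find_scanners(lines, threshold=3):
    """Map source IP -> sorted distinct wallet paths, keeping only sources that
    asked for at least `threshold` distinct wallet files (one hit can be noise)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if is_wallet_probe(rec):
            hits[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}


def served_wallet_files(lines):
    """The real emergency: wallet requests the server answered with 200, i.e. a
    backup that was actually sitting in the web root and has now been downloaded."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if is_wallet_probe(rec) and rec["status"] == 200:
            out.append((rec["ip"], rec["path"]))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, paths in find_scanners(lines).items():
        print("wallet scan from %s: %s" % (ip, ", ".join(paths)))
    for ip, path in served_wallet_files(lines):
        print("ALERT: %s downloaded %s" % (ip, path))
```

Run it against a real log with `find_scanners(open("/var/log/apache2/access.log"))`. A 404 sweep tells you someone is looking; a 200 tells you the backup was there to be found, and at that point the keys in it should be treated as stolen and the funds moved.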
"I've seen a couple of such requests a couple of years ago, but it's the first time I see that many," Stevens said, impressed by the scale of the scan. "The first time I observed this was late 2013, in the middle of the first big BTC price rally."
With Bitcoin's price having risen from about $200 two years ago to nearly $8,200 today, readers should expect crooks to keep scanning the Internet for Bitcoin wallet backups accidentally left on web servers. An unencrypted wallet.dat holds the private keys outright, so anyone who downloads it can spend the funds; a passphrase-encrypted one can still be carried off and brute-forced offline at leisure, so a weak passphrase offers little protection once the file is out.
Scans for Ethereum JSON-RPC endpoints are also going on
But Bitcoin isn’t the only cryptocurrency riding high these days. Ether is the other, and since the start of November, crooks have started looking for Ethereum wallet clients that are accessible over the Internet.
Security researcher Dimitrios Slamaris brought to Bleeping Computer's attention today a mass scan campaign in which crooks make blind requests to the JSON-RPC interface of Ethereum nodes.
This interface is the programmatic API of Ethereum client software, and in theory it should be exposed only on the local machine, because it has no authentication of its own: whoever can reach the port can call whatever methods the node has enabled. Wallet apps installed on the user's computer use it to talk to the local node and to manage and move funds.
If the user’s computer is connected online, an attacker can also make requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet, Slamaris told Bleeping Computer today in a private conversation.
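The practical question for a node operator is whether their own JSON-RPC port answers from the outside. The script below is an added example, not code from Slamaris or from any Ethereum client: it builds the same kind of unauthenticated JSON-RPC 2.0 request the scanners send, asks `web3_clientVersion` (does an Ethereum node answer at all?) and `eth_accounts` (does it manage accounts?), and turns the two replies into a verdict. The method names are standard Ethereum JSON-RPC; the port 8545 and the geth-style replies are assumptions, and the sample reply bodies are constructed, not captured from a real node. The live `probe()` is for auditing nodes you operate.

```python
import json
import http.client

# Assumption (not from the article): the node serves HTTP JSON-RPC on TCP 8545,
# geth's default port. Other clients and configurations differ.
DEFAULT_PORT = 8545


def rpc_request(method, params=None, req_id=1):
    """Build a JSON-RPC 2.0 request body. Note what is absent: the protocol has
    no credential field at all, which is why mere exposure is the problem."""
    return json.dumps({"jsonrpc": "2.0", "method": method,
                       "params": params or [], "id": req_id})


def parse_rpc_response(body):
    """Return (result, error_message). Anything that is not a JSON-RPC 2.0 reply
    (an HTML 404 page, the banner of some other service) counts as an error."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None, "not JSON"
    if not isinstance(obj, dict) or obj.get("jsonrpc") != "2.0":
        return None, "not a JSON-RPC 2.0 reply"
    if "error" in obj:
        err = obj["error"]
        return None, err.get("message", "rpc error") if isinstance(err, dict) else str(err)
    return obj.get("result"), None


def assess(version_reply, accounts_reply):
    """Classify an endpoint from the raw bodies of a web3_clientVersion call
    and an eth_accounts call.
      not-ethereum-rpc      : whatever answered is not an Ethereum node
      exposed               : the node answers RPC to us but lists no accounts
                              (or has the eth namespace disabled)
      exposed-with-accounts : the node answers and manages accounts; any that
                              are unlocked can be emptied by whoever reaches it
    """
    version, err = parse_rpc_response(version_reply)
    if err or not isinstance(version, str):
        return "not-ethereum-rpc"
    accounts, err = parse_rpc_response(accounts_reply)
    if err or not accounts:
        return "exposed"
    return "exposed-with-accounts"


def probe(host, port=DEFAULT_PORT, timeout=3.0):
    """Run the two calls against a live host. Use only on nodes you operate:
    these are the same requests the scanners send."""
    def call(method):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("POST", "/", body=rpc_request(method),
                         headers={"Content-Type": "application/json"})
            return conn.getresponse().read().decode("utf-8", "replace")
        finally:
            conn.close()
    try:
        return assess(call("web3_clientVersion"), call("eth_accounts"))
    except (OSError, http.client.HTTPException):
        return "unreachable"


# Constructed reply bodies (not captured from a real node) for the classifier.
GETH_VERSION = '{"jsonrpc":"2.0","id":1,"result":"Geth/v1.7.3-stable/linux-amd64/go1.9"}'
NO_ACCOUNTS = '{"jsonrpc":"2.0","id":1,"result":[]}'
ONE_ACCOUNT = '{"jsonrpc":"2.0","id":1,"result":["0x0000000000000000000000000000000000000001"]}'
ETH_DISABLED = ('{"jsonrpc":"2.0","id":1,"error":{"code":-32601,'
                '"message":"The method eth_accounts does not exist/is not available"}}')
NOT_RPC = "<html><body>404 Not Found</body></html>"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python3 rpccheck.py 203.0.113.7
    else:
        print(assess(GETH_VERSION, ONE_ACCOUNT))   # exposed-with-accounts
```

A node that comes back "exposed" or "exposed-with-accounts" from an address outside your own network is usually one started with geth's `--rpc --rpcaddr 0.0.0.0` (or the equivalent in another client). The fix is to bind the RPC server to 127.0.0.1 or a Unix socket, firewall the port, enable only the namespaces you need via `--rpcapi`, and keep accounts holding real funds off any node that has RPC turned on at all.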