There’s Some Intense Web Scans Going on for Bitcoin and Ethereum Wallets

Read Time2 Minute, 10 Second

With both Bitcoin and Ethereum price hitting all-time highs in the past seven days, cyber-criminals have stepped up efforts to search and steal funds stored in these two cryptocurrencies.

These mass Internet scanning campaigns have been recently picked up by various honeypots installed by security researchers across the Internet.

Scans for Bitcoin wallet archives

The first of these, aimed at Bitcoin owners, was picked up by security researcher Didier Stevens over the weekend, just two days before Bitcoin was about to jump from $7,000 to over $8,000.

Stevens’ honeypot detected a bot that was searching server paths for file names specific to Bitcoin wallet apps. Stevens, who posted his findings on the SANS ISC InfoSec Forums, says he recorded scans for the following file types:

wallet – Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip

« I’ve seen a couple of such requests a couple of years ago, but it’s the first time I see that many, » Stevens said, impressed by the scale of the scan. « The first time I observed this was late 2013, in the middle of the first big BTC price rally. »

With Bitcoin’s price going from $200 two years ago to nearly $8,200 today, readers should expect crooks to continue to scan the Internet for Bitcoin wallet archives accidentally left online. Access to such archives will allow crooks access to victims’ funds.

Scans for Ethereum JSON RPC endpoints are also going on

But Bitcoin isn’t the only cryptocurrency riding high these days. Ether is the other, and since the start of November, crooks have started looking for Ethereum wallet clients that are accessible over the Internet.

Brought to Bleeping Computer‘s attention today by security researcher Dimitrios Slamaris, crooks are engaged in a mass scan campaign that makes blind requests to the JSON-RPC interface of Ethereum nodes.

This interface is a programmatic API for Ethereum clients that should be, in theory, only exposed locally. The reason is that this interface does not support authentication. Wallet apps installed on the user’s computer can make calls to this Ethereum client to move and manage funds.

If the user’s computer is connected online, an attacker can also make requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet, Slamaris told Bleeping Computer today in a private conversation.

To read the original article: https://www.bleepingcomputer.com/news/security/theres-some-intense-web-scans-going-on-for-bitcoin-and-ethereum-wallets/