Scan for Bitcoin wallet files

With both Bitcoin and Ethereum price hitting all-time highs in the past seven days, cyber-criminals have stepped up efforts to search and steal funds stored in these two cryptocurrencies.

These mass Internet scanning campaigns have been recently picked up by various honeypots installed by security researchers across the Internet.

Scans for Bitcoin wallet archives

The first of these, aimed at Bitcoin owners, was picked up by security researcher Didier Stevens over the weekend, just two days before Bitcoin was about to jump from $7,000 to over $8,000.

Stevens' honeypot detected a bot that was probing server paths for file names specific to Bitcoin wallet apps. Stevens, who posted his findings on the SANS ISC InfoSec Forums, says he recorded requests for the following file names:

wallet - Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip

"I've seen a couple of such requests a couple of years ago, but it's the first time I see that many," Stevens said, impressed by the scale of the scan. "The first time I observed this was late 2013, in the middle of the first big BTC price rally."

With Bitcoin's price going from $200 two years ago to nearly $8,200 today, readers should expect crooks to keep scanning the Internet for Bitcoin wallet archives accidentally left online. Anyone who obtains such an archive gains access to the victim's funds.
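The scan Stevens observed leaves a distinctive trace in any web server's access log. The following script is an added example (not from the article or from Stevens) that parses constructed Common Log Format lines, flags sources that request the wallet file names listed above, and separately reports any probe that received a 2xx response, since that means a wallet file was actually served.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# File names the honeypot saw requested, as listed in the article.
WALLET_NAMES = {
    "wallet - Copy.dat", "wallet.dat", "wallet.dat.1", "wallet.dat.zip",
    "wallet.tar", "wallet.tar.gz", "wallet.zip", "wallet_backup.dat",
    "wallet_backup.dat.1", "wallet_backup.dat.zip", "wallet_backup.zip",
}

# Common Log Format: host ident authuser [date] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2017:10:01:02 +0000] "GET /wallet.dat HTTP/1.1" 404 209
203.0.113.7 - - [17/Nov/2017:10:01:03 +0000] "GET /wallet.dat.zip HTTP/1.1" 404 209
203.0.113.7 - - [17/Nov/2017:10:01:03 +0000] "GET /wallet%20-%20Copy.dat HTTP/1.1" 404 209
203.0.113.7 - - [17/Nov/2017:10:01:04 +0000] "GET /backup/wallet_backup.dat.1 HTTP/1.1" 200 1523
198.51.100.4 - - [17/Nov/2017:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 3041
198.51.100.4 - - [17/Nov/2017:10:02:11 +0000] "GET /wallet.tar.gz HTTP/1.1" 404 209
"""

def is_wallet_probe(path):
    """True if the URL-decoded last path component is one of the known wallet file names."""
    name = unquote(urlsplit(path).path.rsplit("/", 1)[-1])
    return name in WALLET_NAMES

def find_wallet_scanners(lines, threshold=3):
    """Map source IP -> [(path, status), ...] for sources with at least `threshold` probes."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wallet_probe(m.group(3)):
            hits[m.group(1)].append((m.group(3), int(m.group(4))))
    return {ip: probes for ip, probes in hits.items() if len(probes) >= threshold}

def served_wallet_files(lines):
    """(ip, path) pairs where a wallet probe got a 2xx: the file exists and was handed out."""
    served = set()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wallet_probe(m.group(3)) and m.group(4).startswith("2"):
            served.add((m.group(1), m.group(3)))
    return served

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("scanners:", find_wallet_scanners(lines))
    print("served wallet files (treat as compromised):", served_wallet_files(lines))
```

A 2xx hit is the alert that matters: the private keys in that file should be considered exposed and the funds moved to a fresh wallet.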

Scans for Ethereum JSON-RPC endpoints are also under way

But Bitcoin isn't the only cryptocurrency riding high these days. Ether is the other, and since the start of November, crooks have started looking for Ethereum wallet clients that are accessible over the Internet.

Security researcher Dimitrios Slamaris brought to Bleeping Computer's attention today a mass scan campaign in which crooks make blind requests to the JSON-RPC interface of Ethereum nodes.

This interface is a programmatic API for Ethereum clients that should be, in theory, only exposed locally. The reason is that this interface does not support authentication. Wallet apps installed on the user's computer can make calls to this Ethereum client to move and manage funds.

If that computer is reachable from the Internet, an attacker can also make requests to this JSON-RPC interface and issue commands to move funds to an attacker's wallet, Slamaris told Bleeping Computer today in a private conversation.

Earlier this month, Slamaris tracked one campaign in which a crook appears to have successfully stolen 8 Ethers (around $3,200 today) from some accounts.

Scans have continued since the first campaign. Slamaris and SANS Internet Storm Center expert Johannes Ullrich documented a second campaign that took place this week [1, 2].

Users and organizations running Ethereum nodes that must have Internet access should disable inbound queries to the JSON-RPC interface, or proxy requests through an intermediary server that admits only approved clients.
