These mass Internet scanning campaigns have been recently picked up by various honeypots installed by security researchers across the Internet.
The first of these, aimed at Bitcoin owners, was picked up by security researcher Didier Stevens over the weekend, just two days before Bitcoin was about to jump from $7,000 to over $8,000.
Stevens' honeypot detected a bot that was searching server paths for file names specific to Bitcoin wallet apps. Stevens, who posted his findings on the SANS ISC InfoSec Forums, says he recorded scans for the following file types:
"I've seen a couple of such requests a couple of years ago, but it's the first time I see that many," Stevens said, impressed by the scale of the scan. "The first time I observed this was late 2013, in the middle of the first big BTC price rally."
With Bitcoin's price going from $200 two years ago to nearly $8,200 today, readers should expect crooks to continue to scan the Internet for Bitcoin wallet archives accidentally left online. Anyone who obtains such an archive gains access to the victim's funds.
But Bitcoin isn't the only cryptocurrency riding high these days. Ether is the other, and since the start of November, crooks have started looking for Ethereum wallet clients that are accessible over the Internet.
Brought to Bleeping Computer's attention today by security researcher Dimitrios Slamaris, crooks are engaged in a mass scan campaign that makes blind requests to the JSON-RPC interface of Ethereum nodes.
This interface is a programmatic API for Ethereum clients that should be, in theory, only exposed locally. The reason is that this interface does not support authentication. Wallet apps installed on the user's computer can make calls to this Ethereum client to move and manage funds.
If the user's computer is connected online, an attacker can also make requests to this JSON-RPC interface and issue commands to move funds to an attacker's wallet, Slamaris told Bleeping Computer today in a private conversation.
Earlier this month, Slamaris tracked one campaign during which one crook appears to have succeeded in stealing 8 Ethers (around $3,200 today) from some accounts.
"Bot trying to steal Ethers from my honeypot, after enumerating "my" accounts, getting the balance and my client version!" pic.twitter.com/8x9JBHs2aD — Dimitrios Slamaris (@dim0x69), November 7, 2017
Users and organizations running Ethereum nodes that must have Internet access should make sure the JSON-RPC interface does not accept inbound queries from the Internet, or should proxy requests through an intermediary server that admits only approved clients.
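A defender-side check for the enumeration pattern in the tweet above (client version, account list, balances, then a transfer attempt), written as an added example that is not from Bleeping Computer or either researcher. It assumes a reverse proxy in front of the node's JSON-RPC port that logs client IP, verb, path and the POST body; the log format and sample lines are constructed for this example, while the method names are standard Ethereum JSON-RPC methods.

```python
import json
import re
from collections import defaultdict

# Constructed sample of a reverse-proxy access log for the node's JSON-RPC port:
# client IP, HTTP verb, path and logged POST body. Made up for this example.
SAMPLE_LOG = """\
203.0.113.7 POST / {"jsonrpc":"2.0","method":"web3_clientVersion","params":[],"id":1}
203.0.113.7 POST / {"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":2}
203.0.113.7 POST / {"jsonrpc":"2.0","method":"eth_getBalance","params":["0xabc","latest"],"id":3}
203.0.113.7 POST / {"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xabc","to":"0xdef","value":"0x1"}],"id":4}
127.0.0.1 POST / {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":5}
198.51.100.9 POST / {"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}
198.51.100.9 POST / not-json
"""

# Calls a blind scanner makes first: fingerprint the client, list accounts, read balances.
RECON_METHODS = {"web3_clientVersion", "eth_accounts", "eth_getBalance"}
# Calls that unlock keys or move funds; never legitimate from a non-local client.
DANGEROUS_METHODS = {"eth_sendTransaction", "personal_unlockAccount", "personal_sendTransaction"}

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+POST\s+\S+\s+(?P<body>\{.*\})\s*$")

def parse_line(line):
    """Return (client_ip, rpc_method) or None for a line that is not a JSON-RPC call."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        method = json.loads(m.group("body")).get("method")
    except (json.JSONDecodeError, AttributeError):
        return None
    return m.group("ip"), method

def classify_log(text):
    """Map each non-loopback client IP to a verdict based on the methods it called."""
    methods_by_ip = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] and not parsed[0].startswith("127.") and parsed[0] != "::1":
            methods_by_ip[parsed[0]].add(parsed[1])
    verdicts = {}
    for ip, methods in methods_by_ip.items():
        if methods & DANGEROUS_METHODS:
            verdicts[ip] = "theft-attempt"    # fund movement requested from outside
        elif methods & RECON_METHODS:
            verdicts[ip] = "wallet-probe"     # the enumeration pattern seen in the honeypot
        else:
            verdicts[ip] = "external-rpc"     # exposed, but no wallet-related calls yet
    return verdicts
```

Any verdict at all for a non-loopback address means the interface is reachable from outside and the proxy or firewall rule above has not been applied.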