Google and Twitter ads are promoting sites containing a cryptocurrency drainer named 'MS Drainer' that has already stolen $59 million from 63,210 victims over the past nine months.
Blockchain threat analysts at ScamSniffer say they have discovered more than ten thousand phishing websites using the drainer between March 2023 and today, with spikes in activity observed in May, June, and November.
A drainer is a malicious smart contract or, in this case, a complete phishing suite designed to drain funds from a user's cryptocurrency wallet without their consent.
Users are taken to a legitimate-appearing phishing website and tricked into approving malicious contracts, allowing the drainer to automatically perform unauthorized transactions and transfer the victim's money to the attacker's wallet address.
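The approval step described above is where a drainer gets its access, so a wallet-side check on the transaction a site asks the user to sign is the natural place to intercept it. The following is an added example (not code from the article or from MS Drainer): it decodes the raw calldata of a pending transaction and flags the approval patterns drainers depend on, an unlimited ERC-20 allowance and an ERC-721/1155 setApprovalForAll(). The unlimited-allowance threshold, the trusted-spender list and the sample calldata are constructed for the example.

```javascript
// 4-byte selectors = first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};

const MAX_UINT256 = (1n << 256n) - 1n;
// Allowances at or above this are treated as effectively unlimited
// (assumed threshold; a real wallet would size it per token and decimals).
const UNLIMITED_THRESHOLD = 1n << 200n;

// 32-byte ABI word number `i` of the argument area (hex, no 0x prefix).
function word(args, i) {
  return args.slice(i * 64, (i + 1) * 64);
}

// Returns null when the call is not an approval, otherwise a verdict object
// a wallet could show the user before they sign.
function inspectCalldata(data, trustedSpenders = new Set()) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const sig = SELECTORS[hex.slice(0, 8)];
  if (!sig) return null;
  const args = hex.slice(8);
  // An address is right-aligned in its 32-byte word: skip 12 zero bytes.
  const spender = "0x" + word(args, 0).slice(24);
  const amount = BigInt("0x" + word(args, 1)); // uint256, or the bool for setApprovalForAll
  const trusted = trustedSpenders.has(spender);
  const reasons = [];
  if (sig.startsWith("setApprovalForAll")) {
    if (amount === 1n) reasons.push("grants operator rights over every NFT in the collection");
  } else if (amount >= UNLIMITED_THRESHOLD) {
    reasons.push("unlimited token allowance");
  }
  let risk = "low";
  if (reasons.length > 0) {
    risk = trusted ? "medium" : "high";
    if (!trusted) reasons.push("spender is not on the trusted list");
  }
  return { func: sig, spender, amount, trusted, risk, reasons };
}

// Constructed sample: approve(0x1111...1111, 2**256-1), the classic drainer request.
const SAMPLE_UNLIMITED_APPROVE =
  "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
console.log(inspectCalldata(SAMPLE_UNLIMITED_APPROVE));
```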
The source code for MS Drainer is sold to cybercriminals for $1,500 by a user named 'Pakulichev' or 'PhishLab,' who also charges a 20% fee on any funds stolen with the toolkit.
According to blockchain data on MS Drainer's activity, one of its Ethereum-chain victims lost $24 million worth of cryptocurrency, while other notable cases involve victims losing between $440,000 and $1.2 million.
In Google Search, MS Drainer is promoted via malicious ads that are shown for keywords related to DeFi platforms like Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.
Many of those ads exploit Google Ads' tracking template loophole to make the displayed URL appear to belong to the spoofed project's official domain.
A redirection takes those who click to a phishing site.
On X, better known as Twitter, advertisements for MS Drainer are so abundant that ScamSniffer reports they account for six out of nine phishing ads on their feed.
Security researcher MalwareHunterTeam, who has been tracking similar ads, told BleepingComputer they believe the Twitter account holders may have been infected with malware that stole their authentication cookies or passwords, allowing the threat actors to create advertisements from the hacked accounts.
Strangely, when the researcher spoke to the holder of an X account advertising a cryptocurrency scam, they were told that there was no trace of the ads in their advertising account.
The ads also promoted NFT airdrops and new token launches on sites that contain the drainer.
ScamSniffer says one detection bypass method employed by these ads is geofencing, which only targets users from pre-defined regions and redirects the rest to legitimate/innocuous websites.
Cryptocurrency scams have always performed well on X, but with trustworthy, hacked accounts now displaying advertisements promoting malicious sites, we should expect to see these types of attacks become even more successful.
Users should be very cautious when seeing cryptocurrency-related ads and perform due diligence before signing up to new platforms, let alone connecting their wallets.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 21 Dec 2023 21:25:20 +0000