Bitcoin scammers phish for wallet recovery codes on Twitter

We’re no strangers to the Twitter customer support DM slide scam. This is where someone watches an organisation perform customer support on Twitter, and injects themselves into the conversation at opportune moments hoping potential victims don’t notice. This is aided by imitation accounts modelled to look like the genuine organisation’s account. The victim is typically sent to a phishing page where accounts, payment details, identities, or other things can be stolen.

We first observed the technique used on gamers back in 2014, and it eventually branched out into bank phishing. This time around, it’s being used to bag bitcoin. Shall we take a look?

Emptying your wallet

Trust Wallet is an app used to send, receive, and store Bitcoin along with other cryptocurrencies, including NFTs. With cryptocurrency being so very mainstream at the moment, it’s only natural lots of people are jumping on the bandwagon. Even those who know what they’re doing often run into trouble. I suspect the newcomers to the field are experiencing all manner of issues daily. This is a perfect storm of confused users and scammers lying in wait.

Take note of what the official TrustWalletApp account says, in relation to keeping your coins safe:

They are emphatic about keeping the recovery phrase safe. This is a method to regain access to a wallet, made up of 12 words. Whoever possesses the phrase, holds the keys to the kingdom (or at least, your wallet). If your coins have a lot of value attached, it would clearly be disastrous to lose access.

This is where our tale begins in earnest, in the replies to that tweet.

Oh no, my coins!

An individual claims they had their coins stolen, but managed to regain them.

wallet phishing1 600x279 1

Thank God I finally got all my stolen coin and money back!

I can now rest my head.

So far, so good. Further down, however, it all goes a bit wrong. Just a few replies down, they say this:

I lost all my money and coins my wallet last week, until I contacted their support page and they helped me rectify and resolved it, I think if you have any of this problem you should write to them too at [URL removed]

The link (powered by a DIY survey creator, where anybody can make whatever batch of questions they want) does exactly what TrustWalletApp says not to do: asks for the 12 word recovery phrase.

wallet phishing7 600x560 1
A fake support form on a popular survey site asks users to break “The first rule of Crypto”
wallet phishing5 600x519 1
A fake support form in a Google Doc asks users to break “The first rule of Crypto”

A swarm of bad tidings

The scam isn’t being spread by just one account, nor is there just one bogus support form. Multiple Twitter profiles lurk in the replies of anyone having a bad cryptocoin experience. One even claims to be the “Trust Wallet Team”, and does nothing but spam links to a Google Doc. The accounts are most likely set up to autorespond to anybody sending messages to the TrustWalletApp account, especially if it looks like they need assistance. No fewer than 19 responses were sent in one day from one account, and given the ever-fluctuating cryptocurrency values, just one bite could result in a decently-sized payday for the scammers.

wallet phishing2 397x600 1
Scammers attempt to lure struggling cryptocoin owners into breaking the “First rule of Crypto”

This is a low maintenance attack, which brings potentially high gains. It’s very common, to the extent that one of the accounts sending bogus Google Doc links does so to the person, or bot, we originally saw firing out bad links!

What can you do to keep your coins secure?

This isn’t just imitation organisation accounts dropping themselves into support chats. We also have lots of random, non-imitation accounts trying the same tactic. As a result, “regular account” doesn’t necessarily mean they’re being helpful. The kindness of strangers is often very helpful, but never take anything for granted. Cryptocurrency is in a bit of a modern-day gold rush at the moment, and people will do absolutely anything to get their hands on it.

Legitimate companies are unlikely to be performing technical support via Google Docs or survey sites, so avoid links that attempt to do that. Most importantly though, as per the Trust Wallet team themselves: never send anybody your 12 word recovery phrase. Not even Trust Wallet. Ever.

Passwords, pass codes, pass phrases, pass-whatevers are meant to be secrets, and they aren’t secrets if you tell somebody else. No company worth bothering with will ever ask for your password so don’t give them out. It’s the surest way imaginable to lose control of an account. And, because of the way that cryptocurrencies work, once the scammers have your wallet, it’s theirs. You almost certainly won’t be able to recover it.

That’s one promise you can take to the crypto-bank.

The post Bitcoin scammers phish for wallet recovery codes on Twitter appeared first on Malwarebytes Labs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source