Rewterz Threat Update – Carbanak Banking Malware Emerges Again with New Ransomware Tactics
December 26, 2023
Rewterz Threat Alert – “Stealc” – An Information Stealer Malware – Active IOCs
December 27, 2023
Severity
High
Analysis Summary
Google and Twitter ads are actively promoting websites that host a cryptocurrency wallet drainer known as 'MS Drainer', which has reportedly stolen $59 million from 63,210 victims over the past nine months. Blockchain threat analysts have identified more than ten thousand phishing websites using this drainer since March 2023, with peaks in activity observed in May, June, and November.
MS Drainer is sold as a phishing kit backed by malicious smart contracts. Victims are lured to a website that imitates a legitimate project and are prompted to sign a wallet transaction that approves the attacker's contract. Once that approval is granted, the drainer can move the victim's tokens without any further interaction, transferring them to an attacker-controlled wallet address. The source code is sold to cybercriminals by a user known as 'Pakulichev' or 'PhishLab' for $1,500, plus a 20% cut of stolen funds. PhishLab also sells add-on modules for the kit, priced between $500 and $1,000.
On Google Search, MS Drainer is delivered through malicious ads targeting keywords for DeFi platforms such as Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant. The ads abuse a loophole in Google Ads' tracking template feature: the ad displays a URL on the spoofed project's official domain, but the click is routed through the tracking template and redirected to the phishing site instead.
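The approval step is where a drainer gets its leverage, so the most useful check a wallet user or a wallet-security tool can make is to decode the calldata in the signing prompt before approving it. The following is an added example, not code from Rewterz or from the MS Drainer kit: it decodes ERC-20 / ERC-721 `approve`, `setApprovalForAll`, `transfer` and `transferFrom` calldata and flags the patterns drainers rely on (an unlimited allowance, or an operator granted the entire collection, to a spender that is not on a trusted list). The function selectors are the standard ones; the spender addresses and the "trusted spender" list are constructed for the illustration.

```python
"""Decode a wallet signing request and flag drainer-style token approvals.

Added example (not Rewterz or MS Drainer code). Addresses below are constructed.
"""
from __future__ import annotations

# First four bytes of keccak256(signature) for the standard token functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 / ERC-721
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
UINT256_MAX = (1 << 256) - 1   # the "unlimited" allowance drainers ask for

# Constructed addresses: a drainer contract and a legitimate router (assumed trusted).
DRAINER = "0x1111111111111111111111111111111111111111"
ROUTER = "0x2222222222222222222222222222222222222222"
TRUSTED_SPENDERS = {ROUTER}


def encode_call(selector: str, *args) -> str:
    """Build calldata: 4-byte selector followed by one 32-byte ABI word per argument.
    bool/int are right-aligned big-endian; addresses are left-padded with zeros."""
    out = selector
    for a in args:
        if isinstance(a, bool):          # must come before int (bool is an int subclass)
            out += f"{int(a):064x}"
        elif isinstance(a, int):
            out += f"{a:064x}"
        else:                            # 0x-prefixed hex address
            out += a[2:].lower().rjust(64, "0")
    return "0x" + out


def decode_call(calldata: str) -> dict:
    """Split calldata into selector + typed arguments using the table above."""
    data = calldata[2:].lower() if calldata.startswith("0x") else calldata.lower()
    sel = data[:8]
    sig = SELECTORS.get(sel)
    if sig is None:
        return {"selector": sel, "function": None, "args": []}
    name, params = sig.split("(")
    types = params.rstrip(")").split(",")
    body = data[8:]
    if len(body) != 64 * len(types):
        raise ValueError("calldata length does not match the ABI signature")
    args = []
    for i, t in enumerate(types):
        w = body[64 * i: 64 * (i + 1)]
        if t == "address":
            args.append("0x" + w[-40:])          # address is the low 20 bytes of the word
        elif t == "bool":
            args.append(int(w, 16) != 0)
        else:                                    # uint256
            args.append(int(w, 16))
    return {"selector": sel, "function": name, "args": args}


def assess(calldata: str, trusted_spenders: set[str] = TRUSTED_SPENDERS) -> list[str]:
    """Return warnings for a transaction the wallet is asking the user to sign."""
    call = decode_call(calldata)
    fn, args = call["function"], call["args"]
    warnings: list[str] = []
    if fn is None:
        warnings.append(f"unknown selector {call['selector']}: do not sign blind")
    elif fn == "approve":
        spender, amount = args
        if amount == UINT256_MAX:
            warnings.append(f"UNLIMITED allowance granted to {spender}")
        if spender.lower() not in {s.lower() for s in trusted_spenders}:
            warnings.append(f"spender {spender} is not a known contract")
    elif fn == "setApprovalForAll":
        operator, approved = args
        if approved:
            warnings.append(f"operator {operator} gains control of the ENTIRE collection")
        if operator.lower() not in {s.lower() for s in trusted_spenders}:
            warnings.append(f"operator {operator} is not a known contract")
    else:  # transfer / transferFrom move funds immediately
        warnings.append(f"{fn} moves tokens right now: verify the recipient {args[-2]}")
    return warnings


if __name__ == "__main__":
    for label, cd in [
        ("drainer approve", encode_call("095ea7b3", DRAINER, UINT256_MAX)),
        ("drainer NFT operator", encode_call("a22cb465", DRAINER, True)),
        ("normal swap approval", encode_call("095ea7b3", ROUTER, 1000)),
    ]:
        print(label, "->", assess(cd) or ["looks ordinary"])
```

The same decode can be run against the `data` field of any `eth_sendTransaction` request a dapp hands to the wallet. Revoking allowances already granted is a separate step; the point here is that a drainer's request is recognisable before it is signed.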

On Twitter, MS Drainer advertisements are just as prevalent, accounting for six of the nine phishing ads observed in users' feeds. Notably, some of these scam ads are posted from legitimate "verified" accounts carrying blue tick badges, which suggests that verified accounts are being compromised.
Security researchers suspect the affected Twitter account holders were infected with malware that stole their authentication cookies or passwords, allowing the threat actors to create ads from the compromised accounts. Some of the affected account holders say they have no knowledge of the ads appearing in their advertising accounts. The Twitter ads use a variety of lures, including "Ordinals Bubbles", a supposedly limited-edition NFT collection, as well as NFT airdrops and new token launches on sites hosting the drainer.

The researchers note that the campaign uses detection-evasion techniques such as geofencing: visitors from the targeted regions are sent to the drainer page, while everyone else (including ad reviewers and researchers) is redirected to the legitimate website. Given the growing sophistication of these attacks, users are urged to treat cryptocurrency-related ads with caution and to verify a platform thoroughly before connecting a wallet to it.
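The tracking-template loophole and the geofenced cloaking described above are both about the gap between the URL an ad displays and the page a click actually lands on, so the practical check is to expand the ad's tracking template the way Google does and follow the resulting redirect chain from more than one region. This is an added example, not Rewterz code: the hostnames, the tracking template and the redirect behaviour are constructed to mimic the campaign (a real audit would issue the HTTP requests from each vantage point and read the `Location` headers), and the registrable-domain comparison is a simplification that ignores the public suffix list.

```python
"""Audit where an ad click really lands, from several geographic vantage points.

Added example (not Rewterz code). Hostnames and redirect behaviour are constructed.
"""
from __future__ import annotations
from urllib.parse import quote, urlsplit

# What the ad claims: display and final URL on the spoofed project's domain (constructed).
FINAL_URL = "https://app.example-defi.test/"
# Attacker-controlled tracking template; Google substitutes {lpurl} with the final URL.
TRACKING_TEMPLATE = "https://clicks.tracker.test/go?u={lpurl}"
# Where targeted visitors actually end up (constructed look-alike domain).
PHISHING_URL = "https://app-example-defi.test/claim"
TARGETED_COUNTRIES = {"US", "GB"}


def expand_template(template: str, final_url: str) -> str:
    """Google Ads macro expansion: {lpurl} is the URL-escaped final URL,
    {unescapedlpurl} is the raw one (simplified; other macros are ignored)."""
    return (template.replace("{lpurl}", quote(final_url, safe=""))
                    .replace("{unescapedlpurl}", final_url))


def constructed_fetch(url: str, country: str) -> str | None:
    """Stand-in for an HTTP HEAD/GET from `country`: returns the Location header,
    or None if the page is served directly. Models the geofenced cloaking."""
    host = urlsplit(url).hostname
    if host == "clicks.tracker.test":
        return PHISHING_URL if country in TARGETED_COUNTRIES else FINAL_URL
    return None


def resolve(url: str, country: str, fetch=constructed_fetch, max_hops: int = 10) -> list[str]:
    """Follow redirects and return the full chain, first URL to landing page."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1], country)
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("too many redirects")


def registrable_domain(url: str) -> str:
    """Simplification: last two DNS labels (no public-suffix handling)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def audit_ad(final_url: str, tracking_template: str, vantage_countries: list[str],
             fetch=constructed_fetch) -> dict:
    """Resolve the ad click from each country and report off-domain landings and cloaking."""
    click_url = expand_template(tracking_template, final_url)
    expected = registrable_domain(final_url)
    per_country = {}
    for c in vantage_countries:
        chain = resolve(click_url, c, fetch)
        per_country[c] = {
            "chain": chain,
            "landing": chain[-1],
            "off_domain": registrable_domain(chain[-1]) != expected,
        }
    landings = {r["landing"] for r in per_country.values()}
    return {
        "click_url": click_url,
        "tracker_third_party": registrable_domain(click_url) != expected,
        "geo_cloaking": len(landings) > 1,              # different regions see different pages
        "any_off_domain": any(r["off_domain"] for r in per_country.values()),
        "per_country": per_country,
    }


if __name__ == "__main__":
    report = audit_ad(FINAL_URL, TRACKING_TEMPLATE, ["US", "DE"])
    print("click URL:", report["click_url"])
    for country, r in report["per_country"].items():
        print(country, " -> ".join(r["chain"]), "(OFF-DOMAIN)" if r["off_domain"] else "")
    print("geo cloaking:", report["geo_cloaking"], "| off-domain landing:", report["any_off_domain"])
```

A single vantage point is not enough: resolved only from a non-targeted country, the chain ends on the genuine site and the ad looks clean, which is exactly what the geofencing is for.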
Impact
- Financial Loss
- Cryptocurrency Theft
Remediation
- Treat cryptocurrency-related ads, airdrops and token launches with suspicion; reach DeFi platforms by a bookmarked or typed URL rather than through sponsored search results or social media ads.
- Research a platform thoroughly before connecting a wallet to it, and read what the wallet prompt asks you to approve before signing; revoke token approvals you no longer need.
- Treat emails from unknown senders with caution.
- Never trust or open links and attachments received from unknown sources or senders.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain up-to-date patches and antivirus software to prevent the exploitation of known vulnerabilities.
- Conduct regular vulnerability assessments and penetration testing to identify and mitigate security weaknesses.
- Implement robust security measures such as two-factor authentication on advertising and social media accounts, endpoint detection and response (EDR) tools, and employee security awareness training.