Hackers hunting for open cryptocurrency wallets, scanning computers worldwide
Large-scale internet scanning campaigns have been intercepted by security researcher Didier Stevens. The so-called honeypot, a mechanism designed by Stevens to detect, deflect, or counteract unauthorized attempts to use information systems, managed to pick up a bot searching for files containing cryptocurrency wallets.
“I've seen a couple of such requests a couple of years ago, but it's the first time I see that many. The first time I observed this was late 2013, in the middle of the first big BTC (bitcoin) price rally,” Stevens said, as quoted by Global Crypto Press, which focuses on cryptocurrency and tech news.
The researcher posted the findings on the forum of US-based SANS Technology Institute. The filenames included wallet - Copy.dat, wallet.dat, wallet.dat.1, wallet.dat.zip, wallet.tar, wallet.tar.gz, wallet.zip, wallet_backup.dat, wallet_backup.dat.1, wallet_backup.dat.zip, wallet_backup.zip.
Hackers are reportedly looking for bitcoin wallet archives, which were accidentally left online. Access to the archives provides access to the funds stalled in the digital currency. The price for one bitcoin token is currently hovering around $10,000, which is stirring up interest among cybercriminals.
At the same time, Stevens revealed that cyberthieves started searching for ethereum wallet clients that are accessible over the internet.
The network security expert said the number of blind requests to the JSON-RPC interface of ethereum nodes has increased. This interface is a programmatic API (application programming interface) for ethereum clients that should be exposed only locally.
The interface does not support any authentication with wallet apps installed on the users’ computers and can make calls to an ethereum client to move and manage funds.
According to Stevens, criminals can also make requests to this JSON-RPC interface and issue commands to move funds to their wallets if the user's computer is online.
Users that are running ethereum nodes, which require having internet access, should make sure they turn off the JSON-RPC interface's incoming requests or forward them through an intermediary server to filter only approved clients.