Replies: 2 comments 1 reply
-
Hi again @tsutsu, In addition to the other comments we left on the issue you've opened, which itself refers to this discussion: Upon review, we simply can't resist emphasizing how strongly we feel that our team & the Covalent team could work out long-running arrangements for processing this data, even refining a pipeline for the complete task, with the goal being to standardize it as adequately as possible. Eventually we hope to produce a viable model for the Web3 security community and open source communities to make extensive use thereof. We are eager to share our ideas & thoughts on these topics. For context - we specialize in hunting these phish kits, drainer kits, and all variety of MaaS-style threats, and we keep an extensive collection and ever-growing, wide variety of samples that we obtain. Each sample is saved with as much detail as possible, while remaining relevant, and we keep this store of data classified by the threat actor, in both the obfuscated and de-obfuscated forms (meaning the kit source itself) Lastly, we believe we could assist your in rapid-discovery of these threats -- potentially to a significant desgree. If you like, please feel free to go ahead and reach out to us by email -- [email protected] Thankyou :) |
Beta Was this translation helpful? Give feedback.
-
Moved to #12129 |
Beta Was this translation helpful? Give feedback.
-
Hi, we (@covalenthq) recently performed a scan of our userbase to find users who were acting in the commission of crypto-drainer phishing scams. This is possible for us, because some of the crypto-drainer software libraries appear to integrate directly with our API, in such a way that each scam operator needs to register an account with our service to receive an API key, to plug into the library.
In our first scan, we have found a large number of such users, where each such user had many (100+) domains that API requests to us were coming from, with most of them being clear typosquatting phishing domains; and others being "made up" phishing domains (e.g. purported airdrops for tokens that aren't actually doing an official airdrop.) In total, we collected a dump of 4594 suspicious domains.
From spot-checks, very few of these domains are already flagged by Metamask (or by Chrome's safe-browsing list); though, given the historical nature of this data, many of these domains are just plain gone, presumably because the scam has run its course. (The data is all from the last year, however, so the domains are likely still owned by the scammers, and may be reactivated at any time.)
The emphasis should be on the "suspicious" part, though — we don't have time to go through 4.6k domains to individually flag what they're doing, so we can't say with 100% certainty that every domain in this list is a phishing scam. Spot checks using sandboxed browsers with zero-balance Metamask accounts have revealed that many of these domains are clearly just facades for crypto-drainer malware; but the purpose of other domains is less clear, with us unable to trigger any kind of malware activity through our limited probing.
Nevertheless, these more-opaque domains were all operated by the same users who operate the more-flagrant crypto-drainer domains, so I would have to assume that these other domains are equally malicious, just in some more subtle way.
Would it be acceptable for us to submit this dump of domains directly? Would someone here be willing to triage it?
Also, we will likely find more such malicious users, and therefore more batches of phishing domains, going forward. What would be a best practice for submitting (potentially large) batches of new domains as we discover them?
Beta Was this translation helpful? Give feedback.
All reactions