Are you unsure where to store the cryptocurrency you own? Are you wondering whether the Jaxx wallet is the right place to keep the cryptocurrency you have bought?
The official Jaxx cryptocurrency wallet has been caught up in a phishing campaign designed to drain user wallets.
Before we go into the details of the Jaxx wallet phishing campaign, let us first get acquainted with cryptocurrency wallets.
Cryptocurrency wallets are necessary for trading Bitcoin or any other digital currency. Before you consider trading cryptocurrency, you first need to know what cryptocurrency is and how it works.
A cryptocurrency wallet comprises two elements: a private key and a public address.
Private Key: To access a cryptocurrency wallet, its holder must own the private key. If this key falls into the wrong hands, it can lead to the theft of everything in your cryptocurrency wallet.
Public Address: To receive cryptocurrency funds, end users are provided with a public address, generally in the form of text or a QR code.
Owning a cryptocurrency wallet leaves you responsible for the security of your own capital.
Jaxx is a simple tool, or rather a cryptocurrency wallet, that allows individuals and businesses to hold, control and trade blockchain assets like Bitcoin, Litecoin, Ethereum, Monero and a dozen other cryptocurrencies.
It is a popular cryptocurrency wallet owned by Canadian blockchain startup Decentral and enjoys over 1.2 million downloads on both desktop and mobile platforms.
Jaxx wallet has many defining features. These include:
Considering the popularity of this easy-to-use platform, threat actors designed a fraudulent version of the official Jaxx cryptocurrency wallet website that served malicious links. Clicking on these links directed users to servers controlled by the hackers. It was a simple trick employed by the threat actors to deceive users into revealing their wallet credentials and deprive them of their blockchain assets.
The legitimate Jaxx website is located at jaxx.io. Scam artists leveraged this simple-looking address to develop and launch a fake website with a similar name, jaxx.ws. This spoofed website used the Cloudflare content delivery network and was a carbon copy of the legitimate Jaxx domain.
This fraudulent domain was in operation from August 19, 2018 and primarily targeted Microsoft Windows and macOS users. The masqueraded Jaxx domain did allow the download of the legitimate Jaxx wallet software. However, the package also carried a hidden malware payload in the form of a malicious Java Archive (JAR) file and a .NET application that installed silently in the background.
The malware contained instructions to exfiltrate all system files to a command-and-control (C2) server controlled by the attackers. This included TXT, DOC and XLS files, the documents in which the attackers were most likely to find cryptocurrency wallet addresses.
On Windows systems the malicious payload was distributed via a .ZIP archive containing a malicious .NET binary.
On macOS it was distributed via JAR files that had been compiled with a Russian IDE (integrated development environment) named DevelNext. This indicates that the infection originated in Russia.
Moreover, the fraudulent site was hosted by the Russian VPS (Virtual Private Server) provider hostland[.]ru.
When the JAR files were executed, a message informed users that a new wallet could not be created due to technical issues. Victims were then redirected to an application screen that asked them for their Jaxx wallet backup phrase, the key requirement for compromising and decrypting the wallet to access the digital funds.
The backup phrase was delivered to the attacker's web server while the victim was shown another error message, written in a mix of Russian and English, stating that the server was not available and that the user should try again in 4 hours.
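The installer described above bundled a legitimate setup program with a hidden JAR and a .NET binary. The following added example (not code from the original article or from Jaxx) shows how a defender can inspect a downloaded archive for executable members that do not belong, identifying them by magic bytes rather than by file extension. The archive contents, including the installer stand-in and the file names, are constructed for the example.

```python
import hashlib, io, zipfile

def classify(data):
    """Identify executable content by magic bytes, regardless of the file extension."""
    kinds = []
    if data[:2] == b"MZ":                       # PE header: Windows executable
        kinds.append("pe")
        if b"mscoree.dll" in data or b"_CorExeMain" in data:
            kinds.append("dotnet")              # PE that loads the .NET runtime
    if data[:4] == b"PK\x03\x04":               # nested ZIP; a JAR carries a manifest
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if "META-INF/MANIFEST.MF" in inner.namelist():
                    kinds.append("jar")
        except zipfile.BadZipFile:
            pass
    return kinds

def find_bundled_payloads(archive, expected):
    """Return executable members of a downloaded ZIP that are not in the expected set."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kinds = classify(data)
            if kinds and info.filename not in expected:
                findings.append({"name": info.filename, "kinds": kinds,
                                 "sha256": hashlib.sha256(data).hexdigest()})
    return findings

def build_sample_archive():
    """Constructed sample: an installer stand-in plus a hidden JAR and a .NET-looking binary."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        j.writestr("Main.class", b"\xca\xfe\xba\xbe")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("Jaxx-Setup.exe", b"MZ" + b"\x00" * 64)     # stand-in, not the real installer
        z.writestr("README.txt", "Thank you for downloading\n")
        z.writestr("lib/update.jar", jar.getvalue())
        z.writestr("data.bin", b"MZ" + b"\x00" * 32 + b"mscoree.dll")
    return out.getvalue()

if __name__ == "__main__":
    for f in find_bundled_payloads(build_sample_archive(), {"Jaxx-Setup.exe"}):
        print(f)
```

The expected set is the list of files a vendor publishes for its installer; anything executable outside it, whatever its extension, deserves a hash lookup before the package is run.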
In addition, executing the corrupt payload led to the download of additional software: KPOT Stealer and Clipper malware, both of which originated on Russian underground forums.
KPOT Stealer was designed to steal information from hard drives.
Clipper was written to monitor the clipboard (the data buffer used by cut, copy and paste operations for short-term storage and transfer of data between documents or applications) for the public addresses of digital wallets and to replace them with addresses controlled by the attackers.
Once the culprits gained access to the user wallets, they planted their malicious software on the system and stole cryptocurrency.
Mobile users, however, were spared from the attack, as they were redirected back to the legitimate Jaxx domain.
Soon after the fraud came to light, Cloudflare suspended its services to the spoofed website. Jaxx also lent its support against the fake website, to protect its customer base.
This was primarily a social engineering attack against Jaxx wallet users and did not involve any vulnerability or security lapse in the Jaxx application, website or systems.
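A clipper swaps the address a user copied for one the attacker controls, and the swapped-in address is itself well-formed, so a format check alone will not catch it. The following added example (not from the original article, Jaxx, or the malware) validates legacy Bitcoin addresses with the Base58Check double-SHA-256 checksum and then flags a clipboard swap by comparing what the user copied against what the clipboard later contains. The clipboard events and the attacker address are constructed for the example; only the well-known genesis address is real.

```python
import hashlib, re
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # leading zero bytes -> '1'

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def base58check_encode(payload):
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)

def is_valid_base58check(addr):
    """True if the trailing 4-byte double-SHA-256 checksum matches (legacy Bitcoin addresses)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    expect = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == expect

ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
def looks_like_btc_address(text):
    return bool(ADDRESS_RE.match(text)) and is_valid_base58check(text)

def detect_clipboard_swaps(events):
    """events: (source, text) pairs; 'user' = text the user copied, 'poll' = clipboard read later.
    A swap is a polled address that differs from the address the user last copied."""
    alerts, last_copied = [], None
    for source, text in events:
        if source == "user":
            last_copied = text
        elif looks_like_btc_address(text) and text != last_copied and looks_like_btc_address(last_copied or ""):
            alerts.append((last_copied, text))
    return alerts

LEGIT = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"                 # real, well-known genesis address
ATTACKER = base58check_encode(b"\x00" + b"\xaa" * 20)       # constructed, not a real wallet
EVENTS = [("user", LEGIT), ("poll", LEGIT), ("poll", ATTACKER), ("user", "note"), ("poll", "note")]
```

A real monitor would hook the platform clipboard API for the 'user' and 'poll' events; the detection logic itself is the comparison above, which is also the manual check every user can do before sending.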
The researchers at Virus Removal Guidelines are dedicated to tracking down the latest vulnerabilities that may compromise your system security. Our team of experts performs detailed research on every malware infection before educating our users about it.