Alert: Beware of New Phishing Scheme Targeting Crypto Futures on MEXC
The JFrog Security Research team has issued a warning about a sneaky malicious package designed to steal funds and compromise trading credentials on the MEXC exchange, a hub for crypto futures trading.
A Deep Dive into the Threat
On April 15, the team rolled out an in-depth report spotlighting the “ccxt-mexc-futures” package. This malicious package cleverly builds on the legitimate Cryptocurrency Exchange Trading (CCXT) library, but with a twist: it reroutes users’ trading requests to a server under the attacker’s control.
Spot the Fake
One of the tricks up the attackers’ sleeves is setting up a fake domain that closely resembles MEXC’s real one. It’s a classic phishing move: users can easily mistake the bogus site for the real thing.
Once a trader falls into this trap, it’s game over: the attackers can seize all the crypto and sensitive data contained in the trading request.
Exposing the Phishing Tactics
The attackers don’t stop at stealing funds. They also aim to get their hands on API keys and secrets, putting crypto trading accounts in danger. The researchers note that the attackers employ obfuscation techniques and promote their fake MEXC site on Facebook, showing the sophistication of this phishing campaign.
Understanding the Malicious Package
JFrog delved deeper into the workings of the ccxt-mexc-futures package. While it claims to extend crypto trading capabilities on top of the real CCXT PyPI package, it’s a ruse. The package actually overrides three critical functions, describe, sign, and prepare_request_headers, to achieve its malicious ends.
Manipulating the Trading Interface
The MEXC interface inside CCXT supports a range of APIs for various trading activities. The attackers zeroed in on two particular APIs: contract_private_post_order_submit and contract_private_post_order_cancel. By manipulating these, they introduce a third API, spot4_private_post_order_place.
This means traders unwittingly use the attackers’ APIs, believing they’re part of the legitimate CCXT library. According to the researchers, each time a user interacts with these entries, their request is silently rerouted to a futures trade, unbeknownst to them.
Deceptive Responses and Domain Redirects
The attackers didn’t stop there. They tweaked the code so that a “BadRequest” response morphs into an “OrderFilled” message, tricking users into believing their order succeeded. Moreover, by overriding the sign function, any communication with MEXC via this package is redirected to a fake domain, sending users’ tokens straight to the attackers.
If no user token is initially provided, the package prompts for one before proceeding with an order. For non-futures entries, the request is directed to MEXC’s real implementation in the CCXT package.
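The behaviours described above (overridden describe, sign and prepare_request_headers hooks, and hard-coded URLs that point away from the exchange’s real domain) can be turned into a static audit of a package’s source before it is installed. The Python below is an added example written for this article, not JFrog’s or CCXT’s own code; the trusted-domain list is an assumption to be checked against the exchange’s documentation, and the sample source it scans is constructed, not the real package.

```python
import ast
from urllib.parse import urlparse

# CCXT exchange hooks the JFrog report says the malicious package overrides.
SUSPECT_OVERRIDES = {"describe", "sign", "prepare_request_headers"}
# Assumed legitimate API domain for MEXC (assumption; check the exchange's docs).
TRUSTED_DOMAINS = {"mexc.com"}

def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def looks_like_ccxt_exchange(class_node):
    # Classes deriving from ccxt or from an exchange class such as ccxt.mexc.
    return any("ccxt" in ast.unparse(b) or "mexc" in ast.unparse(b).lower()
               for b in class_node.bases)

def audit_source(source):
    """Static audit of one Python file: report overridden CCXT hooks and
    hard-coded URLs whose host is outside the trusted domain list."""
    tree = ast.parse(source)
    overrides, untrusted_urls = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and looks_like_ccxt_exchange(node):
            for item in node.body:
                if (isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef))
                        and item.name in SUSPECT_OVERRIDES):
                    overrides.append(f"{node.name}.{item.name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                host = urlparse(node.value).hostname or ""
                if not is_trusted_host(host):
                    untrusted_urls.append(node.value)
    return {"overrides": overrides, "untrusted_urls": untrusted_urls}

# Constructed sample input (not the real package): a wrapper subclassing the
# CCXT MEXC class, overriding two hooks, with one lookalike placeholder host.
SAMPLE = '''
import ccxt
API = "https://api.mexc.com"
MIRROR = "https://api.mexc-lookalike.invalid"  # placeholder, not a real host
class WrappedMexc(ccxt.mexc):
    def sign(self, path, api="public", method="GET", params={}, headers=None, body=None):
        return super().sign(path, api, method, params, headers, body)
    def prepare_request_headers(self, headers=None):
        return super().prepare_request_headers(headers)
'''

if __name__ == "__main__":
    print(audit_source(SAMPLE))
```

Run it over each .py file of a freshly downloaded package (for example with `pip download` into a scratch directory) and treat any override of the three hooks or any non-trusted host as a reason to inspect the package by hand.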
Different Faces of the Threat
The researchers uncovered two variants of this malicious package, each employing different methods to conceal and execute harmful code on the victim’s machine. Despite the variation, both techniques are common tactics among cyber attackers for deploying malicious payloads.
Defense Mechanisms
In response to this threat, JFrog has added these harmful Python packages to JFrog Xray, allowing users to detect them swiftly and protect themselves.
It’s a timely reminder to remain vigilant and double-check URLs and sources, especially when handling sensitive financial information online. Stay safe out there in the market!
Source: JFrog
The post originally appeared on Cryptonews.
Image Credit: cryptorank.io