Intro

hxxps[://]ensgiveaway[.]com is an ENS token scam that will connect to your wallet via Metamask. 

It will abuse an OAuth connection masked as authentication for a giveaway to drain tokens from your wallet.

Go to the outro for a safe way to view the scam website.

A friend on Twitter sent me the source link to check out. When I checked the tweet, it was being spread by tagging profiles with an ENS token giveaway.

ENS is a legitimate token with an interesting background. It attempts to emulate DNS by using a blockchain. A form of P2P DNS.

The source of the scam

The original tweet.

Notice that the only difference is two letters. They dropped the s at the end and replaced the i with an l.

The real ENS token Twitter account.

Checking the website

I pulled the JavaScript loaded by the website via Tails, and after confirming the files are definitely malicious, I stored them on Pastebin.

main.js, javascript_main.js, import_main.js

The JavaScript files.

The JavaScript files use a series of obfuscation techniques. The authors did not encrypt their strings.

You can go through the JavaScript in the Pastebin links. I will add some of my favourites here.

'X-API-Key': KEYS[Math['floor'](Math[_0x1d478f(298)]() * KEYS[_0x1d478f(305)])]

async function connectAndDrain() {
  if (connected == 0) await connectMetamask();
  await drain();
}

chains = {
  'eth': !![],
  'matic': ![],
  'bsc': !![]
},
toDrain = {
  'eth': {
    'nft': ![],
    'eth': !![],
    'tokens': !![]
  },
  'matic': {
    'nft': ![],
    'eth': ![],
    'tokens': ![]
  },
  'bsc': {
    'nft': ![],
    'eth': !![],
    'tokens': !![]
  }
}

  'rus': {
    'onConnect': _0x291f41(236),
    'onDisconnect': '💤 Пользователь $id покинул сайт',
    'onMetamaskConnect': _0x291f41(223),
    'onApprove': _0x291f41(237),
    'onCancel': '😢 Пользователь $id отменил транзакцию',
    'onSign': _0x291f41(221),
    'onCancelSwitch': '😢 Пользователь $id не сменил сеть'
  }
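The obfuscation in these files is mechanical: string-table lookups like `_0x1d478f(298)`, `!![]`/`![]` for true/false, and bracket property access such as `Math['floor']`. The following is an added example of a rewriting pass for exactly those patterns (it is not code from the post or from the scam scripts); the string table and the decoder offset are constructed stand-ins for whatever the real `_0x1d478f` resolved, and the decoder name is passed in as a parameter.

```javascript
// Constructed sample string table and offset, standing in for the
// obfuscator's real table; the decoder returns STRINGS[n - OFFSET].
const OFFSET = 298;
const STRINGS = ['random', 'pow', 'abs', 'max', 'min',
                 'round', 'sign', 'length', 'nft', 'tokens'];

// Mimics the obfuscator's accessor: decodeIndex(298) -> 'random'
function decodeIndex(n) {
  const i = n - OFFSET;
  if (i < 0 || i >= STRINGS.length) {
    throw new RangeError(`index ${n} is outside the string table`);
  }
  return STRINGS[i];
}

// Rewrites one obfuscated snippet into readable JS.
// decoderName is the accessor name used in the sample, e.g. '_0x1d478f'.
function deobfuscate(src, decoderName) {
  const call = new RegExp(`${decoderName}\\((\\d+)\\)`, 'g');
  let out = src
    // _0x1d478f(298) -> "random" (quoted literal)
    .replace(call, (_, n) => JSON.stringify(decodeIndex(Number(n))))
    // !![] is true, ![] is false; replace the longer form first
    .replace(/!!\[\]/g, 'true')
    .replace(/!\[\]/g, 'false');
  // obj['name'] -> obj.name, only when name is a valid identifier;
  // keys like ['X-API-Key'] are left alone
  out = out.replace(/\[(['"])([A-Za-z_$][\w$]*)\1\]/g, '.$2');
  return out;
}

// Example run on the API-key picker quoted from the scam
console.log(deobfuscate(
  "KEYS[Math['floor'](Math[_0x1d478f(298)]() * KEYS[_0x1d478f(305)])]",
  '_0x1d478f'
)); // prints KEYS[Math.floor(Math.random() * KEYS.length)]
```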

How does it work?

1. A user visits the website, which sends a message to a Telegram channel via a bot.

2. The user clicks on Connect, which prompts them to connect their Metamask wallet.

3. The website uses the app.zapper.fi API to check the balances of the wallet to see if they are > 0.

4. If there are coins, it fakes a transaction approval to look like it is related to the giveaway.

5. If the user approves the request, the coins are drained from their wallet.

You can see that, at the time of writing, this scam has taken $11K worth of tokens.

Outro

It seems that people have caught on that this is a scam. The URL and associated wallets have been reported.

URLScan of the website so you don’t have to visit it. Etherscan of the wallet that the funds are going to.

Oh, one last thing

A little birdy flew in my window and whispered in my ear that the Telegram user running this scam is huesosmaster (id -> 5687453554) in a group chat called Huesos with a total of 4 members.

Yo!
