Selling cryptocastles in the sky

February 2, 2018

From mid-January to mid-December of 2017, the price of Bitcoin jumped more than twentyfold, peaking at nearly $20,000 per coin. Fellow cryptocurrencies Ethereum and Monero haven’t reached that level, but their relative growth was even more impressive. As usual, many are lured by the prospect of making a fast buck on the back of this new gold rush.

Ordinary users are mining virtual coins or buying up cryptocurrencies on online exchanges in the hope of a major windfall, and cybercrooks are coming up with all kinds of devious scams. We’ve already discussed several traps that cryptocurrency enthusiasts will want to avoid. Recently, researchers discovered a new scheme involving the use of ransomware masquerading as an e-wallet for a nonexistent — seriously, imaginary — cryptocurrency.

How does that work?

First of all, we should note that the list of cryptocurrencies is not limited to Bitcoin, Monero, and Ethereum: The website Coinmarketcap, for example, lists almost 1,500 varieties of online-only money. Related forums are abuzz with talk about which exotic little coin will be the next to soar.

Swindlers are exploiting the clamor, luring people to download wallets for SpriteCoin, supposedly the next big thing in the world of crypto. A simple search shows that Google knows nothing about it (or rather, the only information you can find on SpriteCoin is about this very fraud), but it seems some cryptoinvestors aren’t slowing down long enough to hit up Google for information.

The SpriteCoin pseudo-e-wallet takes a while to reveal its true colors. First, it prompts the user to create a password, and then it does a good impression of downloading blockchain components. This does not arouse suspicion; any so-called “thick” e-wallet, when first launched, synchronizes with its network and downloads the cryptocurrency’s entire blockchain to become a valid participant in that network.

In the case of SpriteCoin wallets, however, the progress bar isn’t counting down a useful download but rather the files being encrypted on the victim’s computer. The malicious wallet adds the extension .encrypted to the encrypted files and, if it receives the command, even deletes Windows shadow copies so that the user cannot restore the affected files. In addition to that, the malware sends any logins and passwords stored in Firefox and Chrome straight to the criminals. The data is exchanged through the Tor network, letting the scammers remain anonymous.

Thereafter, it’s textbook: Files are encrypted and an on-screen window displays a demand for 0.3 Monero (about $100 as of today). Unlike SpriteCoin, Monero is real and is starting to replace Bitcoin as the go-to currency for criminals because it offers a higher level of anonymity. The crooks don’t threaten to destroy the files but instead say that the data will remain inaccessible if the victim doesn’t pay. If the malware, also known as MoneroPay, receives the command to remove shadow copies, this threat will most likely become reality.

But even if the user caves, their troubles do not end there. The decryption key they receive comes with a second piece of malware that spies through their webcam, steals digital security certificates, and does other unpleasant things.
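One behaviour described above that a defender can actually watch for is the burst of files being renamed with the .encrypted extension while the fake “download” runs. The following is an added example, not code from the original post or from any product: a sliding-window heuristic over file-system events that alerts on such a burst while ignoring an isolated rename. The event records are constructed, and the (timestamp, action, path) event format, the 30-second window and the threshold of five files are assumptions.

```python
"""Heuristic detector for the burst of renames to ".encrypted" that a
SpriteCoin-style wallet produces while its fake blockchain download runs.
Added example, not code from the original post; the event records below are
constructed and the (timestamp, action, path) format is an assumption."""
from collections import deque
from datetime import datetime, timedelta

SUSPECT_EXT = ".encrypted"       # extension the article says the malware appends
WINDOW = timedelta(seconds=30)   # sliding window; assumed tuning value
THRESHOLD = 5                    # suspect renames within WINDOW that raise an alert

# Constructed file-system events: (ISO timestamp, action, path).
EVENTS = [
    ("2018-01-20T10:00:00", "rename", "C:/Users/a/Documents/report.docx.encrypted"),
    ("2018-01-20T10:00:01", "rename", "C:/Users/a/Documents/budget.xlsx.encrypted"),
    ("2018-01-20T10:00:01", "write",  "C:/Users/a/AppData/Local/Temp/sync.log"),
    ("2018-01-20T10:00:02", "rename", "C:/Users/a/Pictures/img1.jpg.encrypted"),
    ("2018-01-20T10:00:03", "rename", "C:/Users/a/Pictures/img2.jpg.encrypted"),
    ("2018-01-20T10:00:04", "rename", "C:/Users/a/Pictures/img3.jpg.encrypted"),
    ("2018-01-20T10:00:05", "rename", "C:/Users/a/Pictures/img4.jpg.encrypted"),
    ("2018-01-20T10:15:00", "rename", "C:/Users/a/Desktop/old.txt.encrypted"),
]

def is_suspect_rename(action, path):
    """A rename whose new name ends in the ransomware's extension."""
    return action == "rename" and path.lower().endswith(SUSPECT_EXT)

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one (alert_timestamp, paths) tuple per burst of at least
    `threshold` suspect renames inside `window`. An isolated rename (a user
    renaming one file by hand, say) never reaches the threshold."""
    recent = deque()   # (datetime, path) of suspect renames still inside the window
    alerts = []
    alerted = False    # suppress repeat alerts for the same burst
    for ts, action, path in events:
        if not is_suspect_rename(action, path):
            continue
        now = datetime.fromisoformat(ts)
        while recent and now - recent[0][0] > window:   # expire old renames
            recent.popleft()
        if len(recent) < threshold:
            alerted = False    # burst ended (or never started); re-arm
        recent.append((now, path))
        if len(recent) >= threshold and not alerted:
            alerts.append((ts, [p for _, p in recent]))
            alerted = True
    return alerts
```

Run against the constructed events, it raises a single alert at the fifth rename (10:00:04) and stays quiet for the lone rename fifteen minutes later; the same logic can be fed from a real file-system auditing source, which is where a backup or endpoint tool would hook it in.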

How to guard against SpriteCoin

  1. Do a little research. Before taking advantage of a great-looking offer on the advice of an online acquaintance, at least find out what it’s all about. Think before you take the plunge. Most “too great to be true” offers are great only for the other party.
  2. Make regular backups. You might not feel like it, but safe is better than sorry. Besides, there are lots of backup methods these days, so you can choose the one that best fits your routine.
  3. Take preemptive action. A good antivirus solution will protect you against both the initial Trojan and whatever arrives on its coattails. But keep in mind that the best (and sometimes the only) security against many other threats on the cryptocurrency market is your own vigilance.