Cyber thief absconds with $59 million from 63,000 individuals through a Twitter advertisement campaign related to cryptocurrency

Google and Twitter advertisements are circulating links to websites housing a cryptocurrency scheme called 'MS Drainer,' which has siphoned off $59 million from 63,210 victims in the past nine months. ScamSniffer's blockchain analysts have uncovered over ten thousand phishing sites employing this drainer since March 2023, with heightened activity spikes observed in May, June, and November.

A drainer, in this context, refers to a malevolent smart contract or a comprehensive phishing suite engineered to drain cryptocurrency from a user's wallet without their authorization. Victims are lured to seemingly legitimate phishing websites where they unwittingly approve harmful contracts, enabling the drainer to execute unauthorized transactions and transfer their funds to the attacker's wallet address.
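The approval step described above is where a wallet or browser extension can still intervene. The following is an added example, not code from the article or from ScamSniffer, that decodes the raw calldata of a pending transaction and returns reasons to warn the user before signing; the function selectors are the standard ERC-20/ERC-721 ones, while the trusted-spender list and the sample calldata are constructed for illustration.

```python
"""Added example: flag wallet-draining token approvals in raw Ethereum calldata."""

# Standard 4-byte function selectors (first 4 bytes of keccak256 over the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 / ERC-721 single approval
    "39509351": "increaseAllowance(address,uint256)",  # ERC-20 allowance bump
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155 operator approval
}
UINT256_MAX = 2**256 - 1

# Constructed allowlist standing in for the spender contracts a user actually trusts.
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI-encoded argument following the selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def inspect_calldata(hex_data: str, trusted=TRUSTED_SPENDERS):
    """Decode an approval call; return (function, spender, reasons) or None if not an approval."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    sig = SELECTORS.get(data[:4].hex())
    if sig is None or len(data) < 4 + 64:
        return None  # transfers, swaps etc. are out of scope for this check
    spender = "0x" + _word(data, 0)[12:].hex()   # address is the low 20 bytes of the word
    amount = int.from_bytes(_word(data, 1), "big")
    reasons = []
    if spender not in {s.lower() for s in trusted}:
        reasons.append("spender is not a known contract")
    if sig.startswith("setApprovalForAll"):
        if amount == 1:
            reasons.append("grants operator rights over every token in the collection")
    elif amount >= UINT256_MAX // 2:
        reasons.append("allowance is effectively unlimited")
    return sig, spender, reasons


# Constructed calldata: approve(<attacker address>, uint256 max), the pattern a drainer site asks the victim to sign.
DRAINER_APPROVE = "0x095ea7b3" + "00" * 12 + "de" * 20 + "ff" * 32
# Constructed benign calldata: approve(<trusted spender>, 1000 tokens with 18 decimals).
BENIGN_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + format(1000 * 10**18, "064x")
# Constructed NFT operator approval: setApprovalForAll(<attacker address>, true).
DRAINER_OPERATOR = "0xa22cb465" + "00" * 12 + "de" * 20 + format(1, "064x")

if __name__ == "__main__":
    for label, data in (("drainer", DRAINER_APPROVE), ("benign", BENIGN_APPROVE), ("nft", DRAINER_OPERATOR)):
        print(label, inspect_calldata(data))
```

A real wallet would also resolve the spender against a contract-reputation source; here the allowlist stands in for that lookup.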

The source code for MS Drainer is marketed to cybercriminals for $1,500 by an individual known as 'Pakulichev' or 'PhishLab,' who also levies a 20% fee on any pilfered funds using the toolkit. PhishLab additionally sells supplementary modules that enhance the malware's functionalities, ranging from $500 to $1,000.

Blockchain data reveals instances where victims on the Ethereum chain lost cryptocurrency valued at $24 million, alongside other notable cases involving losses between $440,000 and $1.2 million.

The fraudulent ads promoting MS Drainer exploit Google Search by appearing for keywords related to DeFi platforms like Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant. These ads capitalize on a loophole in Google Ads' tracking template, masquerading the URL as the official domain of the spoofed project before redirecting users to a phishing site.

On Twitter, MS Drainer advertisements dominate, accounting for six out of nine phishing ads on users' feeds, many posted from "verified" accounts with the blue tick badge at the time of the ad display. MalwareHunterTeam, a security researcher, suspects that the holders of these Twitter accounts might have fallen victim to malware that pilfered their authentication data, enabling threat actors to create ads from compromised accounts.

Interestingly, when engaging with a Twitter account running a cryptocurrency scam, the researcher found no trace of the ads in the advertising accounts.

The malicious ads on Twitter employ various themes, including one titled "Ordinals Bubbles," promoting a purportedly exclusive NFT collection featuring characters enclosed in bubbles. Additionally, these ads promote NFT airdrops and new token launches hosted on sites linked to the drainer.

ScamSniffer notes that these ads employ geofencing as a detection evasion tactic, targeting users from predefined regions while redirecting others to legitimate or innocuous websites.

Cryptocurrency scams have historically thrived on Twitter, and the use of compromised "verified" accounts in promoting malicious sites indicates a heightened potential for successful attacks. Users should exercise extreme caution when encountering cryptocurrency-related ads and conduct thorough research before engaging with new platforms or linking their wallets.