New Phishing Scheme Targets Crypto Futures On MEXC Exchange
The JFrog Security Research team has warned about a malicious package targeting crypto futures trading on the MEXC exchange, seeking to steal funds and leak trading credentials. The team has published a report on April 15 detailing the “ccxt-mexc-futures” package, which uses the legitimate Cryptocurrency Exchange Trading (CCXT) library to redirect user trading requests to a malicious server.
The malicious party sets a domain very similar to the legitimate one. In this case, a user can mistake the fake MEXC domain for a legitimate one. Once a victim falls into the trap, the attackers can hijack all crypto and sensitive information that the trading request contains. Therefore, attackers can also steal Application Programming Interface (API) keys and secrets. Subsequently, this compromises crypto trading accounts. Per the researchers, “the use of obfuscation techniques and a fake MEXC website further demonstrates the sophistication of this phishing campaign.” The fake website is even promoted on Facebook.
Meanwhile, going into more detail, JFrog explains that the ccxt-mexc-futures package claims to extend the crypto trading capabilities via the CryptoCurrency eXchange Trading (ccxt) PyPI package. This is a legitimate and popular crypto trading Python package that supports trading on many exchanges, including MEXC. However, the attackers claim that the malicious package extends the legitimate CCXT package to support “futures” trade on MEXC. Instead, to accomplish its goals, the malicious package overrides three relevant functions: describe, sign, and prepare_request_headers.
Adding, Rewriting, Redirecting, Stealing Crypto Futures
The report goes on to explain that the MEXC interface in CCXT defines a wide set of APIs to support different types of trading. The attackers targeted two of these APIs: contract_private_post_order_submit and contract_private_post_order_cancel. Once the malicious ccxt-mexc-futures package overrides these two APIs, it adds a third one, spot4_private_post_order_place. Therefore, users create, place, or cancel trading orders through these APIs that pose as the legitimate APIs of the CCXT library. “Every time a user utilizes these entries, instead of using the CCXT-defined entries, they will use the attacker’s entries, specifying futures trading in the request,” the researchers say.
Notably, the attackers went even further. They made it so that a “BadRequest” response will change into an “OrderFilled” response, so that users think the order went through. Also, as the malicious package overrides the sign function, if a user tries to communicate with MEXC using the package, the requests will go to the fake domain. This also means sending the user token in the request header to the attackers. If the user token is not supplied, the package will request the user to add it before making an order. “If it is not a future-related entry, the package directs the flow to the original MEXC exchange implementation of the CCXT package,” the report notes.
Meanwhile, the researchers discovered two versions of the malicious package. They use different methods to hide and run arbitrary code on the computer of the victim who installed the package. However, both methods are “very common ways for attackers to hide and run malicious payloads.” As a response to this threat, JFrog says it has added the malicious Python packages to JFrog Xray to enable users to detect them immediately.