Lightshot Phishing Attack

By: Shahar Mashraki - Cyber Security Analyst   |   Updated: 8/11/2020

Lightshot is not a user-based application, thus all screenshots are uploaded to a shared cloud, accessible to anyone. All it takes is changing a few digits and letters in the given URL and with each iteration, a new screenshot will appear:




After a quick browse, I have already encountered countless valuable, personal information such as IDs, receipts, bank account details and etc but what caught my eye the most is the following, credentials of a possible crypto wallet (bit-trading indicates BTC currency):



Due to the belief that nobody is that careless I have decided to manually logon onto the website with the given credentials, to my surprise no 2FA was requested and I successfully logged on and encountered a BTC wallet with overall 0.88BTC (est 9,850 USD as for today):



At that point, it is safe to say that this website is pretty alarming and there has to be something behind it. When clicking on the “Withdraw” button the website represents the following message, asking for a 0.0015BTC fee due to withdrawal:



Further digging into the blockchain history shows that 0.133 BTC was sent to&from this wallet (197 transactions overall):



Now it is pretty clear that we’re viewing a new Phishing attack vector that targets individuals that abuse Lightshot’s data leak and attempt to find vulnerable, sensitive information such as a BTC wallet and will eventually get scammed themselves.

By the time of writing this post, I have already encountered 5 similar attacks based on Lightshot data leak.



Bonus points:

1. The attackers “leaked” georgian33m account in various ways, here is an additional photo of an allegedly innocent Telegram conversation, it is obvious at this point that this is another part of the scam:




2. At the time of writing this article, the website is still live. There are actually no authentication methods used in the website, the login page redirects to the same account, no matter what type of credentials are entered.


3. You can skip the login part and browse directly to the wallet via /profile:



4. It is pretty clear from viewing the source code that these are static HTML elements and none of them actually update: