# "Being broke is no joke!"

Crypto exchanges are definitely one of the favorite targets when it comes to phishing. Today we detected an interesting phishing campaign targeting mainly Dutch cryptocurrency exchanges and email providers. The list below reflects the latest analysis, but the campaign may target more domains that are yet to be discovered:

* litebit.eu
* gatehub.com
* kraken.com
* bitvavo.com
* outlook.live.com
* gmail.com
* yahoo.com
* proximus.be

The clone looks quite simple and does not introduce any interactive chat or mobile application to be downloaded on the victim's device. Everything starts with a login screen:

![](/files/-M9xMbi3cNcTt8dRwq7m)

After the credentials are stolen, the website asks for personal details:

![](/files/-M9xMooOqogS9de-DNXH)

Here is the interesting part. The phishing website asks the user to verify their email address by logging in to a fake Outlook website hosted on the same IP but on a different subdomain:

![](/files/-M9xNHYMWCLZXumUDzyS)

The user is then redirected back to the fake Litebit website, where the Google Authenticator code is requested and stolen:

![](/files/-M9xN_NE_CpqRLLUoDQK)

After entering our code 5 times, our account is reported as verified:

![](/files/-M9y5Mp1LiBXXPWBelAq)

To better understand the size of the attack, we visualized the perimeter of this campaign using Maltego and our custom transform, which performs reverse DNS lookups and subdomain brute-forcing. The graph below is just a first snapshot of what we detected and can change with further analysis.

![](/files/-M9xO8DGe9TQ9Yy8y7m8)

The graph shows that the phishers registered 36 domains, all hosted on the same IP, with subdomains replicating the name of the target platform (crypto exchange or email provider).

A better-organized view of the same graph can be found below:

![](/files/-M9xPMNaY7cqNo7WBylU)

All the detected domains follow the same pattern:

* com126986547271\[.]info
* com12789878951\[.]info
* com1298754841\[.]info
* com1359876471\[.]info
* com1365796741\[.]info
* com1365978471\[.]info
* com136598747\[.]info
* com1369875481\[.]info
* com1387458741\[.]info
* com1389754871\[.]info
* com1469874541\[.]info
* com14897589874641\[.]info
* com156987541\[.]info
* com1576988751\[.]info
* com1586975461\[.]info
* com167458712541\[.]info
* com168469874254\[.]info
* com168794671\[.]info
* com1698754671\[.]info
* com172656375375\[.]info
* com17456987451\[.]info
* com174632658837\[.]info
* com17569884541\[.]info
* com17698754151\[.]info
* com18265638385\[.]info
* com182657387385\[.]info
* com182765635656\[.]info
* com18756987491\[.]info
* com1876549871\[.]info
* com197458765871\[.]info
* com1987654871\[.]info
* eu16987457471\[.]info
* eu169875468971\[.]info
* eu169875487541\[.]info
* eu1832857583\[.]info
* be1387158741\[.]info
* net19878578741\[.]info
* mailreq\[.]info

as well as the subdomains set up under them:

* outlook\[.]live\[.]com126986547271\[.]info
* outlook\[.]live\[.]com12789878951\[.]info
* outlook\[.]live\[.]com1387458741\[.]info
* outlook\[.]live\[.]com1389754871\[.]info
* gmail\[.]com1469874541\[.]info
* outlook\[.]live\[.]com14897589874641\[.]info
* yahoo\[.]com1576988751\[.]info
* kraken\[.]com1586975461\[.]info
* outlook\[.]live\[.]com167458712541\[.]info
* litebit\[.]com168469874254\[.]info
* outlook\[.]live\[.]com172656375375\[.]info
* outlook\[.]live\[.]com174632658837\[.]info
* bitvavo\[.]com17569884541\[.]info
* outlook\[.]live\[.]com18265638385\[.]info
* outlook\[.]live\[.]com182657387385\[.]info
* outlook\[.]live\[.]com182765635656\[.]info
* outlook\[.]live\[.]com197458765871\[.]info
* litebit\[.]eu16987457471\[.]info
* litebit\[.]eu169875468971\[.]info
* litebit\[.]eu169875487541\[.]info
* litebit\[.]eu1832857583\[.]info
* www\[.]proximus\[.]be1387158741\[.]info
* signin\[.]gatehub\[.]net19878578741\[.]info

All the domains are hosted on 192\[.]236\[.]177\[.]125.
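The naming pattern above is regular enough to turn into detection logic. As an added example (not code from the DCODX post or from Phinix), the following Python script extracts queried hostnames from constructed DNS-resolver log lines, flags every host whose registrable domain has the `<real TLD><digits>.info` shape with a known brand label in front of it, and groups the hits by registrable domain, which is the unit a registrar abuse report is filed against. The log lines, the `q=<host>` log format and the brand list are assumptions made for the demo; the hostname shapes are the ones listed above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Brand labels the campaign imitated (litebit.eu, gatehub.com, kraken.com, ...).
BRAND_LABELS = {"litebit", "gatehub", "kraken", "bitvavo", "outlook", "gmail", "yahoo", "proximus"}

# Every campaign domain had the shape "<real TLD><digits>.info", so that
# "outlook.live.com1389754871.info" reads like outlook.live.com at a glance.
NUMERIC_SUFFIX_RE = re.compile(r"^(com|eu|be|net|org)\d{6,}\.info$")

# Constructed resolver log lines (not from the post); the "q=<host>" field
# is an assumed log format. Campaign hosts are mixed with legitimate lookups.
SAMPLE_LOG = """\
2020-06-15T10:03:11Z client=10.0.0.5 q=outlook.live.com1389754871.info type=A
2020-06-15T10:03:12Z client=10.0.0.5 q=outlook.live.com type=A
2020-06-15T10:04:40Z client=10.0.0.9 q=kraken.com1586975461.info type=A
2020-06-15T10:04:41Z client=10.0.0.9 q=www.kraken.com type=A
2020-06-15T10:05:02Z client=10.0.0.7 q=signin.gatehub.net19878578741.info type=A
2020-06-15T10:05:30Z client=10.0.0.7 q=www.proximus.be1387158741.info type=A
2020-06-15T10:06:00Z client=10.0.0.3 q=mail.google.com type=A
2020-06-15T10:06:10Z client=10.0.0.3 q=gmail.com1469874541.info type=A
2020-06-15T10:07:00Z client=10.0.0.4 q=litebit.eu16987457471.info type=A
2020-06-15T10:07:05Z client=10.0.0.4 q=app.litebit.eu type=A
"""

QUERY_RE = re.compile(r"\bq=(?P<host>[A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Finding:
    host: str
    brand: str
    registrable: str


def registrable_domain(host: str) -> str:
    """Last two labels. Enough here because every campaign domain sat directly under
    .info; a public-suffix list is needed for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> Optional[Finding]:
    """Flag a host whose registrable domain has the numeric-suffix shape and whose
    subdomain labels contain a known brand word."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if not NUMERIC_SUFFIX_RE.match(reg):
        return None
    for label in host.split(".")[:-2]:  # labels left of the registrable domain
        if label in BRAND_LABELS:
            return Finding(host, label, reg)
    return None


def scan_log(text: str) -> List[Finding]:
    """Pull queried hostnames out of log lines and classify each one."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            f = classify(m.group("host"))
            if f:
                findings.append(f)
    return findings


def pivot_by_domain(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group hits by registrable domain, the unit an abuse report is filed against."""
    groups: Dict[str, Set[str]] = {}
    for f in findings:
        groups.setdefault(f.registrable, set()).add(f.host)
    return groups


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"SUSPECT {f.host:42} imitates={f.brand:9} report={f.registrable}")
    print(f"{len(pivot_by_domain(hits))} registrable domains to report")
```

Note that `mailreq[.]info` from the list above does not follow the numeric pattern and was only linked to the campaign through the shared IP, so a rule like this complements the reverse-DNS pivot rather than replacing it.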

A quick WHOIS search confirms that the campaign started around mid-May:

```
Domain Name: EU169875487541.INFO
Registry Domain ID: D503300001185396436-LRMS
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2020-05-13T11:33:58Z
Creation Date: 2020-05-13T11:00:12Z
Registry Expiry Date: 2021-05-13T11:00:12Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: removed email address
Registrar Abuse Contact Phone: removed phone number
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
Name Server: AMSBS14.HOSTWINDSDNS.COM
Name Server: AMSBS13.HOSTWINDSDNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form is https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-06-27T09:36:59Z <<<
```
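A record like the one above carries most of the triage signals an analyst wants: how old the domain was when it was observed, whether the registrant hides behind a privacy service, and which name servers (hosting pivot) it uses. As an added example, not from the post, the following Python parses the quoted WHOIS record into a dictionary and derives those signals. The record embedded in the code is the one shown above; the 90-day "newly registered" threshold and the use of the `Last update of WHOIS database` stamp as the observation time are assumptions of this demo.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# WHOIS record for one campaign domain, as quoted in the post (contact fields were
# already redacted there). Used as the sample input for this demo.
WHOIS_RECORD = """\
Domain Name: EU169875487541.INFO
Registry Domain ID: D503300001185396436-LRMS
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2020-05-13T11:33:58Z
Creation Date: 2020-05-13T11:00:12Z
Registry Expiry Date: 2021-05-13T11:00:12Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
Name Server: AMSBS14.HOSTWINDSDNS.COM
Name Server: AMSBS13.HOSTWINDSDNS.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2020-06-27T09:36:59Z <<<
"""

# "Key: value" lines; keys are words, spaces and "/" (e.g. "Registrant State/Province").
# The non-greedy key stops at the first colon, so URLs in values stay intact.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /]*?):\s*(?P<value>.*)$")
LAST_UPDATE_RE = re.compile(r"Last update of WHOIS database:\s*(\S+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect every non-empty field; repeated keys (Name Server, Domain Status) keep all values."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m or not m.group("value"):
            continue
        fields.setdefault(m.group("key"), []).append(m.group("value").strip())
    return fields


def parse_ts(value: str) -> datetime:
    """Registry timestamps are UTC with a trailing Z; parse them as aware datetimes."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def observation_time(text: str) -> datetime:
    """Use the registry's 'Last update' stamp as the time the record was observed."""
    m = LAST_UPDATE_RE.search(text)
    if not m:
        raise ValueError("no 'Last update of WHOIS database' line in record")
    return parse_ts(m.group(1))


def assess(text: str, max_age_days: int = 90) -> dict:
    """Derive the triage signals an analyst wants from a raw WHOIS record."""
    rec = parse_whois(text)
    created = parse_ts(rec["Creation Date"][0])
    observed = observation_time(text)
    age_days = (observed - created).days  # whole days; a partial day is truncated
    registrant_org = " ".join(rec.get("Registrant Organization", [])).lower()
    return {
        "domain": rec["Domain Name"][0].lower(),
        "registrar": rec.get("Registrar", ["unknown"])[0],
        "created": created.isoformat(),
        "observed": observed.isoformat(),
        "age_days": age_days,
        "newly_registered": age_days < max_age_days,
        "privacy_protected": "privacy" in registrant_org,
        "name_servers": sorted(ns.lower() for ns in rec.get("Name Server", [])),
        "dnssec": rec.get("DNSSEC", ["unknown"])[0],
    }


if __name__ == "__main__":
    for key, value in assess(WHOIS_RECORD).items():
        print(f"{key:18} {value}")
```

For this record the domain was 44 full days old when the lookup was made, well inside any newly-registered-domain threshold, and the registrant is hidden behind a privacy service, so the name servers and the registrar are the two pivots left for a takedown request.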

The phishers did not bother creating a custom website: they downloaded the legitimate site as static HTML, added a few `.php` pages to send out the stolen credentials, and uploaded the result to the freshly registered domains.

During the analysis we hit the jackpot: we discovered the config panel the phishers use to set the email address that receives the credentials, as well as the URLs the victim is redirected to for the email verification step (the fake Outlook, for example). The panel is password-protected, but we were able to bypass it. Here we can see the different configurations for each exchange and mail provider.

LiteBit configuration:

![](/files/-M9xpMuqMtgD_8RzT8L1)

The Hotmail configuration lets the phisher choose whether 2FA is enabled or not:

![](/files/-M9xpr0AFxM_skF0h4f9)

Kraken configuration:

![](/files/-M9xqtrKojY-x2GAB84c)

BitVavo configuration:

![](/files/-M9xr-U5REAU6beMX-Km)

GateHub configuration:

![](/files/-MAoso7rncA2E_l_EmjQ)

The email addresses used to receive the stolen credentials are:

* <davitvince@outlook.com>
* <kraken.babushi@outlook.com>
* <robertbogen@outlook.com>

{% hint style="success" %}
The phishing websites have been taken down.
{% endhint %}

### Conclusions

Crypto exchanges are definitely very valuable targets for phishers, who are constantly looking for new ways of bypassing the security measures in place, such as Multi-Factor Authentication (MFA). Continuous awareness, detection, and response can reduce the impact of phishing attacks. Check how DCODX can help you detect stolen credentials and make phishing websites disappear in seconds using [Phinix](https://phinix.io), putting you in control of the phishing website and keeping you one step ahead of the phishers.

{% embed url="https://phinix.io" %}


