Mapping and exploiting phishing campaigns targeting Crypto Exchanges
Crypto exchanges are definitely one of the favorite targets when it comes to phishing. Today we detected an interesting phishing campaign targeting mainly Dutch cryptocurrency exchanges and email providers. The list below reflects the latest analysis, but the campaign may include further targeted domains that are yet to be discovered:
litebit.eu
gatehub.com
kraken.com
bitvavo.com
outlook.live.com
gmail.com
yahoo.com
proximus.be
The clone looks quite simple and does not introduce any interactive chat or mobile application to be downloaded onto the victim's device. Everything starts with a login screen.
After the credentials are stolen, the website asks for the personal details.
Here is the interesting thing: the phishing website asks the user to verify the email address by accessing the email on a fake Outlook website hosted on the same IP but on a different subdomain.
The user is then redirected to the fake Litebit website to steal the Google Authenticator access code.
And after inserting our code 5 times, we get our account verified.
We decided to visualize the perimeter of this campaign using Maltego and our custom transformation to perform reverse DNS lookup and subdomain bruteforcing, to better understand the size of the attack. The graph below is just a first snapshot of what we detected and can change with further analysis.
The linked graph shows how the phishers registered 36 domains on the same IP, using different subdomains that replicate the name of the target platform (crypto exchange or email provider).
A better organized view of the same graph can be found below
The detected registered domains all follow the same pattern: a lookalike TLD string such as com or eu, followed by a long numeric sequence, registered under .info.
The registered subdomains follow the same scheme, prepending the impersonated hostname (outlook.live.com, litebit.eu, kraken.com and so on) to one of those domains.
All the domains are hosted on 192[.]236[.]177[.]125
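The naming scheme described above is regular enough to detect in DNS or proxy logs. The following is an added example written for this article, not code from DCODX or the campaign: it parses a hostname into the registered lookalike domain and the brand it mimics, and runs over constructed log lines. The six-digit threshold and the extra lookalike TLDs beyond com, eu, be and net are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Hostnames impersonated in this campaign, from the article's target list.
IMPERSONATED = ("litebit.eu", "gatehub.com", "gatehub.net", "kraken.com",
                "bitvavo.com", "outlook.live.com", "gmail.com", "yahoo.com",
                "proximus.be")

# Second-level label of the form <lookalike tld><digits>, e.g. "com126986547271".
# The campaign used com/eu/be/net; nl and org are added as an assumption.
# Six or more digits is an assumed threshold (observed labels had 9 to 14).
LOOKALIKE_LABEL = re.compile(r"^(?P<fake_tld>com|net|org|eu|be|nl)(?P<digits>\d{6,})$")


@dataclass
class Verdict:
    host: str
    registered_domain: Optional[str]  # e.g. com126986547271.info
    impersonated: Optional[str]       # brand hostname the name mimics, if known
    suspicious: bool


def analyze_host(host: str) -> Verdict:
    """Decide whether a hostname follows the campaign's naming scheme."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not (m := LOOKALIKE_LABEL.match(labels[-2])):
        return Verdict(host, None, None, False)
    registered = ".".join(labels[-2:])
    # Rebuild what the victim believes they are visiting: the leading labels
    # plus the fake TLD, e.g. outlook.live.com126986547271.info -> outlook.live.com
    mimicked = ".".join(labels[:-2] + [m.group("fake_tld")])
    brand = next((t for t in IMPERSONATED
                  if mimicked == t or mimicked.endswith("." + t)), None)
    return Verdict(host, registered, brand, True)


def scan_dns_log(lines: Iterable[str]) -> Iterator[Verdict]:
    """Yield verdicts for the queried name in '<client_ip> <qname>' log lines."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and (v := analyze_host(parts[1])).suspicious:
            yield v


# Constructed sample log lines (hostnames taken from the article's findings).
SAMPLE_LOG = """10.0.0.5 outlook.live.com126986547271.info
10.0.0.7 litebit.eu16987457471.info
10.0.0.9 www.kraken.com
10.0.0.11 signin.gatehub.net19878578741.info
10.0.0.12 com1987654871.info
10.0.0.13 mail.example.com""".splitlines()

if __name__ == "__main__":
    for v in scan_dns_log(SAMPLE_LOG):
        print(f"{v.host}: registered={v.registered_domain} impersonates={v.impersonated}")
```

A bare registered domain such as com1987654871.info is still flagged as suspicious even though no brand is recovered, which is useful for catching domains parked before a subdomain is pointed at them.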
A quick WHOIS search confirms that the campaign started around mid-May
The phishers did not bother much with creating a custom website: they simply downloaded the complete website as HTML, added some .php pages to send the stolen credentials, and uploaded it to the freshly registered domains.
During the analysis we hit the jackpot, discovering the config panel used by the phishers to set the email to receive the credentials, and also the URLs where the victim will be redirected to verify the email (fake Outlook for example). The panel is protected by a password but we were able to bypass it. Here we can see the different configurations for each exchange and mail server.
LiteBit configurations
The Hotmail configuration sets whether 2FA is enabled or not
Kraken configurations
BitVavo configurations
GateHub config
The email addresses used to forward the credentials are:
davitvince@outlook.com
kraken.babushi@outlook.com
robertbogen@outlook.com
The phishing websites have been taken down.
Crypto exchanges are definitely very valuable targets for phishers, who are constantly trying to find different ways of bypassing security measures in place such as Multi Factor Authentication (MFA). Continuous awareness, detection, and response can reduce the impact of phishing attacks. Check how DCODX can help you detect stolen credentials and make phishing websites disappear in seconds using , putting you in control of the phishing website and keeping you one step ahead of the phishers.