"Being broke is no joke!"

Mapping and exploiting phishing campaigns targeting Crypto Exchanges

Crypto exchanges are definitely one of the favorite targets when it comes to phishing. Today we detected an interesting phishing campaign targeting mainly Dutch cryptocurrency exchanges and a number of email providers. The list below reflects our latest analysis; the campaign may well target more domains that are yet to be discovered:

  • litebit.eu

  • gatehub.com

  • kraken.com

  • bitvavo.com

  • outlook.live.com

  • gmail.com

  • yahoo.com

  • proximus.be

The clone is quite simple: it does not introduce any interactive chat or mobile application to be downloaded onto the victim's device. Everything starts with a login screen.

After the credentials are stolen, the website asks for personal details.

Here is the interesting part. The phishing website asks the user to verify their email address by logging into a fake Outlook website, hosted on the same IP but under a different subdomain.

The user is then redirected back to the fake Litebit website, which asks for the Google Authenticator code.

After entering a code five times, the account is reported as verified.

We decided to visualize the perimeter of this campaign using Maltego and our custom transform, which performs reverse DNS lookups and subdomain bruteforcing, to better understand the size of the attack. The graph below is just a first snapshot of what we detected and may change with further analysis.

The linked graph shows how the phishers registered 36 domains (at the time of this first snapshot), all resolving to the same IP, and created subdomains under each of them that replicate the hostname of the target platform (crypto exchange or email provider).

A better organized view of the same graph can be found below.

The detected domains all follow the same pattern: the TLD of the impersonated site (com, eu, be or net) glued to a run of digits, registered under .info. With the brand's hostname prepended as a subdomain, a URL such as litebit[.]eu16987457471[.]info reads like litebit.eu at a glance:

  • com126986547271[.]info

  • com12789878951[.]info

  • com1298754841[.]info

  • com1359876471[.]info

  • com1365796741[.]info

  • com1365978471[.]info

  • com136598747[.]info

  • com1369875481[.]info

  • com1387458741[.]info

  • com1389754871[.]info

  • com1469874541[.]info

  • com14897589874641[.]info

  • com156987541[.]info

  • com1576988751[.]info

  • com1586975461[.]info

  • com167458712541[.]info

  • com168469874254[.]info

  • com168794671[.]info

  • com1698754671[.]info

  • com172656375375[.]info

  • com17456987451[.]info

  • com174632658837[.]info

  • com17569884541[.]info

  • com17698754151[.]info

  • com18265638385[.]info

  • com182657387385[.]info

  • com182765635656[.]info

  • com18756987491[.]info

  • com1876549871[.]info

  • com197458765871[.]info

  • com1987654871[.]info

  • eu16987457471[.]info

  • eu169875468971[.]info

  • eu169875487541[.]info

  • eu1832857583[.]info

  • be1387158741[.]info

  • net19878578741[.]info

  • mailreq[.]info

as do the subdomains created under them:

  • outlook[.]live[.]com126986547271[.]info

  • outlook[.]live[.]com12789878951[.]info

  • outlook[.]live[.]com1387458741[.]info

  • outlook[.]live[.]com1389754871[.]info

  • gmail[.]com1469874541[.]info

  • outlook[.]live[.]com14897589874641[.]info

  • yahoo[.]com1576988751[.]info

  • kraken[.]com1586975461[.]info

  • outlook[.]live[.]com167458712541[.]info

  • litebit[.]com168469874254[.]info

  • outlook[.]live[.]com172656375375[.]info

  • outlook[.]live[.]com174632658837[.]info

  • bitvavo[.]com17569884541[.]info

  • outlook[.]live[.]com18265638385[.]info

  • outlook[.]live[.]com182657387385[.]info

  • outlook[.]live[.]com182765635656[.]info

  • outlook[.]live[.]com197458765871[.]info

  • litebit[.]eu16987457471[.]info

  • litebit[.]eu169875468971[.]info

  • litebit[.]eu169875487541[.]info

  • litebit[.]eu1832857583[.]info

  • www[.]proximus[.]be1387158741[.]info

  • signin[.]gatehub[.]net19878578741[.]info

All the domains are hosted on 192[.]236[.]177[.]125.
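As an added example (not code from the original post, nor DCODX's Maltego transform), the following Python script encodes the naming pattern described above and the two steps of the mapping, reverse mapping of a hostname to the impersonated brand and target-derived subdomain bruteforcing. The regular expression, the prefix list and the injectable resolver are assumptions made for this illustration; the sample indicators are copied from the lists above.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Services impersonated by the campaign, as listed in the post.
TARGETS = [
    "litebit.eu", "gatehub.com", "kraken.com", "bitvavo.com",
    "outlook.live.com", "gmail.com", "yahoo.com", "proximus.be",
]

# Assumed encoding of the naming pattern seen in the campaign: the impersonated
# site's TLD glued to a run of digits, registered under .info, with the brand's
# labels in front so that "litebit.eu16987457471.info" reads like litebit.eu.
LOOKALIKE = re.compile(
    r"^(?:(?P<labels>[a-z0-9-]+(?:\.[a-z0-9-]+)*)\.)?"
    r"(?P<tld>com|eu|be|net)(?P<digits>\d{6,})\.info$"
)

# Second-level label -> canonical target ("live" covers outlook.live.com).
BRANDS = {t.split(".")[-2]: t for t in TARGETS}

# Subdomain prefixes observed in the campaign (www., signin.); extend as needed.
PREFIXES = ["", "www.", "signin."]


@dataclass
class Lookalike:
    hostname: str
    registered_domain: str        # e.g. com1586975461.info
    apparent_host: Optional[str]  # e.g. kraken.com; None for the bare domain
    target: Optional[str]         # TARGETS entry being impersonated, if recognised


def refang(indicator: str) -> str:
    """Turn a published indicator such as kraken[.]com1586975461[.]info back into a hostname."""
    return indicator.replace("[.]", ".").replace(" ", "").lower()


def classify(hostname: str) -> Optional[Lookalike]:
    """Reverse mapping: which campaign domain and which brand does this hostname belong to?"""
    host = refang(hostname)
    m = LOOKALIKE.match(host)
    if not m:
        return None
    registered = f"{m['tld']}{m['digits']}.info"
    apparent = f"{m['labels']}.{m['tld']}" if m["labels"] else None
    target = BRANDS.get(apparent.split(".")[-2]) if apparent else None
    return Lookalike(host, registered, apparent, target)


def bruteforce_candidates(registered_domain: str) -> List[str]:
    """Hostnames worth probing under a bare campaign domain.

    The phishers keep the brand labels and swap the real TLD for the digit
    domain (litebit.eu -> litebit.com168469874254.info), so the wordlist is
    derived from TARGETS instead of a generic subdomain list.
    """
    m = LOOKALIKE.match(refang(registered_domain))
    if not m or m["labels"]:
        raise ValueError(f"not a bare campaign domain: {registered_domain}")
    candidates = []
    for target in TARGETS:
        brand_labels = ".".join(target.split(".")[:-1])  # litebit, outlook.live, ...
        for prefix in PREFIXES:
            candidates.append(f"{prefix}{brand_labels}.{m['tld']}{m['digits']}.info")
    return candidates


def probe(hostnames: Iterable[str],
          resolve: Optional[Callable[[str], Optional[str]]] = None) -> Dict[str, str]:
    """Resolve each candidate and return {hostname: ip} for the ones that exist.

    The resolver is injectable so the logic can be exercised offline; the
    default performs a real DNS lookup.
    """
    if resolve is None:
        def resolve(h: str) -> Optional[str]:
            try:
                return socket.gethostbyname(h)
            except socket.gaierror:
                return None
    found: Dict[str, str] = {}
    for h in hostnames:
        ip = resolve(h)
        if ip:
            found[h] = ip
    return found


# Constructed sample: a handful of the indicators published in the post.
OBSERVED = [
    "outlook[.]live[.]com126986547271[.]info",
    "gmail[.]com1469874541[.]info",
    "kraken[.]com1586975461[.]info",
    "litebit[.]com168469874254[.]info",
    "litebit[.]eu16987457471[.]info",
    "www[.]proximus[.]be1387158741[.]info",
    "signin[.]gatehub[.]net19878578741[.]info",
    "mailreq[.]info",
]

if __name__ == "__main__":
    for ioc in OBSERVED:
        print(classify(ioc) or f"{ioc}: does not match the pattern")
    # This performs live DNS lookups; inject a fake resolver for offline runs.
    print(probe(bruteforce_candidates("com1586975461.info")))
```

Note that mailreq[.]info does not match the pattern and is reported as such: the pattern is a campaign fingerprint, not a substitute for pivoting on the shared IP, which is how that last domain was tied to the rest.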

A quick WHOIS lookup confirms that the campaign started around mid-May 2020: the domain below was created on 2020-05-13 (the record was pulled on 2020-06-27).

Domain Name: EU169875487541.INFO
Registry Domain ID: D503300001185396436-LRMS
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2020-05-13T11:33:58Z
Creation Date: 2020-05-13T11:00:12Z
Registry Expiry Date: 2021-05-13T11:00:12Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: removed email address
Registrar Abuse Contact Phone: removed phone number
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
Name Server: AMSBS14.HOSTWINDSDNS.COM
Name Server: AMSBS13.HOSTWINDSDNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form is https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-06-27T09:36:59Z <<<
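To turn the WHOIS lookup into a repeatable check, here is an added Python example (not part of the original post) that parses a record like the one above and flags the registration traits typical of throwaway phishing domains: young age, a one-year registration and a privacy-protected registrant. The record embedded below is a constructed copy of the relevant lines from the record above, and the 60-day age threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed copy of the relevant lines from the WHOIS record quoted in the post.
WHOIS_RECORD = """\
Domain Name: EU169875487541.INFO
Registrar WHOIS Server: whois.namesilo.com
Updated Date: 2020-05-13T11:33:58Z
Creation Date: 2020-05-13T11:00:12Z
Registry Expiry Date: 2021-05-13T11:00:12Z
Registrar: Namesilo, LLC
Reseller:
Registrant Organization: See PrivacyGuardian.org
Registrant Country: US
Name Server: AMSBS14.HOSTWINDSDNS.COM
Name Server: AMSBS13.HOSTWINDSDNS.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2020-06-27T09:36:59Z <<<
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into lists (keys such as Name Server repeat)."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip().strip("<>").strip()  # unwrap the '>>> ... <<<' footer
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue                             # skip blank values such as 'Reseller:'
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_ts(value: str) -> datetime:
    """WHOIS timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(text: str, as_of: Optional[datetime] = None, max_age_days: int = 60) -> dict:
    """Summarise a WHOIS record and flag traits typical of throwaway phishing domains.

    as_of defaults to the record's own 'Last update' timestamp so the result is
    reproducible; pass datetime.now(timezone.utc) for a live check.
    max_age_days (60 here) is an assumed threshold, not a value from the post.
    """
    f = parse_whois(text)
    created = parse_ts(f["Creation Date"][0])
    expiry = parse_ts(f["Registry Expiry Date"][0])
    if as_of is None:
        as_of = parse_ts(f["Last update of WHOIS database"][0])
    age = as_of - created
    flags = []
    if age < timedelta(days=max_age_days):
        flags.append("newly registered")
    if expiry - created <= timedelta(days=366):
        flags.append("one-year registration")
    if any("privacy" in v.lower() for v in f.get("Registrant Organization", [])):
        flags.append("privacy-protected registrant")
    return {
        "domain": f["Domain Name"][0].lower(),
        "registrar": f["Registrar"][0],
        "created": created.date().isoformat(),
        "age_days": age.days,
        "name_servers": f.get("Name Server", []),
        "flags": flags,
    }


if __name__ == "__main__":
    print(assess(WHOIS_RECORD))
```

None of these traits is conclusive on its own (plenty of legitimate domains are young and privacy-protected), which is why the check is combined with the hosting and naming pivots above rather than used as a blocklist criterion by itself.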

The phishers did not bother much with creating a custom website: they downloaded the complete legitimate website as HTML, added a few .php pages to send off the stolen credentials, and uploaded the result to the freshly registered domains.

During the analysis we hit the jackpot, discovering the config panel used by the phishers to set the email address that receives the credentials, as well as the URLs to which the victim is redirected to verify the email (the fake Outlook, for example). The panel is password protected, but we were able to bypass it. Here we can see the different configurations for each exchange and mail provider.

LiteBit configurations

The Hotmail configuration lets the operator set whether the 2FA step is enabled or not

Kraken configurations

BitVavo configurations

GateHub config

The email addresses to which the stolen credentials are forwarded are:

  • davitvince@outlook.com

  • kraken.babushi@outlook.com

  • robertbogen@outlook.com

The phishing websites have been taken down.

Conclusions

Crypto exchanges are definitely very valuable targets for phishers, who are constantly trying to find new ways of bypassing security measures such as Multi Factor Authentication (MFA): here the kit simply asks the victim for the one-time code, repeatedly. Continuous awareness, detection, and response can reduce the impact of phishing attacks. Check how DCODX can help you detect stolen credentials and make phishing websites disappear in seconds using Phinix, putting you in control of the phishing website and one step ahead of the phishers.
