"Being broke is no joke!"
Mapping and exploiting phishing campaigns targeting Crypto Exchanges
Crypto Exchanges are definitely one of the favorite targets when it comes to phishing. Today we detected an interesting phishing campaign targeting mainly Dutch cryptocurrency exchanges and email providers. The list below is updated based on the latest analysis but could contain more targeted domains, yet to be discovered:
- litebit.eu
- gatehub.com
- kraken.com
- bitvavo.com
- outlook.live.com
- gmail.com
- yahoo.com
- proximus.be
The clone looks quite simple and does not introduce any interactive chat or mobile application to be downloaded on the device of the victim. Everything starts with a login screen
After the credentials are stolen the website asks for the personal details
Here the interesting thing. The phishing website asks the user to verify the email address, by accessing the email on a fake Outlook website hosted on the same IP but different subdomain
The user is then redirected to the fake Litebit website to steal the Google Authenticator access code
And after 5 times of inserting our code, we get our account verified
We decided to visualize the perimeter of this campaign using Maltego and our custom transformation to perform reverse DNS lookup and subdomain bruteforcing, to better understand the size of the attack. The graph below is just a first snapshot of what we detected and can change with further analysis.
The linked graph shows how the phishers registered 36 domains on the same IP using different subdomains replicating the name of the target platform (Crypto exchange or email provider)
A better organized view of the same graph can be found below
The registered detected domains follow all the same pattern
- com126986547271 [.]info
- com12789878951 [.]info
- com1298754841 [.]info
- com1359876471 [.]info
- com1365796741 [.]info
- com1365978471 [.]info
- com136598747 [.]info
- com1369875481 [.]info
- com1387458741 [.]info
- com1389754871 [.]info
- com1469874541 [.]info
- com14897589874641 [.]info
- com156987541 [.]info
- com1576988751 [.]info
- com1586975461 [.]info
- com167458712541 [.]info
- com168469874254 [.]info
- com168794671 [.]info
- com1698754671 [.]info
- com172656375375 [.]info
- com17456987451 [.]info
- com174632658837 [.]info
- com17569884541 [.]info
- com17698754151 [.]info
- com18265638385 [.]info
- com182657387385 [.]info
- com182765635656 [.]info
- com18756987491 [.]info
- com1876549871 [.]info
- com197458765871 [.]info
- com1987654871 [.]info
- eu16987457471 [.]info
- eu169875468971 [.]info
- eu169875487541 [.]info
- eu1832857583 [.]info
- be1387158741[.]info
- net19878578741[.]info
- mailreq [.]info
as well as the registered subdomains
- outlook[.]live[.]com126986547271[.]info
- outlook[.]live[.]com12789878951[.]info
- outlook[.]live[.]com1387458741[.]info
- outlook[.]live[.]com1389754871[.]info
- gmail[.]com1469874541[.]info
- outlook[.]live[.]com14897589874641[.]info
- yahoo[.]com1576988751[.]info
- kraken[.]com1586975461[.]info
- outlook[.]live[.]com167458712541[.]info
- litebit[.]com168469874254[.]info
- outlook[.]live[.]com172656375375[.]info
- outlook[.]live[.]com174632658837[.]info
- bitvavo[.]com17569884541[.]info
- outlook[.]live[.]com18265638385[.]info
- outlook[.]live[.]com182657387385[.]info
- outlook[.]live[.]com182765635656[.]info
- outlook[.]live[.]com197458765871[.]info
- litebit[.]eu16987457471[.]info
- litebit[.]eu169875468971[.]info
- litebit[.]eu169875487541[.]info
- litebit[.]eu1832857583[.]info
- www[.]proximus[.]be1387158741[.]info
- signin[.]gatehub.net19878578741[.]info
All the domains are hosted on 192[.]236[.]177[.]125
A quick WHOIS search confirms that the campaign started around mid-May
Domain Name: EU169875487541.INFO
Registry Domain ID: D503300001185396436-LRMS
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2020-05-13T11:33:58Z
Creation Date: 2020-05-13T11:00:12Z
Registry Expiry Date: 2021-05-13T11:00:12Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: removed email address
Registrar Abuse Contact Phone: removed phone number
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
Name Server: AMSBS14.HOSTWINDSDNS.COM
Name Server: AMSBS13.HOSTWINDSDNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form is https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-06-27T09:36:59Z <<<
The phishers did not bother much on creating a custom website, but only downloaded the complete website as HTML, added some
.php pages to send the stolen credentials and uploaded it on the fresh websites.During the analysis we hit the jackpot, discovering the config panel used by the phishers to set the email to receive the credentials, and also the URLs where the victim will be redirected to verify the email (fake Outlook for example). The panel is protected by a password but we were able to bypass it. Here we can see the different configurations for each exchange and mail server.
LiteBit configurations
On the Hotmail configuration set the 2FA to be enabled or not
Kraken configurations
BitVavo configurations
GateHub config
The email used to forward the credentials are:
The phishing websites have been taken down
Crypto exchanges are definitely very valuable targets for phishers that are constantly trying to find different ways of bypassing security measures in place such as Multi Factor Authentication (MFA). Continuous awareness, detection, and response can improve the impact of phishing attacks. Check how DCODX can help you detect stolen credentials and make phishing websites disappear in seconds using Phinix, putting you in control of the phishing website and being one step ahead of the phishers.