"Being broke is no joke!"
Mapping and exploiting phishing campaigns targeting Crypto Exchanges
Crypto Exchanges are definitely one of the favorite targets when it comes to phishing. Today we detected an interesting phishing campaign targeting mainly Dutch cryptocurrency exchanges and email providers. The list below reflects the latest analysis, but more targeted domains may still be discovered:
litebit.eu
gatehub.com
kraken.com
bitvavo.com
outlook.live.com
gmail.com
yahoo.com
proximus.be
The clone looks quite simple and does not introduce any interactive chat or mobile application to be downloaded on the victim's device. Everything starts with a login screen.

After the credentials are stolen, the website asks for the victim's personal details.

Here is the interesting part. The phishing website asks the user to verify the email address by logging in to the mailbox on a fake Outlook website hosted on the same IP, but on a different subdomain.

The user is then redirected to the fake Litebit website, which steals the Google Authenticator access code.

And after inserting our code 5 times, we get our account verified.

We decided to visualize the perimeter of this campaign using Maltego and our custom transform, which performs reverse DNS lookups and subdomain bruteforcing, to better understand the size of the attack. The graph below is only a first snapshot of what we detected and may change with further analysis.

The linked graph shows how the phishers registered 36 domains on the same IP, using different subdomains that replicate the name of the target platform (crypto exchange or email provider).
A better organized view of the same graph can be found below.

The detected registered domains all follow the same pattern: a prefix that mimics a TLD (com, eu, be, net) fused with a long number, registered under .info.
The registered subdomains follow the same approach: the hostname of the target (for example outlook.live.com or litebit.eu) is placed as the subdomain prefix of one of these numeric .info domains, so the address looks legitimate at a glance.
All the domains are hosted on 192[.]236[.]177[.]125.
A quick WHOIS search confirms that the campaign started around mid-May:
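As an added example (not part of the original post or of any DCODX tooling), the following Python script shows how a defender could screen observed hostnames, for instance from DNS or proxy logs, for the two tell-tale traits of this campaign: a registered domain of the form fake-TLD plus number under .info, and a protected brand name used as a subdomain label under a domain the brand does not own. The brand watchlist and the two-label approximation of the registered domain are assumptions.

```python
import re

# Brand keywords the campaign placed in subdomain labels, mapped to the registered
# domains those brands legitimately use (assumed watchlist; extend for your own).
PROTECTED_BRANDS = {
    "litebit": {"litebit.eu"}, "gatehub": {"gatehub.com"}, "kraken": {"kraken.com"},
    "bitvavo": {"bitvavo.com"}, "outlook": {"outlook.com", "live.com"},
    "gmail": {"gmail.com", "google.com"}, "yahoo": {"yahoo.com"}, "proximus": {"proximus.be"},
}

# Registered-domain shape seen in this campaign: a fake TLD fused with a long
# number under .info, e.g. com126986547271.info or be1387158741.info.
CAMPAIGN_DOMAIN_RE = re.compile(r"^(?:com|eu|be|net)\d{6,}\.info$")


def refang(host):
    """Normalise a defanged hostname such as outlook[.]live[.]com1[.]info."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def registered_domain(host):
    """Approximate eTLD+1 as the last two labels (ignores co.uk-style suffixes)."""
    return ".".join(host.split(".")[-2:])


def analyze(raw_host):
    """Return (host, registered domain, reasons) for one observed hostname."""
    host = refang(raw_host)
    reg = registered_domain(host)
    reasons = []
    if CAMPAIGN_DOMAIN_RE.match(reg):
        reasons.append("registered domain matches campaign pattern")
    # Labels left of the registered domain, e.g. outlook.live.com1...info -> outlook, live
    for label in host.split(".")[:-2]:
        if label in PROTECTED_BRANDS and reg not in PROTECTED_BRANDS[label]:
            reasons.append(f"brand label '{label}' under foreign domain {reg}")
    return host, reg, reasons


def triage(hosts):
    """Keep only hostnames that raised at least one reason."""
    return [r for r in map(analyze, hosts) if r[2]]


# Constructed sample: two lookalikes quoted in the post plus legitimate hosts.
SAMPLE_HOSTS = [
    "outlook[.]live[.]com126986547271[.]info", "signin[.]gatehub.net19878578741[.]info",
    "outlook.live.com", "mail.google.com", "kraken.com",
]
```

Running `triage(SAMPLE_HOSTS)` flags only the two lookalikes, each with both reasons; the legitimate hosts raise nothing because their registered domain is in the brand's own set.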
Domain Name: EU169875487541.INFO
Registry Domain ID: D503300001185396436-LRMS
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2020-05-13T11:33:58Z
Creation Date: 2020-05-13T11:00:12Z
Registry Expiry Date: 2021-05-13T11:00:12Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: removed email address
Registrar Abuse Contact Phone: removed phone number
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
Name Server: AMSBS14.HOSTWINDSDNS.COM
Name Server: AMSBS13.HOSTWINDSDNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form is https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-06-27T09:36:59Z <<<
The phishers did not bother much with creating a custom website: they downloaded the complete legitimate website as HTML, added some .php pages to send off the stolen credentials, and uploaded the result to the freshly registered domains.
During the analysis we hit the jackpot: we discovered the config panel the phishers use to set the email address that receives the credentials, as well as the URLs the victim is redirected to for the email verification step (the fake Outlook, for example). The panel is protected by a password, but we were able to bypass it. Below we can see the different configurations for each exchange and mail provider.
LiteBit configurations

The Hotmail configuration sets whether the 2FA step is enabled or not.

Kraken configurations

BitVavo configurations

GateHub config

The email addresses used to forward the credentials are:
The phishing websites have been taken down.
Conclusions
Crypto exchanges are definitely very valuable targets for phishers, who constantly try to find new ways of bypassing security measures such as Multi Factor Authentication (MFA). Continuous awareness, detection, and response can reduce the impact of phishing attacks. Check how DCODX can help you detect stolen credentials and make phishing websites disappear in seconds using Phinix, putting you in control of the phishing website and one step ahead of the phishers.