
Phishing Enumeration | Understanding a Crypto Phishing Attack

14 September 2018


This is a brief exploration of an attack that surfaced one night and was reported on Twitter against a user of the cryptocurrency exchange Luno. We used information obtained through the phishing kit to discover several other attacks against the exchange. Disclaimer: we currently have no affiliation with Luno.

Phishing Detection

In the best case, you hope to find phishing attacks against your user base before they even launch. If you don’t manage to, your users become your first line of defense and, if they are well educated on phishing, will hopefully report the attack to you. In this case, a technologically savvy Twitter user reported the attack:

SMS based Phishing

In this case, it came through an SMS-based phishing attack. Attackers often obtain potential victims’ details by scraping numbers from crypto-related forums or by compromising a vendor in the supply chain, for example a marketing company that holds users’ email addresses and mobile numbers in order to send out marketing campaigns. Such vendors are therefore a prime target for attackers.

The Attack

After following the link sent in the SMS, it takes the user to this page:

A fairly standard clone of the Luno.com website

**Note the URL!** Nothing fancy here — a standard clone of the Luno sign-in page. Normally, attackers use off-the-shelf tools such as HTTrack to create these and then do some backend work to collect the submitted email addresses and passwords for later use.

Submitting credentials sends these to the server backend

After submitting credentials to the phishing website, the victim is redirected to the **legitimate** Luno website. This is a common tactic used by scammers to ensure that users don’t realise that they’ve been phished.

The final part of the workflow, a redirect to the legitimate site.

Users tend to assume that they entered their password incorrectly or that there was some kind of bug in the sign-in process. The user tries to log in again after being redirected to the legitimate site and voilà! It works. They think nothing is wrong and continue as normal.
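The redirect to the legitimate site gives the site owner one detection opportunity: the victim’s browser usually carries the phishing page as the Referer on that first request to the real login page. The following is an added example (not PhishFort’s or Luno’s code) that scans access-log lines in the common "combined" format for landings on a login path whose referrer is a foreign host. The hostnames, IP addresses and log lines are constructed for the example; the login paths and own-host set are assumptions you would adjust to your site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the Apache/Nginx "combined" log format.
# Hosts under .example are reserved names used only for this illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2018:21:03:11 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.luno.com/wallet" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2018:21:04:02 +0000] "GET /login HTTP/1.1" 200 5120 "http://luno-login.example/signin.php" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2018:21:04:30 +0000] "POST /login HTTP/1.1" 302 0 "https://www.luno.com/login" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2018:21:05:17 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [14/Sep/2018:21:06:40 +0000] "GET /login HTTP/1.1" 200 5120 "https://luno-secure.example/" "Mozilla/5.0"
"""

# One regex for the combined format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed values: the paths a phishing redirect would land on, and the hosts that
# legitimately link to them.
LOGIN_PATHS = {"/login", "/signin"}
OWN_HOSTS = {"luno.com", "www.luno.com"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of a Referer value; None when the header was absent ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def suspicious_referers(log_text, own_hosts=OWN_HOSTS, login_paths=LOGIN_PATHS):
    """Return {foreign_host: hit_count} for requests to a login path that were
    referred from a host we do not own. Direct hits (no Referer) are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] not in login_paths:
            continue
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts:
            continue
        hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in suspicious_referers(SAMPLE_LOG).items():
        print(f"{host}: {n} login landing(s) referred from a foreign host")
```

Each new host surfacing in this report is a candidate for the fingerprinting and blacklisting steps described further down. The signal is only as good as the Referer header: a kit that sets a `no-referrer` policy, or a victim whose browser strips referrers, will not show up here, so treat it as one feed among several rather than a complete picture.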

Fingerprinting and Expansion

At PhishFort we’ve got a number of internal systems and processes that allow us to fingerprint and identify other websites that are hosting the same phishing kit. This is where it got interesting. We found a couple of LIVE phishing sites that had not been seen before or blacklisted:

Luno.su

Note the URL above! Luno[.]su was live and ready to be used in the next campaign!

Next, another phishing website that was still under construction — AWESOME! We caught it early:

In addition, we discovered a number of websites in varying states: operational, down, or already confirmed as phishing sites.

https://luno-co[.]xyz

https://lunobtc[.]trade

https://lunobtc[.]trade/

https://luno-upgrade[.]com

https://luno-official[.]com/

https://luno-upg[.]com

https://luno-web[.]com

https://luno-official[.]com
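The expansion step above relies on the fact that a phishing kit keeps its page structure, form field names and asset file names when it is redeployed on a new domain. The following is an added example (not PhishFort’s own tooling) of one simple fingerprint built from those features with only the standard library. The HTML pages, the `.example` hostnames and the scoring weights are constructed assumptions for the illustration; a production system would add more features (favicon hash, text shingles, screenshot similarity) on top of the same idea.

```python
import hashlib
from html.parser import HTMLParser


class KitFeatureParser(HTMLParser):
    """Collect structural features that survive a move to a new domain."""

    def __init__(self):
        super().__init__()
        self.tag_sequence = []   # order of tags, independent of text content
        self.form_actions = []   # where credentials are posted
        self.input_names = set() # form field names the kit expects
        self.resources = set()   # asset file names (domain stripped)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.tag_sequence.append(tag)
        if tag == "form":
            self.form_actions.append(attrs.get("action", ""))
        elif tag == "input" and attrs.get("name"):
            self.input_names.add(attrs["name"])
        elif tag in ("script", "link", "img"):
            src = attrs.get("src") or attrs.get("href")
            if src:
                # Keep only the file name so the hosting domain does not matter.
                self.resources.add(src.rsplit("/", 1)[-1])


def fingerprint(html):
    """Reduce a page to a small, comparable feature record."""
    p = KitFeatureParser()
    p.feed(html)
    structure = hashlib.sha256(" ".join(p.tag_sequence).encode()).hexdigest()[:16]
    return {
        "structure": structure,
        "form_actions": tuple(p.form_actions),
        "inputs": frozenset(p.input_names),
        "resources": frozenset(p.resources),
    }


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(fp1, fp2):
    """Weighted score in [0, 1]; weights are an assumption for this example."""
    score = 0.4 if fp1["structure"] == fp2["structure"] else 0.0
    score += 0.3 * jaccard(fp1["inputs"], fp2["inputs"])
    score += 0.3 * jaccard(fp1["resources"], fp2["resources"])
    return round(score, 3)


def same_kit(fp1, fp2, threshold=0.8):
    return similarity(fp1, fp2) >= threshold


# Constructed pages: a known kit, the same kit redeployed elsewhere, and an unrelated site.
KIT_PAGE = """<html><head><title>Sign in</title>
<link rel="stylesheet" href="https://luno-kit-a.example/assets/main.css">
<script src="https://luno-kit-a.example/assets/app.js"></script></head>
<body><div class="login"><form action="post.php" method="post">
<input name="email" type="text"><input name="password" type="password">
<button type="submit">Sign in</button></form></div></body></html>"""

CANDIDATE_SAME_KIT = KIT_PAGE.replace("luno-kit-a.example", "luno-kit-b.example")

UNRELATED_PAGE = """<html><head><title>Blog</title>
<link rel="stylesheet" href="/static/blog.css"></head>
<body><h1>Hello</h1><p>text</p><form action="/search"><input name="q"></form></body></html>"""


if __name__ == "__main__":
    known = fingerprint(KIT_PAGE)
    for name, page in (("candidate", CANDIDATE_SAME_KIT), ("unrelated", UNRELATED_PAGE)):
        fp = fingerprint(page)
        print(name, similarity(known, fp), "same kit" if same_kit(known, fp) else "different")
```

Run the fingerprint once over the page captured from the reported site, then over every candidate page your crawling or certificate-transparency feeds turn up; candidates that score above the threshold are the "same kit, new domain" sites the text describes. The file-name-only resource feature is deliberate: it is what lets a kit be recognised after its assets are rehosted, but it also means two unrelated pages sharing only `jquery.min.js` pick up a little similarity, which is why structure and form fields carry most of the weight.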

Blacklisting

When we find attacks, or users report them to us, we act fast. In this case, we blacklisted all of the sites we found in MetaMask, MyEtherWallet and EtherAddressLookup, which together protect about 1.5 million end users, so we aren’t reliant on slow-moving internet giants to blacklist. We then get the site into Safe Browsing, which prevents users of Chrome, Firefox, Safari and Edge from accessing the website.
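Blocklists like the ones above are usually shared in the defanged form used throughout this post (`luno[.]su`, `hxxps://`), so a consumer has to refang them, reduce them to hostnames and then match subdomains as well as exact hosts. The following is an added example (not MetaMask’s, MyEtherWallet’s or EtherAddressLookup’s blocklist code) of that matching, plus a coarse "brand token on a non-official domain" heuristic for surfacing lookalikes that are not yet on the list. The indicator entries, the `.example` hostnames and the brand/official-domain sets are constructed assumptions for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist entries in the defanged forms seen in phishing reports.
RAW_BLOCKLIST = [
    "https://luno-co[.]example",
    "https://lunobtc[.]example/",
    "hxxps://luno-upgrade[.]example",
    "luno-official[.]example",
]

# Assumed for the example: the brand's real domains and the token a lookalike reuses.
OFFICIAL_DOMAINS = {"luno.com"}
BRAND_TOKENS = ("luno",)


def refang(indicator):
    """Turn a defanged indicator back into a real URL or hostname."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def hostname_of(indicator):
    """Lower-cased hostname of a URL or bare host; '' if none can be parsed."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")


def build_blocklist(raw_entries):
    return {hostname_of(e) for e in raw_entries if hostname_of(e)}


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def is_blocked(url, blocklist):
    """Exact host or any subdomain of a listed host is blocked."""
    return _under(hostname_of(url), blocklist)


def looks_like_brand_abuse(url, official=OFFICIAL_DOMAINS, brand=BRAND_TOKENS):
    """Heuristic: brand token in the host, but the host is not under an official domain."""
    host = hostname_of(url)
    if _under(host, official):
        return False
    return any(tok in host for tok in brand)


def classify(url, blocklist):
    """'blocked' (on the list), 'review' (lookalike, not yet listed) or 'allow'."""
    if is_blocked(url, blocklist):
        return "blocked"
    if looks_like_brand_abuse(url):
        return "review"
    return "allow"


if __name__ == "__main__":
    bl = build_blocklist(RAW_BLOCKLIST)
    for u in ("https://luno-co.example/login", "https://www.luno.com/login",
              "https://luno-web.example/signin", "https://example.org"):
        print(u, "->", classify(u, bl))
```

The `review` bucket is the interesting one operationally: it is where a new campaign domain shows up before anyone has confirmed it, and it is also where false positives live (any unrelated site whose name happens to contain the brand token), so route it to an analyst or to the fingerprint comparison rather than blocking on it directly.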

Thanks for reading!

Report Phishing on Telegram: t.me/reportphishing_bot

Twitter: @phishfort

If you need help with combating Phishing, you can find us on Twitter or https://phishfort.com.
