Binance Free Giveaway Scam Analysis

Our early warning systems recently detected a spike in Binance related attacks.Our analysts investigated the spate of attacks to better understand what was happening behind the scenes and to get an idea of the impact of the attack.

The Red Flags

Binance is one of the most popular brands in the crypto world, and has areputation for being charitable and financially rewarding their users. Thisunfortunately means that they land up getting heavily targeted by trust tradingscams. We recently found a phishing kit that was being aggressively deployed totarget Binance users. Over the course of a few weeks, we detected multipledomains that were involved in the hosting of the kit, including:

     
  • binancefund[.]net
  •  
  • binanceforce[.]com
  •  
  • binanceforce[.]net
  •  
  • promovalue[.]net
  •  
  • binancevent[.]net
  •  
  • binancebegin[.]com
  •  
  • binancegiveaway[.]top

The kit advertised a free giveaway of BTC hosted by Binance with no details onwhy the giveaway was being done. The site did a convincing job of imitating thelook and feel of the new Binance brand to coax users into thinking it was alegitimate Binance program.

The modus operandi was a typical trust trading scam, where victims areencouraged to send crypto to an attacker with the promise of receiving morecrypto back. This kit in particular purported to return 10x the amount of BTCsent to the attacker back to the victim. The attacker further incentivized thevictim to send more than 5 bitcoin by promising double the reward — almostsounds too good to be true.

An attack of this nature would typically be propagated through existing botnetworks, on Telegram, Twitter, Reddit, or other social networks popular withthe crypto community. This means that once an attacker has configured their kitand established their bot network, the cost of the attack is relatively low fromthat point on. The remaining steps include purchasing a domain name and hosting,and setting up an SSL certificate. The low cost of the attack is part of thereason this style of attack is so rampant within the crypto space.

Analysis of the Kit

The attacker included a QR code that could conveniently be scanned by victims inorder to send bitcoin payments. In this instance, the attacker used Google APIsto generate the QR code.

The phishing page also included an animation bar that indicated the amount ofbitcoin left in the giveaway, giving the user a sense of urgency. Below thestatus bar, there was a table of fake real-time transactions, giving theimpression that people who were participating in the program were actuallyreceiving their funds.

The transactions were hardcoded into the HTML of the page, so the transactionswere obviously all fake.

The kit contacted 9 IPs in 2 countries across 7 domains to perform 24 HTTPtransactions. The TLS certificates were issued by Let’s Encrypt and valid for 3months. The domains were created in July 2019 and the domain registrars includedNameCheap and nic.ru.

The kits did not use a consistent wallet, which meant that either the attackswere being conducted by different attackers or the attacker was trying to avoidanalysis or blacklisting. Given how close the attacks were conducted to eachother, the latter seems more likely. At the time of writing, the attackeraddresses had received over 0.2 BTC (~$2,000) cumulatively. The bulk of thefunds had been received by 1Bn9D8yf6YtuA94T6Rhz1KbR6Kxr5p8dMy.

As this style of attack has proven to be largely profitable for attackers, weexpect that they will continue to increase in frequency. Fighting phishing is arelentless battle, and companies need to actively defend against it in order toraise the cost of conducting attacks to deter phishers from targeting theirbrand.

IOCs

Primary BTC address

1Bn9D8yf6YtuA94T6Rhz1KbR6Kxr5p8dMy

Domains

binancefund[.]net
binanceforce[.]com
binanceforce[.]net
promovalue[.]net
binancevent[.]net
binancebegin[.]com
binancegiveaway[.]top

Contact Us

Follow us at @phishfort for more on how todefend yourself online or install our browser pluginProtect for real-time protection fromattacks.

Don't miss these stories: