Our early warning systems recently detected a spike in Binance related attacks. Our analysts investigated the spate of attacks to better understand what was happening behind the scenes and to get an idea of the impact of the attack.
Binance is one of the most popular brands in the crypto world, and has a reputation for being charitable and financially rewarding their users. This unfortunately means that they land up getting heavily targeted by trust trading scams. We recently found a phishing kit that was being aggressively deployed to target Binance users. Over the course of a few weeks, we detected multiple domains that were involved in the hosting of the kit, including:
The kit advertised a free giveaway of BTC hosted by Binance with no details on why the giveaway was being done. The site did a convincing job of imitating the look and feel of the new Binance brand to coax users into thinking it was a legitimate Binance program.
The modus operandi was a typical trust trading scam, where victims are encouraged to send crypto to an attacker with the promise of receiving more crypto back. This kit in particular purported to return 10x the amount of BTC sent to the attacker back to the victim. The attacker further incentivized the victim to send more than 5 bitcoin by promising double the reward — almost sounds too good to be true.
An attack of this nature would typically be propagated through existing bot networks, on Telegram, Twitter, Reddit, or other social networks popular with the crypto community. This means that once an attacker has configured their kit and established their bot network, the cost of the attack is relatively low from that point on. The remaining steps include purchasing a domain name and hosting, and setting up an SSL certificate. The low cost of the attack is part of the reason this style of attack is so rampant within the crypto space.
The attacker included a QR code that could conveniently be scanned by victims in order to send bitcoin payments. In this instance, the attacker used Google APIs to generate the QR code.
The phishing page also included an animation bar that indicated the amount of bitcoin left in the giveaway, giving the user a sense of urgency. Below the status bar, there was a table of fake real-time transactions, giving the impression that people who were participating in the program were actually receiving their funds.
The transactions were hardcoded into the HTML of the page, so the transactions were obviously all fake.
The kit contacted 9 IPs in 2 countries across 7 domains to perform 24 HTTP transactions. The TLS certificates were issued by Let’s Encrypt and valid for 3 months. The domains were created in July 2019 and the domain registrars included NameCheap and nic.ru.
The kits did not use a consistent wallet, which meant that either the attacks were being conducted by different attackers or the attacker was trying to avoid analysis or blacklisting. Given how close the attacks were conducted to each other, the latter seems more likely. At the time of writing, the attacker addresses had received over 0.2 BTC (~$2,000) cumulatively. The bulk of the funds had been received by 1Bn9D8yf6YtuA94T6Rhz1KbR6Kxr5p8dMy.
As this style of attack has proven to be largely profitable for attackers, we expect that they will continue to increase in frequency. Fighting phishing is a relentless battle, and companies need to actively defend against it in order to raise the cost of conducting attacks to deter phishers from targeting their brand.