This is a brief exploration of an attack that surfaced one night and was reported on Twitter against a user of the cryptocurrency exchange Luno. We used information obtained from the phishing kit to discover several other attacks against the exchange. Disclaimer: we currently have no affiliation with Luno.
In the best case, you find phishing attacks against your user base before they even launch. When you don't, your users become your first line of defence, and if they are well educated on phishing they will hopefully report it to you. In this case, a technologically savvy Twitter user reported the attack:
The attack arrived as an SMS-based phishing (smishing) message. Attackers often obtain victims' details by scraping numbers from crypto-related forums, or by compromising a vendor in the supply chain, for example a marketing company that holds users' email addresses and mobile numbers in order to send out campaigns. Such vendors are therefore a prime target for attackers.
Following the link in the SMS takes the user to this page:
**Note the URL!** Nothing fancy here: a standard clone of the Luno sign-in page. Attackers typically create these with off-the-shelf tools such as HTTrack, then add some backend code to collect the submitted email addresses and passwords for later use.
After submitting credentials to the phishing site, the victim is redirected to the **legitimate** Luno website. This is a common tactic used by scammers to ensure that users don't realise they have been phished.
Users tend to assume that they mistyped their password or that there was some kind of bug in the sign-in process. The user tries to log in again on the legitimate site and, voila, it works. They think nothing is wrong and carry on as normal.
At PhishFort we have a number of internal systems and processes that let us fingerprint a phishing kit and identify other websites hosting the same kit. This is where it got interesting. We found a couple of LIVE phishing sites that had not been seen or blacklisted before:
Note the URL above! Luno[.]su was live and ready to be used in the next campaign!
Next, another phishing website that was still under construction. AWESOME! We caught it early:
In addition, we discovered a number of websites in varying states: some operational, some down and some already confirmed as phishing.
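As an added illustration of the kind of kit fingerprinting described above (example code written for this edit, not PhishFort's internal tooling, and the three HTML pages and hostnames in it are constructed for the example rather than captures of the real sites): a cloned login page keeps the same DOM skeleton and form field names wherever it is rehosted, so hashing that skeleton with text, URLs and whitespace stripped groups copies of one kit together even when the domain, the page title and the button labels differ.

```python
"""Cluster phishing pages by the kit they were built from.

The HTML samples below are constructed for this example; they are not
captures of the pages discussed in the post.
"""
import hashlib
from collections import defaultdict
from html.parser import HTMLParser

# --- constructed samples (not real captures) -----------------------------
KIT_ON_FIRST_DOMAIN = """<html><head><title>Sign in</title>
<link rel="stylesheet" href="https://luno-signin.example/css/app.css"></head>
<body><div class="login-box"><img src="https://luno-signin.example/img/logo.png">
<form action="https://luno-signin.example/post.php" method="post">
<input type="email" name="email" id="email">
<input type="password" name="password" id="password">
<button type="submit">Sign in</button></form></div></body></html>"""

# Same kit rehosted: different domain, title, whitespace and button text.
KIT_ON_SECOND_DOMAIN = """<html><head><title>Luno - Sign in</title>
<!-- rehosted copy of the same kit -->
<link rel="stylesheet" href="https://luno.su.example/css/app.css"></head>
<body>
  <div class="login-box">
    <img src="https://luno.su.example/img/logo.png">
    <form action="https://luno.su.example/post.php" method="post">
      <input type="email" name="email" id="email">
      <input type="password" name="password" id="password">
      <button type="submit">Log in</button>
    </form>
  </div>
</body></html>"""

UNRELATED_PAGE = """<html><head><title>Sign in</title></head>
<body><form action="/session" method="post">
<label>Username <input type="text" name="username"></label>
<label>Password <input type="password" name="pass"></label>
<input type="submit" value="Go"></form></body></html>"""


class _Skeleton(HTMLParser):
    """Record tag structure, attribute names, and the values of the few
    attributes that identify form fields and layout; ignore text, comments,
    URLs and whitespace so the result is domain-independent."""
    KEEP_VALUES = {"name", "id", "class", "type", "method"}

    def __init__(self):
        super().__init__()
        self.tokens = []
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        parts = [f"{k}={v}" if k in self.KEEP_VALUES else k
                 for k, v in sorted(attrs, key=lambda kv: kv[0])]
        self.tokens.append(f"<{tag} {' '.join(parts)}>")
        if tag == "input":
            d = dict(attrs)
            self.inputs.append((d.get("type", "text"), d.get("name")))

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def _parse(html: str) -> _Skeleton:
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return parser


def kit_fingerprint(html: str) -> str:
    """Truncated SHA-256 over the domain-independent page skeleton."""
    skeleton = "\n".join(_parse(html).tokens)
    return hashlib.sha256(skeleton.encode()).hexdigest()[:16]


def form_signature(html: str) -> tuple:
    """(input type, input name) pairs in order: a coarser second signal that
    survives cosmetic re-theming of a kit."""
    return tuple(_parse(html).inputs)


def cluster_by_kit(pages: dict) -> dict:
    """Map kit fingerprint -> sorted list of hosts serving that kit."""
    groups = defaultdict(list)
    for host, html in pages.items():
        groups[kit_fingerprint(html)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


if __name__ == "__main__":
    pages = {
        "luno-signin.example": KIT_ON_FIRST_DOMAIN,
        "luno.su.example": KIT_ON_SECOND_DOMAIN,
        "other-site.example": UNRELATED_PAGE,
    }
    for fp, hosts in cluster_by_kit(pages).items():
        print(fp, hosts)
```

In practice the skeleton hash is only one of several signals: attackers who re-theme a kit change the markup but usually keep the POST handler and input names, so the form signature is worth indexing separately, and a tolerant comparison (for example a near-duplicate hash over the token stream) catches kits that have been lightly edited.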
When we find attacks, or users report them to us, we act fast. In this case we blacklisted all of the sites we found in MetaMask, MyEtherWallet and EtherAddressLookup, which together protect about 1.5 million end users, without relying on slow-moving internet giants to blacklist them. We then submit the site to Google Safe Browsing, which prevents users of Chrome, Firefox, Safari and Edge from accessing the website.
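To show what a wallet- or extension-side blocklist check of the kind just described actually does, here is a simplified, self-contained version written for this edit (it is not the MetaMask, MyEtherWallet or EtherAddressLookup code, and the policy lists, tolerance value and hostnames other than luno.com and luno.su are constructed for the example). Beyond exact blacklist and whitelist matching on the hostname and its parents, it folds common digit-for-letter substitutions and compares the remaining labels against protected brand names, so that a lookalike such as luno[.]su is flagged even before it has been explicitly listed.

```python
"""Client-side phishing blocklist check with lookalike detection.

Policy values are constructed for this example; only luno.com is the
exchange's real site.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    whitelist: list      # hosts (and their subdomains) that are always allowed
    blacklist: list      # hosts (and their subdomains) that are always blocked
    brands: list         # brand labels to look for in unknown hosts
    tolerance: int = 1   # max edit distance for a fuzzy brand match


POLICY = Policy(
    whitelist=["luno.com"],
    blacklist=["luno-signin.example"],   # constructed entry
    brands=["luno"],
)

# Digits attackers commonly swap for letters (simple homoglyph folding).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _matches_list(host: str, entries) -> bool:
    """True if host equals an entry or is a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in entries)


def classify(host: str, policy: Policy = POLICY) -> str:
    """Return 'allowed', 'blocked', 'lookalike' or 'unknown' for a hostname.

    Order matters: the whitelist wins over everything so the real site is
    never flagged, the blacklist is an exact decision, and only hosts in
    neither list go through the fuzzy brand comparison."""
    host = host.lower().strip().rstrip(".")
    if _matches_list(host, policy.whitelist):
        return "allowed"
    if _matches_list(host, policy.blacklist):
        return "blocked"
    # Compare every hyphen-separated piece of the non-TLD labels against the
    # protected brands after folding digit-for-letter substitutions. Very
    # short pieces are skipped: they are within tolerance of almost anything.
    labels = host.split(".")[:-1] or [host]
    for label in labels:
        for piece in label.translate(_HOMOGLYPHS).split("-"):
            if len(piece) < 3:
                continue
            for brand in policy.brands:
                if levenshtein(piece, brand) <= policy.tolerance:
                    return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for h in ["luno.com", "www.luno.com", "luno-signin.example", "luno.su",
              "lun0-login.example", "login.luno.com.evil.example", "github.com"]:
        print(f"{h:32} {classify(h)}")
```

The whitelist check comes first for a reason: a fuzzy rule that matches "luno" would otherwise flag luno.com itself, which is exactly why real blocklist configs pair a blacklist with an explicit allow list for the brands they protect. A "lookalike" verdict is a signal for review or a warning interstitial, not proof of phishing, since legitimate third-party sites can also carry a brand name in a label.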
Thanks for reading!
Report Phishing on Telegram: t.me/reportphishing_bot
If you need help with combating Phishing, you can find us on Twitter or