Phishing Enumeration | Understanding a Crypto Phishing Attack
This is a brief exploration of an attack that surfaced one night and was reported on Twitter against a user of the cryptocurrency exchange Luno. We used information we obtained through the phishing kit to discover several other attacks against the exchange. Disclaimer: we currently have no affiliation with Luno.
In the best case, you hope that you’ll find phishing attacks against your user base before they even launch. If you don’t manage to, your users become your first line of defense, and if they’re well educated on phishing they will hopefully report it to you. In this case, a technologically savvy Twitter user reported the attack:
SMS based Phishing
In this case, it came through an SMS based phishing attack. Attackers often obtain potential victims’ details by scraping numbers from crypto related forums or by compromising a vendor in the supply chain, for example a marketing company that holds the email addresses and mobile numbers of users in order to send out marketing campaigns. Such vendors are therefore a prime target for attackers.
After following the link sent in the SMS, it takes the user to this page:
A fairly standard clone of the Luno.com website
**Note the URL!** Nothing fancy here: a standard clone of the Luno sign in page. Normally, attackers use off the shelf tools such as HTTrack to create these and then do some backend work to collect email addresses and passwords to use later.
Submitting credentials sends these to the server backend
After submitting credentials to the phishing website, the victim is redirected to the **legitimate** Luno website. This is a common tactic used by scammers to ensure that users don’t realise that they’ve been phished.
The final part of the workflow, a redirect to the legitimate site.
Users tend to assume that they incorrectly entered their password or that there was some kind of bug with the sign in process. The user tries to log in again after being redirected to the legitimate site and voila! It works. They think nothing is wrong and continue as normal.
Fingerprinting and Expansion
At PhishFort we’ve got a number of internal systems and processes that allow us to fingerprint and identify other websites that are hosting the same phishing kit. This is where it got interesting. We found a couple of LIVE phishing sites that hadn’t been seen before or blacklisted:
Note the URL above! Luno[.]su was live and ready to be used in the next campaign!
Next, another phishing website that was still under construction. AWESOME! We caught it early:
In addition, we discovered a number of websites that were in varying states: operational, down or already confirmed phishes.
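As an added illustration of the kind of fingerprint that ties HTTrack clones of a sign in page together (example code written for this post, not PhishFort’s internal tooling): HTTrack leaves a `Mirrored from <origin> by HTTrack` comment at the top of every page it copies, so a page that carries that marker for the legitimate host, is served from a different host, and posts a password form to that other host matches the pattern described above. The sample HTML, the `clone.example` host and the `LEGIT_HOSTS` set are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTTrack writes "<!-- Mirrored from <site/path> by HTTrack Website Copier ... -->"
# into each page it mirrors; the origin it names is the site that was cloned.
HTTRACK_RE = re.compile(r"Mirrored from\s+(\S+)\s+by HTTrack", re.IGNORECASE)

# Hosts that may legitimately serve or receive the sign in form (constructed).
LEGIT_HOSTS = {"luno.com", "www.luno.com"}

class _PageScan(HTMLParser):
    """Collect the HTTrack origin (if any) and every form that has a password field."""
    def __init__(self):
        super().__init__()
        self.mirror_origin = None
        self.forms = []  # one dict per <form>: {"action": str, "password": bool}

    def handle_comment(self, data):
        m = HTTRACK_RE.search(data)
        if m:
            self.mirror_origin = m.group(1).split("/")[0].lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "password": False})
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True

def fingerprint(html, page_url, legit_hosts=LEGIT_HOSTS):
    """Return indicator strings; an empty list means nothing suspicious was found."""
    scan = _PageScan()
    scan.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    indicators = []
    # Indicator 1: an HTTrack mirror of the real site, served from another host.
    if scan.mirror_origin in legit_hosts and page_host not in legit_hosts:
        indicators.append("httrack_mirror_of_" + scan.mirror_origin)
    # Indicator 2: a password form whose action resolves to a non-legitimate host.
    for f in scan.forms:
        if not f["password"]:
            continue
        action_host = (urlparse(f["action"]).hostname or page_host).lower()
        if action_host not in legit_hosts:
            indicators.append("password_form_posts_to_" + action_host)
    return indicators

# Constructed sample of a cloned sign in page; a relative action posts back to the clone.
SAMPLE_CLONE = """<!DOCTYPE html>
<!-- Mirrored from www.luno.com/en/signin by HTTrack Website Copier/3.x -->
<html><head><title>Sign in - Luno</title></head>
<body><form method="post" action="login.php">
<input name="email"><input type="password" name="password"></form></body></html>"""
```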
When we find attacks or users report them to us, we act fast. In this case, we blacklisted all of the sites that we found against MetaMask, MyEtherWallet and EtherAddressLookup, which in total protects about 1.5 million end users and means we aren’t reliant on slow moving internet giants to blacklist. Then, we get the site into Safe Browsing, which prevents users of Chrome, Firefox, Safari and Edge from accessing the website.
Thanks for reading!