Our early warning systems recently detected a spike in Binance related attacks.Our analysts investigated the spate of attacks to better understand what was happening behind the scenes and to get an idea of the impact of the attack.

The Red Flags

Binance is one of the most popular brands in the crypto world, and has are putation for being charitable and financially rewarding their users. This unfortunately means that they land up getting heavily targeted by trust trading scams. We recently found a phishing kit that was being aggressively deployed to target Binance users. Over the course of a few weeks, we detected multiple domains that were involved in the hosting of the kit, including:

• binancefund[.]net
• binanceforce[.]com
• binanceforce[.]net
• promovalue[.]net
• binancevent[.]net
• binancebegin[.]com
• binancegiveaway[.]top

The kit advertised a free giveaway of BTC hosted by Binance with no details on why the giveaway was being done. The site did a convincing job of imitating the look and feel of the new Binance brand to coax users into thinking it was a legitimate Binance program.

The modus operandi was a typical trust trading scam, where victims are encouraged to send crypto to an attacker with the promise of receiving more crypto back. This kit in particular purported to return 10x the amount of BTC sent to the attacker back to the victim. The attacker further incentivized the victim to send more than 5 bitcoin by promising double the reward — almost sounds too good to be true.

An attack of this nature would typically be propagated through existing bot networks, on Telegram, Twitter, Reddit, or other social networks popular with the crypto community. This means that once an attacker has configured their kit and established their bot network, the cost of the attack is relatively low from that point on. The remaining steps include purchasing a domain name and hosting, and setting up an SSL certificate. The low cost of the attack is part of the reason this style of attack is so rampant within the crypto space.

Analysis of the Kit

The attacker included a QR code that could conveniently be scanned by victims in order to send bitcoin payments. In this instance, the attacker used Google APIs to generate the QR code.

The phishing page also included an animation bar that indicated the amount of bitcoin left in the giveaway, giving the user a sense of urgency. Below the status bar, there was a table of fake real-time transactions, giving the impression that people who were participating in the program were actually receiving their funds.

The transactions were hardcoded into the HTML of the page, so the transactions were obviously all fake.

The kit contacted 9 IPs in 2 countries across 7 domains to perform 24 HTTP transactions. The TLS certificates were issued by Let’s Encrypt and valid for 3months. The domains were created in July 2019 and the domain registrars includedNameCheap and nic.ru.

The kits did not use a consistent wallet, which meant that either the attacks were being conducted by different attackers or the attacker was trying to avoid analysis or blacklisting. Given how close the attacks were conducted to each other, the latter seems more likely. At the time of writing, the attacker addresses had received over 0.2 BTC (~$2,000) cumulatively. The bulk of the funds had been received by 1Bn9D8yf6YtuA94T6Rhz1KbR6Kxr5p8dMy.

As this style of attack has proven to be largely profitable for attackers, we expect that they will continue to increase in frequency. Fighting phishing is a relentless battle, and companies need to actively defend against it in order to raise the cost of conducting attacks to deter phishers from targeting their brand.

IOCs

Primary BTC address

1Bn9D8yf6YtuA94T6Rhz1KbR6Kxr5p8dMy

Domains

binancefund[.]net

binanceforce[.]com

binanceforce[.]net

promovalue[.]net

binancevent[.]net

binancebegin[.]com

binancegiveaway[.]top

Contact Us

Follow us at @phishfort for more on how to defend yourself online or install our browser pluginProtect for real-time protection from attacks.