A Tale of Two Phishes

Research produced in conjunction with Oliver Hough.

Binance is one of the world’s largest cryptocurrency exchanges so it’s no surprise that often criminals target Binance accounts in their phishing campaigns, but not all phishing kits are created equal. In this post we will take you through two kits we have recently seen deployed in the wild.

Finally we will look into the spread of domains used in various campaigns and the networks used to host these kits.

Simple Fake Login

On shadier markets you can purchase a fake login phishing kit themed with almost any organisation including dating sites, banks, email providers and currency exchanges all for a few dollars. These kits are usually written in PHP and often come with the following:

• Cloned login page of the kits theme organisation.
• Configuration file to define where to send the stolen credentials and any other options.
• Pre-populated blacklist of known law enforcement, malware analysis labs and other ‘bad’ IP ranges.

Let’s take a look at simple Binance fake login kit and how it works.

We are presented with a Binance login box complete with a warning telling us to check that we are on the real login page (we are not), we assume this is left there as it has been a part of real login page for so long that the fake page would look suspect without it. Users are used to seeing it when they log in, and surly if this wasn’t real they wouldn’t show it, right? Wrong, here they are playing on what the user is used to seeing, it adds legitimacy.

Once we fill out our login details we are sent on quite an odd journey.

The first place we end up is at a Binance themed form asking for some more information, such as our full name, email address and phone number.

After filling this out, no matter what email we enter ¯_(ツ)_/¯ we are sent to a fake Yahoo login page asking again for our email and password. At this point we know the actor is only interested in targeting a certain subset of Binance users that also use Yahoo mail.

Once we fill out our login details again we are taken to a Yahoo 2FA page asking for our authentication token, note this is not an SMS token, this is a 2FA code from the Yahoo Authenticator app. Interestingly, our actor also doesn’t want to target users of SMS 2FA.

After filling in our token we are redirected again, this time back to the Binance themed form, requesting a Google Authenticator token.

Ok so now we know what our actors target demographic is;

• Binance user
• Yahoo Mail user
• Uses Yahoo Authenticator app
• Uses Google Authenticator / Authy

Once we enter the Google Auth token we are taken to a loading page that waits a few seconds and then takes us back to the token prompt.

The backend has forwarded the authentication details to each service and collected the authentication cookies. The actor now has everything they need to access our Binance account and deal with any pesky confirmation emails they may need to navigate while draining our hard earned currency.

Fake Login — The Next Generation

Let’s now take a look at kit we saw deployed only a few days ago. Visually it looks almost exactly the same as the previous kit but it is much more intelligent.

First we are presented with the same landing page as the previous kit and we enter our credentials. Now instead of being sent to a page asking for more information or a static email provider page, we are sent to a page advising us to wait.

Under the hood we see something very strange going on, a set of HTTP GET and POST requests continually looping.

Digging into the javascript included in the page we found that the page is waiting for a certain JSON response, then depending on the response we are redirected to the next step.

There are many different values that can be returned in the results.status variable and depending on that value, we are taken to Gmail, Yahoo, Outlook, Yandex, Mail.com or Naver themed pages. We’ll take this journey as a Gmail user with SMS 2FA enabled.

We are prompted for our Gmail credentials, once we enter our password and click next we are redirected back to the “wait” page. This is presumably to give the backend time to check if 2FA is required. This is when things get smart.

The following diagram should help visualise the entire process.

As we are obviously not entering valid credentials we had to intercept the responses and alter them to trigger the next steps. The backend will check if SMS 2FA is required, if true then it prompts us for our phone number, if not it moves on to the final stage.

Once we enter our phone number we are again taken back to the “wait” page while the backend triggers an SMS from Google. Once done we are taken to a page to capture the SMS 2FA code.

We enter the code and we are taken back to the “wait” page once again. The backend presumably now has an authentication cookie for our Google account.

Next the backend checks if our Binance account has SMS 2FA enabled, if so we are directed to another page asking for the SMS 2FA code that the backend has just triggered sending to our phone.

Once this final code has been entered we are taken back to the “wait” page. If everything has gone well we are finally redirected to the real Binance homepage.

This kit is much more advanced, supports multiple email providers and is able to trigger SMS 2FA codes than the first example. The kit can also handle security questions and authenticator app tokens for multiple email providers. There is also a “blocked” status that will simply trigger a redirect to the real Binance homepage.

While looking through other JavaScript functions that look unfinished we noticed there seems to be a JavaScript keylogger presumably to capture 2FA codes more quickly without the victim even clicking the submit button. The keylogger ignores most characters except numbers, space, backspace and tab.

Another interesting feature is this kit includes a web based administration panel at /admin disguised as a 404 not found page.

Observed Domains

We took a sample of roughly 500 phishing domains targeting Binance. The sample did not include compromised websites being leveraged to host phishing pages but rather domains registered specifically to impersonate Binance.

As expected the most spotted TLDs are .ga (140) .ml (114) .com (97) .cf (67) and .gq (51)

This fits the pattern of most campaigns as with the exception of .com the other TLDs are free to register thus are essentially disposable.

Looking at the domains that still resolved to something other than an error page we see a clear winner (AS22612 — Namecheap)

This again is quite a common sight as it has become a go to choice for phishing campaigns due to budget hosting rates and instant setup as well as built in WHOIS privacy protection. From the sample we took, no other hosting provider came close, though in the past we have seem similarly high numbers for GoDaddy, Unified Layer and Hostinger International all of which offer affordable web hosting packages.

In conclusion we see that while phishing kits are becoming more advanced and we will surely see far more advanced kits being deployed in the future, criminals still gravitate towards free domains and budget hosting, which for us makes it far easier to monitor activity and react before any real damage is done.

If you need help combating phishing at your organization, please reach out to us at hello@phishfort.com. We’d love to help!