Back

Phishing Enumeration | Understanding a Crypto Phishing Attack

Phishing Enumeration | Understanding a Crypto Phishing Attack

This is a brief exploration of an attack that surfaced one night and was reported on twitter against a user of the Cryptocurrency exchange Luno. We used information we obtained through the phishing kit to discover several other attacks against the exchange. Disclaimer: we currently have no affiliation with Luno.

Phishing Detection

In the best case, you hope that you’ll find phishing attacks against your user base before they even launch. In the event that you don’t manage to, your users become your first line of defense and if they’re well educated on phishing, will hopefully report this to you. In this case, a technologically savvy Twitter userreported the attack:

Example of SMS phishing message used to target Luno exchange users
SMS based Phishing

In this case, it came through an SMS based phishing attack. Often attackers obtain potential victims details by scrapingnumbers from crypto related forums or by compromising a vendor in the supply chain, forexample a marketing company which may require email and mobile numbers of users to send out marketing campaigns. Thus, they are a prime target for attackers.

The Attack

After following the link sent in the SMS, it takes the user to this page:

Clone of Luno sign-in page used in phishing attack to steal user credentials
A fairly standard clone of the Luno.com website

**Note the URL! **Nothing fancy here — a standard clone of the Luno sign inpage. Normally, attackers use off the shelf tools such as HTTrack to createthese and then do some backend work to collect email addresses and passwords touse later.

Fake Lunno URL in hishing website, mimicking legitimate cryptocurrency exchange for fraud
Submitting credentials sends these to the server backend

After submitting credentials to the phishing website, the victim is redirectedto the **legitimate **luno website. This is a common tactic used by scammers toensure that users don’t realise that they’ve been phished.

Phishing attack workflow redirecting victim to real Luno site after stealing credentials
The final part of the workflow, a redirect to the legitimate site.

Users tend to assume that they incorrectly entered their password or that there was a some kind of bug with the sign in process. The user tried to login again after being redirected to the legitimate site and voila! It works. They think nothing is wrong and continue as normal.

Fingerprinting and Expansion

At PhishFort we’ve got a number of internal systems and processes that allow usto fingerprint and identify other websites that are hosting the same phishing kit. This is where it got interesting. We found a couple of LIVE phishing sitesthat haven’t been seen before or blacklisted:

PhishFort's phishing detection and enumeration process used to identify live phishing sites
Luno.su

Note the URL above! Luno[.]su was live and ready to be used in the nextcampaign!

Next, another phishing website that was still under construction — AWESOME! We caught it early:

Phishing site in development targeting Luno users with credetial-stealing tactics

In addition, we discovered a number of websites that were in varying states ofoperational, down or already confirmed phishes.

https://luno-co[.]xyz

https://lunobtc[.]trade

https://lunobtc[.]trade/

https://luno-upgrade[.]com

https://luno-official[.]com/

https://luno-upg[.]com

https://luno-web[.]com

https://luno-official[.]com

Blacklisting

When we find attacks or users report them to us, we act fast. In this case, weblacklisted all of the sites that we found against MetaMask, MyEtherWallet andEtherAddressLookup which in total protects about 1,5million end users and wearen’t reliant on slow moving internet giants to blacklist. Then, we get thesite into Safebrowsing which prevents users of Chrome, Firefox, Safari and Edgefrom accessing the website.

Want to learn more about how to keep your brand and customers safe?

PhishFort in one of the global leaders in the crypto space to safeguard businesses. Read more about our Brand Protection Services here, and contact us for any questions! We love to help.

Ensure your brand security and protect your business from attacks, starting today

Our advanced technology detects and takes down phishing websites, mobile app clones, and fake social media content.