We encountered some Google ads when searching for “Ronin Wallet”. Ronin is the digital wallet you need in order to start playing the game.
Figure 1. Search results for “Ronin Wallet”.
Figure 2. Top ad result points to hxxp://account.roninwallet[.]us
Once you click the link on the ad, it will redirect you to hxxps://roninwallet[.]net/app/. The landing page looks exactly like the legitimate Ronin wallet browser extension page.
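The ad-to-landing-page redirect described above can be hunted for in web proxy logs. The following is an added example, not code from the original article: it refangs the two reported URLs and flags any request or redirect involving a host that embeds the brand string but is not on an official-domain list. The allowlist contents, the record layout, and the sample rows are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as official. Only skymavis.com is named on this
# page; extend the set from your own inventory.
OFFICIAL_DOMAINS = {"skymavis.com"}
BRAND = "roninwallet"

def host_of(indicator):
    """Refang a defanged indicator (hxxp, [.]) and return its lowercase host."""
    url = indicator.replace("hxxp", "http", 1).replace("[.]", ".")
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host):
    """True for an official domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def is_lookalike(host):
    """True when the host embeds the brand string but is not an official domain."""
    return BRAND in host.replace("-", "") and not is_official(host)

def scan(records):
    """Return (client, requested host, redirect host) for each record in which
    the requested host or the redirect target is a lookalike."""
    findings = []
    for client, url, status, location in records:
        src = host_of(url)
        dst = host_of(location) if location and 300 <= status < 400 else None
        if is_lookalike(src) or (dst and is_lookalike(dst)):
            findings.append((client, src, dst))
    return findings

# Constructed proxy records: (client, requested URL, status, Location header).
# The two defanged URLs are the ones reported above; the client addresses,
# status codes and remaining rows are made up for the example.
SAMPLE = [
    ("10.0.0.5", "hxxp://account.roninwallet[.]us/", 302, "hxxps://roninwallet[.]net/app/"),
    ("10.0.0.5", "hxxps://roninwallet[.]net/app/", 200, None),
    ("10.0.0.7", "https://skymavis.com/", 200, None),
    ("10.0.0.9", "http://example.com/", 301, "https://example.com/"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The suffix check in `is_official` matters: a host such as `roninwallet.skymavis.com.evil.example` contains an official name but does not end with it, so it is still flagged.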
Figure 3. Fake Ronin Wallet page.
Figure 4. Legitimate Ronin Wallet Chrome extension page.
Since the phishing page mimics the functionality of the legitimate Ronin wallet, the process of creating and importing a wallet is just like the legitimate one. If a victim tries to create a new wallet, a wallet will be created on the legitimate website. We tried to create a wallet on the fake page and verify it on the legitimate site, and it indeed created one.
Figure 5. Fake Create a New Wallet page
Creating a new wallet will require the account owner to transfer funds from their own cryptocurrency accounts, which means there is less of a chance for the threat actor to steal cryptocurrency immediately. Cryptocurrency wallets are locked using a seed/secret phrase, allowing wallet owners to import their wallets from other devices, such as a mobile phone or another computer, using either a mobile app version of the wallet or a browser extension. This feature, though very convenient, makes wallet owners more vulnerable, because an existing wallet that is imported may already contain cryptocurrency that the threat actors can steal.
Figure 6. Inspection view of the Legitimate Ronin Wallet extension page.
Figure 7. Inspection view of the fake Ronin wallet seed import page.
Below is an excerpt of the script used in the fake page for importing a Ronin wallet, which redirects the victim to https://skymavis.com once the Ronin wallet seed phrase has been successfully entered. This tricks the user into believing that the form in use is from the legitimate Ronin developer.