With the news about the Israeli Bancor heist breaking recently (in which cryptocurrencies worth $23.5 million were stolen using a compromised wallet), it’s fairly obvious that the criminal attraction to cryptocurrencies hasn’t been affected by recent dips in the value of currencies like Bitcoin and Ethereum. In order to gain access to cryptocurrency wallets and exchanges, criminals appear to be dusting off every tool in their bag of tricks. In addition to the look-alike webpage phishing technique described below, we are also seeing bogus online ads with website names that use the IDN homograph technique, which involves creating a fake domain name that upon first glance appears very similar to the true domain name; emails that contain promises of discounted cryptocurrencies, only to have the victim download ransomware; the creation of imitation wallets; and bitcoin stealing malware.
Users of UK-based Luno intended victims
The fake Luno site on the left displays a sign-in “Favicon” identical to the actual Luno sign-in page (right)
How to distinguish between the real and fake Luno sites
The first indicator to any potential victim that the page is fake is the URL (below), which is clearly different from the standard Luno login address. In addition, the URL displays a symbol of a padlock with a red line through it. (In contrast to the real Luno URL, which displays a green padlock.) On the Firefox browser, the grey padlock with a red line is an indicator that the site is using only partial encryption and is therefore open to attack. (Google Chrome uses the red triangle instead of a green padlock to indicate that a site is either not secure or dangerous.)
However, assuming the intended victim doesn’t notice the URL, there are a few more indicators that this Luno site isn’t what it appears to be.
- The web page title shows “Sign in | Luno,” however, the sign-in form contains instructions about updating the account (which doesn’t appear on the real Luno page).
- Instead of asking for the user’s Luno account password, the form requests an “Email password.”
Key indicators of the fraudulent Luno page are noted in the request for updated information and the email password.
Fails dummy credentials test
Remember that a standard technique to test the validity of a site is to enter ‘dummy’ credentials (a fake email address and password). A real website would instantly recognize that this login information isn’t registered in their system, and would reject the attempt. However, the spoofed Luno page assumes the email address is real and opens up a new form asking for the Luno account password and phone number.
Finally, after entering the fake information and clicking the Update button, the page actually redirects us to the real Luno website.
The real Luno site only asks for an email address on the initial page and even includes a warning at the top about phishing.
A deeper look at the file contents
The escape encoded file.
The decoded redirect URL using iframe tag.
For the URL redirect of the file detected as HTML/Phish.ACL, the fake site uses Base64 to encode the redirect URL from its body and uses the meta http-equiv tag to proceed with the redirection.
The Base64 encoded redirect URL.
Protect your users from phishing
Regardless of whether the cybercriminal is trying to lure your users to a fake cryptocurrency site or a spoofed Microsoft login site, protecting from phishing—one of the most common crimes against businesses—is critical. Consider deploying a cloud-based email gateway that offers time-of-click URL analysis and protection from business email compromise, as well as a web security gateway to stop attempts to access malicious URLs, new and zero-day malware downloads, and communications with botnet C&C servers.
Indicators of Compromise
Cyren identifies the Luno phishing threat as follows:
[CyrenWebSecurity] Found: BUZZARD2364.GETLARK.HOSTING -> Phishing [Exact Password stealing trojan] HTML/Phish.ACL : 71CD24F925491862AD90FAEB54BC3CED010982C6260F632745D28CA75F79E457 [Exact Password stealing trojan] HTML/Phish.ADT : R.PHPDSAFGDSGHDSGDGDSADSAKJYUDADHJF [Exact Password stealing trojan] HTML/Phish.ADT : SIGNIN.PHP
[CyrenWebSecurity] Found: CURLEW2365.GETLARK.HOSTING -> Phishing [Exact Password stealing trojan] Phish.ADT : 73454F72C47D7B075F68FC4D21F26610281D41B4B357DAF7A02B4369E88BA2D2 [Exact Password stealing trojan] HTML/Phish.ADT : R.PHPSDASFFFD223AS3SGSGSGDDDSG [Exact Password stealing trojan] HTML/Phish.ADT : SIGNIN.PHP
For more information on the security implications of the cryptomining phenomenon for businesses view Cyren’s On-Demand Webinar, “The Downsides and Dangers of Cryptocurrency Mining”.