Aussie cryptocurrency investors are falling victim to fake websites mimicking popular crypto services.
Gustavo Palazolo, Threat Research Engineer at Netskope, told news.com.au of a growing global cryptocurrency scam that is catching out Australians along with investors around the world.
He explained attackers are stealing crypto funds through fake websites which look similar to the real websites used by popular crypto exchanges and wallets.
The scam sites are made more dangerous by search engine optimisation (SEO) techniques that push them up the search rankings and add to their apparent legitimacy.
“Attackers have been creating phishing pages in Google Sites and Microsoft Azure Web App to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini,” Mr Palazolo said.
“In addition, they are adding resources to improve the position of these phishing pages on Google, so that when people search for crypto exchanges, they appear in the first results and get traffic.
“When trying to log in or import an existing wallet, victims are exposed to a phishing page that requires the login or wallet details that attackers then use to steal the crypto funds.
“Attackers also try to communicate with the victims through a live web chat in these fake pages, with the aim to gather additional data required to steal the crypto funds.”
Mr Palazolo said the attackers behind this kind of ‘social engineering’ have become adept at abusing search engines like Google and Bing to spread malicious links or documents.
“Research published by Netskope Threat Labs shows that in the past financial year there was a sharp increase in the volume of PDF files downloaded from popular search engines that are used to redirect victims to phishing, scam, and malware,” Mr Palazolo said.
Aussie traders at risk
With an estimated 17 per cent of Australians owning some sort of cryptocurrency, Mr Palazolo believes Australians are not spared the risk.
“These techniques have proven equally effective around the globe,” he said.
“The fake pages listed in this research show up in search results in www.google.com.au the same way they do for other regionalised versions of the search engine. In other words, these phishing pages are targeting victims around the world.”
Popular crypto services in Australia include Binance, Coinbase, Crypto.com, Kraken and Gate.io, all of which are “actively phished” according to the researcher.
Sites in the crosshairs
Mr Palazolo said attackers responsible for the phishing campaign have proven to be resilient to countermeasures.
“Most of the URLs we found in August are still active and the attacker is taking measures to keep the operation online,” he said.
“Furthermore, we found new phishing pages with the same targets disclosed in the initial research, and new phishing pages mimicking Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay.”
How the attacks work
The victim searches for a cryptocurrency website using specific keywords (e.g. “have MetaMask account”) and the phishing page is displayed first or among the first results.
The phishing page mimics the original website and contains a lot of elements to boost SEO. It then redirects the victim to another phishing website via links within the page.
The second phishing page tries to steal sensitive information, such as the cryptocurrency account credentials or secret recovery phrases.
The last page also comes with a live web chat where the attacker interacts with the victim and will attempt to steal more sensitive data.
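The four steps above describe a pattern a defender can look for in web proxy logs: a brand the article names turning up on one of the two free hosting platforms it mentions (Google Sites under sites.google.com, Azure Web App under *.azurewebsites.net), or in a domain the brand does not own. The Python heuristic below is an added example, not code from the article or from Netskope; the brand-to-domain allowlist, the log format and the sample log lines are assumptions constructed for the illustration.

```python
from urllib.parse import urlparse

# Brands the article reports being impersonated, mapped to the domain each one
# actually serves from (assumed allowlist; keep it current in real use).
BRAND_DOMAINS = {
    "coinbase": "coinbase.com", "metamask": "metamask.io", "kraken": "kraken.com",
    "gemini": "gemini.com", "binance": "binance.com", "crypto.com": "crypto.com",
    "gate.io": "gate.io", "kucoin": "kucoin.com", "pancakeswap": "pancakeswap.finance",
    "shakepay": "shakepay.com",
}

def _normalise(text):
    """Collapse separators so 'crypto-com', 'crypto_com' and 'crypto.com' compare equal."""
    return text.lower().replace("-", "").replace("_", "").replace(".", "")

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def classify_url(url):
    """Return (verdict, brand); verdicts: legitimate, hosted-impersonation, lookalike, unknown."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    for brand, legit in BRAND_DOMAINS.items():
        if _in_domain(host, legit):
            return "legitimate", brand
    # Google Sites pages live under sites.google.com; Azure Web App sites under *.azurewebsites.net.
    on_free_hosting = host == "sites.google.com" or host.endswith(".azurewebsites.net")
    host_n, path_n = _normalise(host), _normalise(parsed.path)
    for brand in BRAND_DOMAINS:
        token = _normalise(brand)
        if on_free_hosting and token in host_n + "/" + path_n:
            return "hosted-impersonation", brand   # brand name on a free page-hosting platform
        if token in host_n:
            return "lookalike", brand              # brand name in a domain the brand does not own
    return "unknown", None

def flag_proxy_log(lines):
    """Scan '<time> <user> <url>' proxy log lines; return (user, url, verdict, brand) for
    entries a gateway should block or review. Only host/path are inspected, so a news
    article mentioning a brand on an unrelated domain is not flagged."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        verdict, brand = classify_url(parts[2])
        if verdict in ("hosted-impersonation", "lookalike"):
            flagged.append((parts[1], parts[2], verdict, brand))
    return flagged

# Constructed sample log lines; none of these URLs is a real indicator.
SAMPLE_LOG = [
    "2022-09-01T10:00:00Z alice https://www.coinbase.com/signin",
    "2022-09-01T10:01:00Z bob https://sites.google.com/view/metamask-wallet-import-phrase",
    "2022-09-01T10:02:00Z carol https://kraken-login-support.azurewebsites.net/",
    "2022-09-01T10:03:00Z dave https://gemini-secure-login.example/account",
    "2022-09-01T10:04:00Z erin https://example.org/",
]
```

Run against SAMPLE_LOG, `flag_proxy_log` returns the three entries for bob, carol and dave and leaves the genuine Coinbase login and the unrelated site alone.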
Keeping your crypto safe
Mr Palazolo believes attackers will continue to use this method in the coming months, because the way the fake pages are built makes them very easy to replicate as soon as they are taken down.
“Attackers can easily maintain their operations,” he warned.
As for avoiding the dodgy sites, direct navigation to your provider is key.
“We encourage individuals to never enter or give logins after clicking on a link,” he said.
“Instead, always navigate directly to the website you are trying to log into.
“This is especially true for financial transactions. Individuals should also use multi-factor authentication to access their accounts, which is a combination of authentication methods.
“For example a password and a verification code sent to a mobile phone, or generated in an authenticator app.
“On their ends, organisations should use a secure web gateway capable of detecting and blocking phishing in real-time.”