RedSocks Security's new series of blogs brings you into a 24-hour investigation of phishing campaigns. This week, our analysts observed an Ethereum phishing campaign which promises free ether. We have analyzed and researched this campaign. Take a dive with us into the world of Ethereum phishing attacks.
Investigation timeframe: Tuesday, July 14th 2pm – Wednesday, July 25th 11am
What is Ethereum?
Ether, or Ethereum (ETH), is a cryptocurrency whose blockchain is generated by a decentralized, open-source platform for applications. Its key features include smart contracts, which are used for crowdfunded projects and tokens; it is known as a highly collaborative platform.
The Ethereum cryptocurrency is ranked second, behind Bitcoin, in the cryptocurrency market, with a market cap of $47,591,887,588 (coinmarketcap.com).
Ethereum and cybercrime
As the attractiveness and value of cryptocurrencies have risen in the past two years, so has their appeal to (cyber) criminals. The first major documented attack on Ethereum occurred in June 2016, as a result of the exploitation of a vulnerability in the DAO (Decentralized Autonomous Organisation, used for investment). According to Chainalysis, the revenue of cybercrime on Ethereum reached a total of $225 million in August 2017, with phishing representing 50% of the attacks.
Financial gain appears to be the main motivation. Criminals have indeed shifted to cryptocurrency fraud, as it has become more profitable and easier than operating ransomware.
This investigation surfaced multiple reports of phishing links whose purpose is to collect money from deceived users. The main scheme observed offers a special giveaway. To receive the prize, the target must verify their mail address by transferring a small amount of Ethereum tokens.
A recurrent trend was observed with domain names referring to ‘medium’ on the .top top-level domain (TLD), possibly referring to the blogging platform. Other links pointed to specialized crypto apps that turned out to be fraudulent, while others hijacked legitimate sites and promised airdrops. Airdrops, in the world of cryptocurrencies, are distributions of free tokens, mostly for marketing purposes. Finally, we observed that the names of influential people like Elon Musk were being used in the campaign to trigger unaware users into taking action.
Most of these campaigns rely on social media, using Twitter accounts to promote the offer or the app. This practice raises the credibility of the offer in the eyes of users and also increases its capacity to spread. The tweets are often picked up by automated processes that continue to share them across the web. Some of the tweets get archived, and some appear on legitimate websites that do not perform in-depth research on the information they share.
The campaigns investigated were spotted within the past twenty-four hours; yet these practices have been seen before and do not seem to bring any innovation to the process.
Technical description of some examples:
- The classic frame
IP address: 220.127.116.11
Comment: this campaign uses the common frame observed in this investigation: it requires the user to transfer a small amount of ether to verify an address, and this amount is promised to be multiplied. A psychological marketing trick is used to create urgency in the user’s mind: the bar at the bottom rapidly decreases to represent the amount left to give away.
This frame has been seen with the following URLs: eth.mediumpromo.top/
- Brand hijack
IP address: 18.104.22.168
Comment: this campaign hijacks the brand identity of Electroneum, a mobile-based cryptocurrency.
IP address: 22.214.171.124
Comment: this campaign hijacks the brand identity of Binance, a blockchain ecosystem. A fraudulent Twitter page, active since 2010, is now promoting the offer. Another URL redirects to the same type of hijack: https://ethersearch.app. A Twitter page has been created under the name of the app, ‘Ether search’, probably to increase credibility. As of July 25th, the Twitter page has 2,400 followers with a high rate of legitimate users (93%).
- ID Hijack
Several campaigns, like the following one, hijack a personality who is supposedly giving away large amounts.
IP address: 126.96.36.199 (same server as above)
Comment: this scheme using Elon Musk has been seen before.
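The indicators above (the ‘medium’ lookalike on .top, borrowed brand identities, giveaway and airdrop wording) can be turned into a simple triage heuristic for URL feeds. The following is an added example and not RedSocks' code: the brand and keyword lists are assumptions drawn from this post, and all sample URLs except eth.mediumpromo.top are constructed.

```python
# Added example (not RedSocks' code): triage URLs against the patterns described
# in this investigation. Brand/keyword lists are assumptions; sample URLs constructed.
from urllib.parse import urlsplit

# Brands whose identity the observed campaigns borrowed (from the post).
IMPERSONATED_BRANDS = ("medium", "electroneum", "binance")
# Wording typical of the "send a little, get more back" giveaway frame.
GIVEAWAY_WORDS = ("promo", "giveaway", "airdrop", "free", "bonus")
# The .top TLD recurred with 'medium' lookalikes in this investigation.
SUSPECT_TLDS = ("top",)


def triage_url(url: str) -> dict:
    """Return a score (count of matched heuristics) and the reasons for it."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    tld = labels[-1] if labels else ""
    sld = labels[-2] if len(labels) >= 2 else ""  # e.g. 'mediumpromo'
    text = host + parts.path.lower()
    reasons = []
    # A brand string embedded in a label that is not the brand's own domain.
    for brand in IMPERSONATED_BRANDS:
        if brand in sld and sld != brand:
            reasons.append(f"brand-lookalike:{brand}")
    if tld in SUSPECT_TLDS:
        reasons.append(f"suspect-tld:{tld}")
    for word in GIVEAWAY_WORDS:
        if word in text:
            reasons.append(f"giveaway-wording:{word}")
    return {"host": host, "score": len(reasons), "reasons": reasons}


def flag_urls(urls, threshold: int = 2):
    """Return (url, result) pairs scoring at least threshold, highest first."""
    hits = [(u, triage_url(u)) for u in urls]
    hits = [(u, r) for u, r in hits if r["score"] >= threshold]
    return sorted(hits, key=lambda ur: ur[1]["score"], reverse=True)


# Constructed sample: the first URL is from the post, the rest are made up.
SAMPLE_URLS = [
    "eth.mediumpromo.top/",
    "https://binance-airdrop.example/claim",
    "https://medium.com/@someone/a-real-post",
    "https://www.electroneum.com/",
]

if __name__ == "__main__":
    for url, result in flag_urls(SAMPLE_URLS):
        print(result["score"], url, ", ".join(result["reasons"]))
```

The heuristic is deliberately coarse and meant for prioritising analyst review, not for blocking: legitimate brand domains score zero because the registrable label equals the brand, while lookalikes combining a brand, a giveaway word and the .top TLD rise to the top.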
The investigation shows that cybercriminals use basic and recycled strategies to obtain financial gain. The popularity of cryptocurrencies among users, and the urgency created both by the fraudulent offers and by the volatility of the currency, make for perfect psychological tricks in phishing campaigns.
Looking forward to our next 24-hour investigation?
Follow us on Social Media!