close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing

                                      Sep 15 2022

                                      Summary

                                      On August 9, 2022, we released a blog post about a phishing campaign where attackers were abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from different targets, namely Coinbase, MetaMask, Kraken, and Gemini. The attackers were abusing SEO techniques to spread the pages and using advanced techniques to steal data, such as using live chats to interact with victims.

                                      Over the past month, the attackers responsible for the phishing campaign have proven to be resilient to take-downs. Most of the URLs we found in August are still active and the attacker is taking measures to keep the operation online. Furthermore, we found new phishing pages with the same targets disclosed in the initial research, and new phishing pages mimicking Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay

                                      We found the following target distribution analyzing the URLs hosted on Google Sites:

                                      Graph showing the percentage of phishing targets represented in this research

                                      In this blog post, we will provide a follow up to the blog post we released in August, showing what has changed since then.

                                      How the attack works

                                      1. The victim searches for a cryptocurrency website using specific keywords (e.g. “have MetaMask account”) and the phishing page is displayed first or among the first results.
                                      2. The first phishing page mimics the original website and contains a lot of elements to boost SEO. This stage redirects the victim to another phishing website via links within the page.
                                      3. The second phishing page tries to steal sensitive information, such as the cryptocurrency account credentials or secret recovery phrases.
                                      4. The last page also comes with a live web chat where the attacker interacts with the victim, likely to steal more sensitive data.
                                      Cryptocurrency phishing attack flow summarydiagram

                                      Attacker’s resilience

                                      Analyzing the URLs we found in August, we noticed that over the past month:

                                      1. All of the URLs used in the second stage were taken down;
                                      2. 75% of the first stage URLs remain online, and for those URLs the attacker either:
                                        1. Removed the second stage URL;
                                        2. Added a new online second stage URL.

                                      The Google Sites information banner indicates that the attacker is constantly updating the first stage pages.

                                      Screenshot of. Change history from multiple phishing pages.
                                      Change history from multiple phishing pages.

                                      In summary, the attacker is replacing the Microsoft Azure URLs with new ones to remain operant. Also, in some cases the attacker just removed the offline URL instead of adding a new one, likely to avoid the user being redirected to an offline page that was flagged as phishing while they are working to get another page online.

                                      New targets

                                      Aside from the companies we have previously identified, we found new Google Sites URLs for Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay

                                      These new URLs all follow the same attack pattern, using Google Sites to mimic the original website. However, only the Crypto.com phishing page contains a second stage URL at this point. All of the other pages were either redirecting the user to the original website being mimicked or not redirecting anywhere. It’s unclear whether the attacker is still developing the second stage for the other targets or if they were already taken down and removed from the page. 

                                      Crypto.com

                                      This phishing page works the same as the others, by mimicking the original website in the first stage, created with Google Sites.

                                      Screenshot of Crypto.com phishing created with Google Sites.
                                      Crypto.com phishing created with Google Sites.

                                      It then redirects the victim to the second stage, hosted with Microsoft Azure Web App, to a page that tries to steal the user’s credentials.

                                      Screenshot of Crypto.com phishing created with Microsoft Azure Web App.
                                      Crypto.com phishing created with Microsoft Azure Web App.

                                      After entering the username and password, the webpage requests the victim’s phone number.

                                      Screenshot of Crypto.com phishing requesting the victim’s phone number.
                                      Crypto.com phishing requesting the victim’s phone number.

                                      After entering the phone number, the page shows a fake error message and asks the victim to contact them via web chat, which is the same behavior found previously.

                                      Screenshot of Crypto.com phishing displaying a fake error message.
                                      Crypto.com phishing displaying a fake error message.

                                      Binance

                                      Below, is an example of a website hosted on Google Sites that mimics Binance.

                                      Screenshot of Website mimicking Binance, following the same phishing pattern.
                                      Website mimicking Binance, following the same phishing pattern.

                                      Gate.io

                                      Below, is an example of a website hosted on Google Sites that mimics Gate.io.

                                      Screenshot of Website mimicking Gate.io, following the same phishing pattern.
                                      Website mimicking Gate.io, following the same phishing pattern.

                                      KuCoin

                                      Below, is an example of a website hosted on Google Sites that mimics KuCoin.

                                      Screenshot of Website mimicking KuCoin, following the same phishing pattern.
                                      Website mimicking KuCoin, following the same phishing pattern.

                                      ShakePay

                                      Below, is an example of a website hosted on Google Sites that mimics ShakePay.

                                      Screenshot of Website mimicking Shakepay, following the same phishing pattern
                                      Website mimicking Shakepay, following the same phishing pattern

                                      PancakeSwap

                                      Below, is an example of a website hosted on Google Sites that mimics PancakeSwap.

                                      Screenshot of Website mimicking PancakeSwap, following the same phishing pattern.
                                      Website mimicking PancakeSwap, following the same phishing pattern.

                                      New URLs, Same Targets

                                      Additionally, we found 66 new Google Sites URLs with the same targets disclosed in the first research, which are Coinbase, MetaMask, Kraken, and Gemini.

                                      We also found a new template used for MetaMask phishing.

                                      Screenshot of MetaMask phishing page created with Google Sites.
                                      MetaMask phishing page created with Google Sites.

                                      The second stage works exactly like the ones we spotted previously, but it’s using a new template as well.

                                      Screenshot of Second stage of MetaMask phishing, hosted with Microsoft Azure Web App.
                                      Second stage of MetaMask phishing, hosted with Microsoft Azure Web App.

                                      The “Import Wallet” button leads to a modal that asks for the secret recovery phrase for MetaMask.

                                      Screenshot of Modal asking for the secret recovery phrase
                                      Modal asking for the secret recovery phrase

                                      The “Sign In” option contains some slight differences compared to the phishing we spotted previously, but it has the same goal of stealing the victim’s credentials.

                                      Screenshot of MetaMask phishing trying to steal user’s credentials.
                                      MetaMask phishing trying to steal user’s credentials.

                                      It also comes with the same live chat feature we previously mentioned, but this time it opens in a popup window.

                                      Screenshot of Popup window with a live chat between the attacker and victim.
                                      Popup window with a live chat between the attacker and victim.

                                      According to the information button provided by Google Sites, this page was likely changed on August 23, 2022.

                                      Conclusions

                                      Based on this additional research, we believe attackers will continue to use this pattern, as they can create multiple accounts in these cloud services and easily replicate the phishing templates using different URLs. Also, by dividing this phishing in two stages (Google Sites and Microsoft Azure), the attackers are creating more resilience, since they can simply replace an offline URL to another one to keep the operation online.

                                      Netskope strongly recommends users to directly access the website they are trying to reach instead of searching or clicking on any links throughout the internet. For organizations, we also recommend the usage of a secure web gateway, capable of detecting and blocking phishing in real time.

                                      Protection

                                      Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators. Netskope Next Gen SWG inspects all HTTP and HTTPS traffic, using a combination of threat intelligence, signatures, heuristics, and machine learning to identify and block phishing pages in real time.

                                      IOCs

                                      First stage URLs

                                      hxxps://sites.google[.]com/crypto-coinexchange.com/geminiexchangee/home

                                      hxxps://sites.google[.]com/cryptocomlog.com/crypto-com-login/home

                                      hxxps://sites.google[.]com/365cryptocurrencies.com/coinbasewallet/home

                                      hxxps://sites.google[.]com/365cryptocurrencies.com/kucoin-logi/

                                      hxxps://sites.google[.]com/365cryptocurrencies.com/kucoinucentersignin/

                                      hxxps://sites.google[.]com/askmewallet.com/binancewalletextension/home

                                      hxxps://sites.google[.]com/askmewallet.com/geminilogin/home

                                      hxxps://sites.google[.]com/askmewallet.com/pancakeswaplogin/home

                                      hxxps://sites.google[.]com/askmewallet.com/shakepaylogin/home

                                      hxxps://sites.google[.]com/askscryptous.com/coinbaselogin/home

                                      hxxps://sites.google[.]com/askscryptous.com/coinbasewallet/home

                                      hxxps://sites.google[.]com/askscryptous.com/geminisignin/home

                                      hxxps://sites.google[.]com/askscryptous.com/metamask-login/home

                                      hxxps://sites.google[.]com/askscryptous.com/metamasklogin/home

                                      hxxps://sites.google[.]com/askscryptous.com/metamasksignin/home

                                      hxxps://sites.google[.]com/askscryptous.com/metamaskwalletlogin/home

                                      hxxps://sites.google[.]com/bitcoinbasepro.com/coinbaselogincom/

                                      hxxps://sites.google[.]com/coinbasecom.org/coinbaselogin/home

                                      hxxps://sites.google[.]com/coinbaseloginn.com/coinbaseloginn/home

                                      hxxps://sites.google[.]com/coinbselogin.com/coinbaselogin/home

                                      hxxps://sites.google[.]com/coindesklogin.com/coinbase-wallet/home

                                      hxxps://sites.google[.]com/coinlogins.com/coinbase-down/home

                                      hxxps://sites.google[.]com/coinsprologin.com/coinbasewallet-login/home

                                      hxxps://sites.google[.]com/crypto-coinexchange.com/binance-exchange/home

                                      hxxps://sites.google[.]com/crypto-coinexchange.com/coinbaseexchange/home

                                      hxxps://sites.google[.]com/crypto-coinexchange.com/krakenexchange/home

                                      hxxps://sites.google[.]com/crypto-coinwallet.com/coinbase-wallet/home

                                      hxxps://sites.google[.]com/crypto-coinwallet.com/coinbasewallet/home

                                      hxxps://sites.google[.]com/crypto-coinwallet.com/geminiwallet/home

                                      hxxps://sites.google[.]com/crypto-coinwallet.com/metamask-wallet/home

                                      hxxps://sites.google[.]com/cryptobitwallets.com/metamasksignin/home

                                      hxxps://sites.google[.]com/cryptobitwallets.com/metamaskwallet/home

                                      hxxps://sites.google[.]com/cryptocom-login.com/cryptocomloginin/home

                                      hxxps://sites.google[.]com/cryptocomlog.com/cryptocom-login/home

                                      hxxps://sites.google[.]com/cryptologn.com/coinbaseprologin

                                      hxxps://sites.google[.]com/cryptologn.com/coinbasewallet/

                                      hxxps://sites.google[.]com/cryptologn.com/metamasksignin

                                      hxxps://sites.google[.]com/cryptowalletbit.com/blockfi-wallet/home

                                      hxxps://sites.google[.]com/cryptowalletsusa.com/metamasklogin/home

                                      hxxps://sites.google[.]com/cryptowalletts.com/pancake-swap/home

                                      hxxps://sites.google[.]com/csscrypton.com/crypto-login/home

                                      hxxps://sites.google[.]com/ecryptowalletpay.com/coinbase-wallet-login/home

                                      hxxps://sites.google[.]com/gateiolog.com/gateiologin/home

                                      hxxps://sites.google[.]com/kucoin-log.com/kucoinlogini/home

                                      hxxps://sites.google[.]com/kucoinguide.com/kucoinlogin/

                                      hxxps://sites.google[.]com/kucoinguide.com/kucoinloginsignin/

                                      hxxps://sites.google[.]com/metaipmasklogin.com/metamasklogin/home

                                      hxxps://sites.google[.]com/metamamk.com/metamask-log-in/home

                                      hxxps://sites.google[.]com/metamask-ios.com/metamask-extensions/home

                                      hxxps://sites.google[.]com/metamask-ios.com/metamask-login/home

                                      hxxps://sites.google[.]com/metamask-ios.com/metamaskextension/home

                                      hxxps://sites.google[.]com/metamask-ios.com/metamaskloginin/home

                                      hxxps://sites.google[.]com/metamask-ios.com/metamasksigninn/home

                                      hxxps://sites.google[.]com/metamask-log.com/metamask-login/home

                                      hxxps://sites.google[.]com/metamask-log.com/metamask-signin/home

                                      hxxps://sites.google[.]com/metamask-log.com/metamasklogin/home

                                      hxxps://sites.google[.]com/metamask-log.com/metamasksignin/home

                                      hxxps://sites.google[.]com/metamaskexts.com/metamasklogin/home

                                      hxxps://sites.google[.]com/metamaskexts.com/metamaskloginn/home

                                      hxxps://sites.google[.]com/metamaskios.com/metamask-login/home

                                      hxxps://sites.google[.]com/metamaskios.com/metamasksignin/home

                                      hxxps://sites.google[.]com/metamaskios.com/metamaskwallet/home

                                      hxxps://sites.google[.]com/metanimasklogin.com/metamasklogin/home

                                      hxxps://sites.google[.]com/metanimasklogin.com/metamasksignin/home

                                      hxxps://sites.google[.]com/metmasklogin.com/metamask-extension/home

                                      hxxps://sites.google[.]com/metmasklogin.com/metamask-login/home

                                      hxxps://sites.google[.]com/metmasklogin.com/metamaskio-wallet/home

                                      hxxps://sites.google[.]com/metmsk-logi.com/metamasksignin/home

                                      hxxps://sites.google[.]com/meutmask-log.com/metamaskwallet/home/

                                      hxxps://sites.google[.]com/mynewcoins.com/metamasklogin/home

                                      hxxps://sites.google[.]com/myprowallets.com/metamask-extension/home

                                      hxxps://sites.google[.]com/usacoinlogin.com/metamasksignin/home/

                                      hxxps://sites.google[.]com/view/coinbasewallett/home

                                      hxxps://sites.google[.]com/view/gemini-login-usa/

                                      hxxps://sites.google[.]com/view/gemini-login-usa/home

                                      hxxps://sites.google[.]com/view/geminiexchangee/

                                      hxxps://sites.google[.]com/view/geminiwallet/

                                      hxxps://sites.google[.]com/view/metamask-extention/home

                                      hxxps://sites.google[.]com/view/metamaskloginwallet

                                      hxxps://sites.google[.]com/view/metamaskwalletloginus/

                                      hxxps://sites.google[.]com/view/metamaskwallt/home

                                      Second stage URLs

                                      hxxps://caerytos-log.azurewebsites[.]net/

                                      hxxps://cetryeyptos-log.azurewebsites[.]net/

                                      hxxps://coainasbe-log.azurewebsites[.]net/

                                      hxxps://coianasbe-wkalle.azurewebsites[.]net/

                                      hxxps://coinasnbe-walle.azurewebsites[.]net/

                                      hxxps://coinnbass-log.azurewebsites[.]net/

                                      hxxps://crytpeios-log.azurewebsites[.]net/

                                      hxxps://gemnminin-log.azurewebsites[.]net/

                                      hxxps://krakaken-log.azurewebsites[.]net/

                                      hxxps://maataamaask.azurewebsites[.]net/

                                      hxxps://mamametamask-walle.azurewebsites[.]net/

                                      hxxps://metidismakskklo.azurewebsites[.]net/

                                      hxxps://mmetatasamask-log.azurewebsites[.]net/

                                      hxxps://mmetatsamasks-walle.azurewebsites[.]net/

                                      author image
                                      Gustavo Palazolo
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog