Netskope wurde im Gartner Magic Quadrant für Security Service Edge 2022 als führendes Unternehmen ausgezeichnet. Report abrufen.

  • Produkte

    Netskope-Produkte basieren auf der Netskope Security Cloud.

  • Plattform

    Unübertroffene Transparenz und Daten- und Bedrohungsschutz in Echtzeit in der weltweit größten privaten Sicherheits-Cloud.

Netskope wurde 2022 zum Marktführer im Gartner Magic Quadrant™ for SSE Report ernannt

Report abrufen Netskope Produktübersicht
Netskope führend bei SSE in Gartner MQ 2022

Netskope bietet einen modernen Cloud-Security-Stack mit vereinheitlichten Funktionen für Daten- und Bedrohungsschutz sowie sicherem privaten Zugriff.

Erkunden Sie unsere Plattform
Städtische Metropole aus der Vogelperspektive

Steigen Sie auf marktführende Cloud-Security Service mit minimaler Latenz und hoher Zuverlässigkeit um.

Mehr Informationen
Beleuchtete Schnellstraße mit Serpentinen durch die Berge

Verhindern Sie Bedrohungen, die häufig anderen Sicherheitslösungen entgehen, mithilfe eines SSE-Frameworks mit single-pass Architektur

Mehr Informationen
Gewitter über einem Großstadtgebiet

Zero-Trust-Lösungen für SSE- und SASE-Deployments

Mehr Informationen
Bootsfahrt auf dem offenen Meer

Netskope ermöglicht einen sicheren, cloudintelligenten und schnellen Weg zur Einführung von Cloud-Diensten, Apps und Public-Cloud-Infrastrukturen.

Mehr Informationen
Windkraftanlagen entlang einer Klippe
  • Customer Success

    Sichern Sie Ihren Weg zur digitalen Transformation und holen Sie das Beste aus Ihren Cloud-, Web- und privaten Anwendungen heraus.

  • Kunden-Support

    Proaktiver Support und Engagement zur Optimierung Ihrer Netskope-Umgebung und zur Beschleunigung Ihres Erfolgs.

  • Schulung und Zertifizierung

    Netskope-Schulungen helfen Ihnen ein Experte für Cloud-Sicherheit zu werden.

Vertrauen Sie darauf, dass Netskope Sie bei dem Schutz vor neuen Bedrohungen, neuer Risiken und technologischer Veränderungen unterstützt. Ebenso bei organisatorischen sowie Compliance Anforderungen.

Mehr Informationen
Lächelnde Frau mit Brille schaut aus dem Fenster

Wir verfügen weltweit über qualifizierte Ingenieure mit unterschiedlichem Hintergrund in den Bereichen Cloud-Sicherheit, Netzwerke, Virtualisierung, Inhaltsbereitstellung und Softwareentwicklung, die bereit sind, Ihnen zeitnahe und qualitativ hochwertige technische Unterstützung zu bieten.

Mehr Informationen
Bärtiger Mann mit Headset arbeitet am Computer

Mit Netskope-Schulungen können Sie Ihre digitale Transformation absichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen machen.

Mehr Informationen
Gruppe junger Berufstätiger bei der Arbeit
  • Ressourcen

    Erfahren Sie mehr darüber, wie Netskope Ihnen helfen kann, Ihre Reise in die Cloud zu sichern.

  • Blog

    Erfahren Sie, wie Netskope die Sicherheits- und Netzwerktransformation durch Security Service Edge (SSE) ermöglicht.

  • Veranstaltungen& Workshops

    Bleiben Sie den neuesten Sicherheitstrends immer einen Schritt voraus und tauschen Sie sich mit Gleichgesinnten aus

  • Security Defined

    Finden Sie alles was Sie wissen müssen in unserer Cybersicherheits-Enzyklopädie.

Security Visionaries Podcast

Bonus-Episode: Die Bedeutung von Security Service Edge (SSE)

Podcast abspielen
Dunkelhäutiger Mann in einer Webkonferenz

Lesen Sie die neuesten Informationen darüber, wie Netskope die Zero Trust- und SASE-Reise durch Security Service Edge (SSE) -Funktionen ermöglichen kann.

Den Blog lesen
Sonnenaufgang und bewölkter Himmel

SASE-Week

Netskope hilft Ihnen dabei, Ihre Reise zu beginnen und herauszufinden, wo Sicherheit, Netzwerk und Zero Trust in die SASE-Welt passen.

Mehr Informationen
SASE-Week

Was ist Security Service Edge?

Entdecken Sie die Sicherheitselemente von SASE, die Zukunft des Netzwerks und der Security in der Cloud.

Mehr Informationen
Kreisverkehr mit vier Straßen
  • Unternehmen

    Wir helfen Ihnen, den Herausforderungen der Cloud-, Daten- und Netzwerksicherheit einen Schritt voraus zu sein.

  • Warum Netskope?

    Cloud-Transformation und hybrides Arbeiten haben die Art und Weise verändert, wie Sicherheit umgesetzt werden muss.

  • Unternehmensführung

    Unser Führungsteam ist fest entschlossen, alles zu tun, was nötig ist, damit unsere Kunden erfolgreich sind.

  • Partner

    Unsere Partnerschaften helfen Ihnen, Ihren Weg in die Cloud zu sichern.

Netskope ermöglicht das "neue" Arbeiten

Finde mehr heraus
Kurvige Straße durch ein Waldgebiet

Netskope definiert Cloud-, Daten- und Netzwerksicherheit neu, um Unternehmen dabei zu unterstützen, Zero-Trust-Prinzipien zum Schutz von Daten anzuwenden.

Mehr Informationen
Serpentinenstraße auf einer Klippe

Denker, Architekten, Träumer, Innovatoren. Gemeinsam liefern wir hochmoderne Cloud-Sicherheitslösungen, die unseren Kunden helfen, ihre Daten und Mitarbeiter zu schützen.

Lernen Sie unser Team kennen
Gruppe von Wanderern erklimmt einen verschneiten Berg

Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.

Mehr Informationen
Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft
Blog Threat Labs Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing
Sep 15 2022

Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing

Summary

On August 9, 2022, we released a blog post about a phishing campaign where attackers were abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from different targets, namely Coinbase, MetaMask, Kraken, and Gemini. The attackers were abusing SEO techniques to spread the pages and using advanced techniques to steal data, such as using live chats to interact with victims.

Over the past month, the attackers responsible for the phishing campaign have proven to be resilient to take-downs. Most of the URLs we found in August are still active and the attacker is taking measures to keep the operation online. Furthermore, we found new phishing pages with the same targets disclosed in the initial research, and new phishing pages mimicking Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay

We found the following target distribution analyzing the URLs hosted on Google Sites:

Graph showing the percentage of phishing targets represented in this research

In this blog post, we will provide a follow up to the blog post we released in August, showing what has changed since then.

How the attack works

  1. The victim searches for a cryptocurrency website using specific keywords (e.g. “have MetaMask account”) and the phishing page is displayed first or among the first results.
  2. The first phishing page mimics the original website and contains a lot of elements to boost SEO. This stage redirects the victim to another phishing website via links within the page.
  3. The second phishing page tries to steal sensitive information, such as the cryptocurrency account credentials or secret recovery phrases.
  4. The last page also comes with a live web chat where the attacker interacts with the victim, likely to steal more sensitive data.
Cryptocurrency phishing attack flow summarydiagram

Attacker’s resilience

Analyzing the URLs we found in August, we noticed that over the past month:

  1. All of the URLs used in the second stage were taken down;
  2. 75% of the first stage URLs remain online, and for those URLs the attacker either:
    1. Removed the second stage URL;
    2. Added a new online second stage URL.

The Google Sites information banner indicates that the attacker is constantly updating the first stage pages.

Screenshot of. Change history from multiple phishing pages.
Change history from multiple phishing pages.

In summary, the attacker is replacing the Microsoft Azure URLs with new ones to remain operant. Also, in some cases the attacker just removed the offline URL instead of adding a new one, likely to avoid the user being redirected to an offline page that was flagged as phishing while they are working to get another page online.

New targets

Aside from the companies we have previously identified, we found new Google Sites URLs for Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay

These new URLs all follow the same attack pattern, using Google Sites to mimic the original website. However, only the Crypto.com phishing page contains a second stage URL at this point. All of the other pages were either redirecting the user to the original website being mimicked or not redirecting anywhere. It’s unclear whether the attacker is still developing the second stage for the other targets or if they were already taken down and removed from the page. 

Crypto.com

This phishing page works the same as the others, by mimicking the original website in the first stage, created with Google Sites.

Screenshot of Crypto.com phishing created with Google Sites.
Crypto.com phishing created with Google Sites.

It then redirects the victim to the second stage, hosted with Microsoft Azure Web App, to a page that tries to steal the user’s credentials.

Screenshot of Crypto.com phishing created with Microsoft Azure Web App.
Crypto.com phishing created with Microsoft Azure Web App.

After entering the username and password, the webpage requests the victim’s phone number.

Screenshot of Crypto.com phishing requesting the victim’s phone number.
Crypto.com phishing requesting the victim’s phone number.

After entering the phone number, the page shows a fake error message and asks the victim to contact them via web chat, which is the same behavior found previously.

Screenshot of Crypto.com phishing displaying a fake error message.
Crypto.com phishing displaying a fake error message.

Binance

Below, is an example of a website hosted on Google Sites that mimics Binance.

Screenshot of Website mimicking Binance, following the same phishing pattern.
Website mimicking Binance, following the same phishing pattern.

Gate.io

Below, is an example of a website hosted on Google Sites that mimics Gate.io.

Screenshot of Website mimicking Gate.io, following the same phishing pattern.
Website mimicking Gate.io, following the same phishing pattern.

KuCoin

Below, is an example of a website hosted on Google Sites that mimics KuCoin.

Screenshot of Website mimicking KuCoin, following the same phishing pattern.
Website mimicking KuCoin, following the same phishing pattern.

ShakePay

Below, is an example of a website hosted on Google Sites that mimics ShakePay.

Screenshot of Website mimicking Shakepay, following the same phishing pattern
Website mimicking Shakepay, following the same phishing pattern

PancakeSwap

Below, is an example of a website hosted on Google Sites that mimics PancakeSwap.

Screenshot of Website mimicking PancakeSwap, following the same phishing pattern.
Website mimicking PancakeSwap, following the same phishing pattern.

New URLs, Same Targets

Additionally, we found 66 new Google Sites URLs with the same targets disclosed in the first research, which are Coinbase, MetaMask, Kraken, and Gemini.

We also found a new template used for MetaMask phishing.

Screenshot of MetaMask phishing page created with Google Sites.
MetaMask phishing page created with Google Sites.

The second stage works exactly like the ones we spotted previously, but it’s using a new template as well.

Screenshot of Second stage of MetaMask phishing, hosted with Microsoft Azure Web App.
Second stage of MetaMask phishing, hosted with Microsoft Azure Web App.

The “Import Wallet” button leads to a modal that asks for the secret recovery phrase for MetaMask.

Screenshot of Modal asking for the secret recovery phrase
Modal asking for the secret recovery phrase

The “Sign In” option contains some slight differences compared to the phishing we spotted previously, but it has the same goal of stealing the victim’s credentials.

Screenshot of MetaMask phishing trying to steal user’s credentials.
MetaMask phishing trying to steal user’s credentials.

It also comes with the same live chat feature we previously mentioned, but this time it opens in a popup window.

Screenshot of Popup window with a live chat between the attacker and victim.
Popup window with a live chat between the attacker and victim.

According to the information button provided by Google Sites, this page was likely changed on August 23, 2022.

Conclusions

Based on this additional research, we believe attackers will continue to use this pattern, as they can create multiple accounts in these cloud services and easily replicate the phishing templates using different URLs. Also, by dividing this phishing in two stages (Google Sites and Microsoft Azure), the attackers are creating more resilience, since they can simply replace an offline URL to another one to keep the operation online.

Netskope strongly recommends users to directly access the website they are trying to reach instead of searching or clicking on any links throughout the internet. For organizations, we also recommend the usage of a secure web gateway, capable of detecting and blocking phishing in real time.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators. Netskope Next Gen SWG inspects all HTTP and HTTPS traffic, using a combination of threat intelligence, signatures, heuristics, and machine learning to identify and block phishing pages in real time.

IOCs

First stage URLs

hxxps://sites.google[.]com/crypto-coinexchange.com/geminiexchangee/home

hxxps://sites.google[.]com/cryptocomlog.com/crypto-com-login/home

hxxps://sites.google[.]com/365cryptocurrencies.com/coinbasewallet/home

hxxps://sites.google[.]com/365cryptocurrencies.com/kucoin-logi/

hxxps://sites.google[.]com/365cryptocurrencies.com/kucoinucentersignin/

hxxps://sites.google[.]com/askmewallet.com/binancewalletextension/home

hxxps://sites.google[.]com/askmewallet.com/geminilogin/home

hxxps://sites.google[.]com/askmewallet.com/pancakeswaplogin/home

hxxps://sites.google[.]com/askmewallet.com/shakepaylogin/home

hxxps://sites.google[.]com/askscryptous.com/coinbaselogin/home

hxxps://sites.google[.]com/askscryptous.com/coinbasewallet/home

hxxps://sites.google[.]com/askscryptous.com/geminisignin/home

hxxps://sites.google[.]com/askscryptous.com/metamask-login/home

hxxps://sites.google[.]com/askscryptous.com/metamasklogin/home

hxxps://sites.google[.]com/askscryptous.com/metamasksignin/home

hxxps://sites.google[.]com/askscryptous.com/metamaskwalletlogin/home

hxxps://sites.google[.]com/bitcoinbasepro.com/coinbaselogincom/

hxxps://sites.google[.]com/coinbasecom.org/coinbaselogin/home

hxxps://sites.google[.]com/coinbaseloginn.com/coinbaseloginn/home

hxxps://sites.google[.]com/coinbselogin.com/coinbaselogin/home

hxxps://sites.google[.]com/coindesklogin.com/coinbase-wallet/home

hxxps://sites.google[.]com/coinlogins.com/coinbase-down/home

hxxps://sites.google[.]com/coinsprologin.com/coinbasewallet-login/home

hxxps://sites.google[.]com/crypto-coinexchange.com/binance-exchange/home

hxxps://sites.google[.]com/crypto-coinexchange.com/coinbaseexchange/home

hxxps://sites.google[.]com/crypto-coinexchange.com/krakenexchange/home

hxxps://sites.google[.]com/crypto-coinwallet.com/coinbase-wallet/home

hxxps://sites.google[.]com/crypto-coinwallet.com/coinbasewallet/home

hxxps://sites.google[.]com/crypto-coinwallet.com/geminiwallet/home

hxxps://sites.google[.]com/crypto-coinwallet.com/metamask-wallet/home

hxxps://sites.google[.]com/cryptobitwallets.com/metamasksignin/home

hxxps://sites.google[.]com/cryptobitwallets.com/metamaskwallet/home

hxxps://sites.google[.]com/cryptocom-login.com/cryptocomloginin/home

hxxps://sites.google[.]com/cryptocomlog.com/cryptocom-login/home

hxxps://sites.google[.]com/cryptologn.com/coinbaseprologin

hxxps://sites.google[.]com/cryptologn.com/coinbasewallet/

hxxps://sites.google[.]com/cryptologn.com/metamasksignin

hxxps://sites.google[.]com/cryptowalletbit.com/blockfi-wallet/home

hxxps://sites.google[.]com/cryptowalletsusa.com/metamasklogin/home

hxxps://sites.google[.]com/cryptowalletts.com/pancake-swap/home

hxxps://sites.google[.]com/csscrypton.com/crypto-login/home

hxxps://sites.google[.]com/ecryptowalletpay.com/coinbase-wallet-login/home

hxxps://sites.google[.]com/gateiolog.com/gateiologin/home

hxxps://sites.google[.]com/kucoin-log.com/kucoinlogini/home

hxxps://sites.google[.]com/kucoinguide.com/kucoinlogin/

hxxps://sites.google[.]com/kucoinguide.com/kucoinloginsignin/

hxxps://sites.google[.]com/metaipmasklogin.com/metamasklogin/home

hxxps://sites.google[.]com/metamamk.com/metamask-log-in/home

hxxps://sites.google[.]com/metamask-ios.com/metamask-extensions/home

hxxps://sites.google[.]com/metamask-ios.com/metamask-login/home

hxxps://sites.google[.]com/metamask-ios.com/metamaskextension/home

hxxps://sites.google[.]com/metamask-ios.com/metamaskloginin/home

hxxps://sites.google[.]com/metamask-ios.com/metamasksigninn/home

hxxps://sites.google[.]com/metamask-log.com/metamask-login/home

hxxps://sites.google[.]com/metamask-log.com/metamask-signin/home

hxxps://sites.google[.]com/metamask-log.com/metamasklogin/home

hxxps://sites.google[.]com/metamask-log.com/metamasksignin/home

hxxps://sites.google[.]com/metamaskexts.com/metamasklogin/home

hxxps://sites.google[.]com/metamaskexts.com/metamaskloginn/home

hxxps://sites.google[.]com/metamaskios.com/metamask-login/home

hxxps://sites.google[.]com/metamaskios.com/metamasksignin/home

hxxps://sites.google[.]com/metamaskios.com/metamaskwallet/home

hxxps://sites.google[.]com/metanimasklogin.com/metamasklogin/home

hxxps://sites.google[.]com/metanimasklogin.com/metamasksignin/home

hxxps://sites.google[.]com/metmasklogin.com/metamask-extension/home

hxxps://sites.google[.]com/metmasklogin.com/metamask-login/home

hxxps://sites.google[.]com/metmasklogin.com/metamaskio-wallet/home

hxxps://sites.google[.]com/metmsk-logi.com/metamasksignin/home

hxxps://sites.google[.]com/meutmask-log.com/metamaskwallet/home/

hxxps://sites.google[.]com/mynewcoins.com/metamasklogin/home

hxxps://sites.google[.]com/myprowallets.com/metamask-extension/home

hxxps://sites.google[.]com/usacoinlogin.com/metamasksignin/home/

hxxps://sites.google[.]com/view/coinbasewallett/home

hxxps://sites.google[.]com/view/gemini-login-usa/

hxxps://sites.google[.]com/view/gemini-login-usa/home

hxxps://sites.google[.]com/view/geminiexchangee/

hxxps://sites.google[.]com/view/geminiwallet/

hxxps://sites.google[.]com/view/metamask-extention/home

hxxps://sites.google[.]com/view/metamaskloginwallet

hxxps://sites.google[.]com/view/metamaskwalletloginus/

hxxps://sites.google[.]com/view/metamaskwallt/home

Second stage URLs

hxxps://caerytos-log.azurewebsites[.]net/

hxxps://cetryeyptos-log.azurewebsites[.]net/

hxxps://coainasbe-log.azurewebsites[.]net/

hxxps://coianasbe-wkalle.azurewebsites[.]net/

hxxps://coinasnbe-walle.azurewebsites[.]net/

hxxps://coinnbass-log.azurewebsites[.]net/

hxxps://crytpeios-log.azurewebsites[.]net/

hxxps://gemnminin-log.azurewebsites[.]net/

hxxps://krakaken-log.azurewebsites[.]net/

hxxps://maataamaask.azurewebsites[.]net/

hxxps://mamametamask-walle.azurewebsites[.]net/

hxxps://metidismakskklo.azurewebsites[.]net/

hxxps://mmetatasamask-log.azurewebsites[.]net/

hxxps://mmetatsamasks-walle.azurewebsites[.]net/

author image
About the author
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.