Summary
Throughout 2022, Netskope Threat Labs found that attackers have been creating phishing pages in Google Sites and Microsoft Azure Web App to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
These phishing pages are linked from the comment sections of other websites, where the attacker adds multiple links to the phishing pages, likely to boost SEO and drive victims directly to these pages. The main goal of this campaign is to steal cryptocurrency exchange accounts or recovery phrases, which allows the attacker to import existing crypto wallets.
In this blog post, we will analyze these phishing pages to demonstrate how they work.
How is it spread?
We found that most of these phishing pages are linked from the comment sections of other websites, mostly blogs. The attacker adds links to one or more phishing websites, where the URL contains elements to boost SEO.
These comments are posted by random accounts, and sometimes there are multiple links leading to different phishing pages.
Furthermore, the attackers are using these SEO techniques to make the phishing pages appear as the first result on search engines, like Google.
How does it work?
The main page is hosted with Google Sites and mimics the cryptocurrency website that it’s targeting. In the example below, we will demonstrate how the MetaMask phishing works. The landing page is very similar to the real MetaMask website.
The phishing page also contains a fake FAQ, as an additional measure to convince victims that the page is real and to improve SEO.
Once the victim clicks “Download now” or “Login”, the user is redirected to another page hosted with Azure Web Apps.
For the MetaMask phishing, there are two options. The first, reached through the “Import wallet” button, tries to steal the secret recovery phrase, which can be used to take over existing wallets. The second tries to steal the username and password.
More targets
We also found online phishing campaigns targeting Coinbase, MetaMask, Kraken, and Gemini, all using the same attack flow: the main page is hosted with Google Sites and the second stage with Azure Web App.
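The two-stage flow described in “How does it work?” and “More targets” (a brand-named landing page on Google Sites that forwards the victim to an Azure Web App) leaves a recognizable trail in web proxy logs. The following is an added example, not Netskope’s code, that runs a detection heuristic over constructed sample log lines; the log format, the hostnames and the `sites.google.com` / `.azurewebsites.net` host patterns are assumptions, and the Azure and Google Sites hostnames shown are made up, not indicators from the campaign.

```python
from urllib.parse import urlparse

# Brands named in the campaign described in the post.
TARGET_BRANDS = ("coinbase", "metamask", "kraken", "gemini")

# Constructed sample proxy log lines: "timestamp user requested_url referer".
# Hostnames are invented for the example and are not real indicators.
SAMPLE_LOGS = """\
2022-06-01T10:00:01Z alice https://sites.google.com/view/metamask-login-wallet/home https://blog.example/post/123#comments
2022-06-01T10:00:09Z alice https://metamask-import-wallet.azurewebsites.net/import https://sites.google.com/view/metamask-login-wallet/home
2022-06-01T10:05:00Z bob https://docs.example.org/guide https://www.google.com/
2022-06-01T10:06:00Z carol https://sites.google.com/view/team-offsite-2022/agenda https://mail.example.org/
2022-06-01T10:07:00Z dave https://legit-app.azurewebsites.net/ https://intranet.example.org/
"""

def host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()

def brand_in(url):
    """First targeted brand keyword found anywhere in the URL, else None."""
    low = url.lower()
    return next((b for b in TARGET_BRANDS if b in low), None)

def classify(entry):
    """Label an entry as stage 1, stage 2, or None when it matches neither pattern."""
    url_host, ref_host = host(entry["url"]), host(entry["referer"])
    brand = brand_in(entry["url"]) or brand_in(entry["referer"])
    if brand is None:
        return None
    # Stage 1: a brand-named page hosted on Google Sites (the landing page).
    if url_host == "sites.google.com":
        return f"stage1-google-sites:{brand}"
    # Stage 2: an Azure Web App reached directly from a Google Sites page.
    if url_host.endswith(".azurewebsites.net") and ref_host == "sites.google.com":
        return f"stage2-azure-from-google-sites:{brand}"
    return None

def scan(log_text):
    """Return (user, url, label) for every log line that matches the flow."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url, referer = line.split()
        label = classify({"ts": ts, "user": user, "url": url, "referer": referer})
        if label:
            findings.append((user, url, label))
    return findings
```

Brand keywords such as “gemini” or “kraken” occur in benign URLs too, so treat a stage-1 hit as a triage lead and a stage-1 followed by a stage-2 hit for the same user (as for `alice` here) as the stronger signal.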