Summary
Throughout 2022, Netskope Threat Labs found that attackers have been creating phishing pages in Google Sites and Microsoft Azure Web App to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
These phishing pages are linked from the comment sections of other websites, where the attacker adds multiple links to the phishing pages, likely to boost SEO and drive victims directly to these pages. The main goal of this campaign is to steal cryptocurrency exchange accounts or recovery phrases, which allows the attacker to import existing crypto wallets.
In this blog post, we will analyze these phishing pages to demonstrate how they work.
How is it spread?
We found that most of these phishing pages are linked from the comment sections of other websites, mostly blogs. The attacker adds links to one or more phishing websites, with URLs that contain elements intended to boost SEO.
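For blog owners moderating comments, the pattern described above can be checked mechanically. The following is an added example, not code from Netskope or from the campaign: it assumes the services' default hostnames (sites.google.com and azurewebsites.net) and, as a heuristic of our own, treats a brand name in the link URL or anchor text as the signal; the sample comment and its URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Default hostnames of the two hosting services named in the post.
HOSTING_SUFFIXES = ("sites.google.com", "azurewebsites.net")
# Brands the post lists as impersonated.
BRANDS = ("coinbase", "metamask", "kraken", "gemini")

class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from comment HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def on_hosting_service(url):
    """True when the URL's host is one of the services or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in HOSTING_SUFFIXES)

def flag_comment(comment_html):
    """Return links hosted on those services that name a listed brand
    in the URL or anchor text (heuristic assumed for this example)."""
    parser = LinkExtractor()
    parser.feed(comment_html)
    return [href for href, text in parser.links
            if on_hosting_service(href)
            and any(b in (href + " " + text).lower() for b in BRANDS)]

# Constructed sample comment; every URL below is made up for this example.
SAMPLE_COMMENT = (
    '<p>Nice post! <a href="https://sites.google.com/view/example-metamask-login">MetaMask Login</a> '
    '<a href="https://example-wallet-help.azurewebsites.net/">Coinbase Support</a> '
    '<a href="https://sites.google.com/view/example-school-club">our club</a> '
    '<a href="https://sites.google.com.lookalike.example/kraken">Kraken</a></p>'
)

if __name__ == "__main__":
    print("\n".join(flag_comment(SAMPLE_COMMENT)))
```

Links on the same services that name no listed brand, and lookalike hosts that merely start with a service name, are not flagged.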