Overview of the Netlify Scam
Netskope Threat Labs spotted a new crypto-phishing attack that aims to steal sensitive data from crypto wallets, including private keys and security recovery phrases, disguising itself as a service to revoke stolen ERC (Ethereum Request for Comments) assets. The page was created and hosted with Netlify, which is a free cloud service to create websites and apps.
What makes this Netlify scamming technique novel is that the attacker is targeting 21 cryptocurrency wallets in the same page, eliminating the need to maintain individual websites for each type of crypto wallet, like we saw in the crypto-phishing campaigns we spotted in August and September. Those attacks were targeting multiple crypto wallets through a chained phishing attack abusing Google Sites and Microsoft Azure.
In this blog post, we will analyze this phishing page to demonstrate how this new technique works.
How the Netlify Crypto Phishing Attack Works
The phishing page is hosted with Netlify and the main page tries to lure the victim by mimicking a service to revoke stolen ERC assets. To lure the user to use the fake service the page offers a fake connection with 21 different cryptocurrency wallets, which include:
- MetaMask
- Trust
- Coinbase
- crypto.com
- Blockchain
- Binance Smart Chain
- Safepal
- Argent
- Fortmatic
- Aktionariat
- Keyring Pro
- BitKeep
- SparkPoint
- OwnBit
- Infinity Wallet
- Wallet.io
- Infinito
- Torus
- Nash
- BitPay
- imToken
Once the victim selects a cryptocurrency wallet to connect, the phishing page displays a fake modal that simulates a connection with the wallet’s service.
Then, a new modal is displayed, asking the victim for sensitive data in order to proceed with the fake revoking service. It tries to steal three different types of data. The first one is the cryptocurrency private key.
In this specific modal, there’s even a typo in the word “Revoke”.
The second piece of data it tries to steal is the security recovery phrase