Summary
On August 9, 2022, we released a blog post about a phishing campaign where attackers were abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from different targets, namely Coinbase, MetaMask, Kraken, and Gemini. The attackers were abusing SEO techniques to spread the pages and using advanced techniques to steal data, such as using live chats to interact with victims.
Over the past month, the attackers responsible for the phishing campaign have proven to be resilient to take-downs. Most of the URLs we found in August are still active and the attacker is taking measures to keep the operation online. Furthermore, we found new phishing pages with the same targets disclosed in the initial research, and new phishing pages mimicking Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay.
We found the following target distribution when analyzing the URLs hosted on Google Sites:
In this blog post, we provide a follow-up to the blog post we released in August, showing what has changed since then.
How the attack works
- The victim searches for a cryptocurrency website using specific keywords (e.g. “have MetaMask account”) and the phishing page is displayed first or among the first results.
- The first phishing page mimics the original website and contains a lot of elements to boost SEO. This stage redirects the victim to another phishing website via links within the page.
- The second phishing page tries to steal sensitive information, such as the cryptocurrency account credentials or secret recovery phrases.
- The last page also comes with a live web chat where the attacker interacts with the victim, likely to steal more sensitive data.
Attacker’s resilience
Analyzing the URLs we found in August, we noticed that over the past month:
- All of the URLs used in the second stage were taken down;
- 75% of the first stage URLs remain online, and for those URLs the attacker either:
  - Removed the second stage URL;
  - Added a new online second stage URL.
The Google Sites information banner indicates that the attacker is constantly updating the first stage pages.
In summary, the attacker is replacing the Microsoft Azure URLs with new ones to remain operational. Also, in some cases the attacker simply removed the offline URL instead of adding a new one, likely to avoid redirecting the user to an offline page that was already flagged as phishing while they work to bring another page online.
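As an added example (not part of the original post and not the authors' own tooling), the following Python script applies the check described above to a saved copy of a first stage page: it extracts outbound links to Azure Web Apps hostnames and classifies the page as unchanged, second stage removed, or second stage replaced compared with an earlier crawl. The HTML pages and hostnames are constructed placeholders, not indicators from the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffix of the service the post reports hosting second stage pages.
SECOND_STAGE_SUFFIX = ".azurewebsites.net"

# Constructed sample first stage pages (placeholder hostnames, not real IoCs).
AUGUST_PAGE = """<html><body><h1>MetaMask Login</h1>
<a href="https://metamask-login-example.azurewebsites.net/">Log in</a>
<a href="https://sites.google.com/view/example-site">Home</a></body></html>"""
SEPTEMBER_PAGE = """<html><body><h1>MetaMask Login</h1>
<a href="https://mm-wallet-example2.azurewebsites.net/">Log in</a></body></html>"""
STRIPPED_PAGE = "<html><body><h1>MetaMask Login</h1><p>Coming soon</p></body></html>"


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags of a first stage page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def second_stage_hosts(html):
    """Return the set of second stage hostnames linked from a first stage page."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for link in parser.links:
        host = (urlparse(link).hostname or "").lower()
        if host.endswith(SECOND_STAGE_SUFFIX):
            hosts.add(host)
    return hosts


def classify_change(previous_hosts, current_html):
    """Compare hosts seen in an earlier crawl with a fresh copy of the page.

    Returns "unchanged", "replaced" (a new second stage host appeared) or
    "removed" (hosts disappeared and none were added), the three outcomes
    observed in the follow-up analysis.
    """
    current = second_stage_hosts(current_html)
    previous = set(previous_hosts)
    if current == previous:
        return "unchanged"
    if current - previous:
        return "replaced"
    return "removed"
```

Run it against the pages you captured in each crawl; a "replaced" result is the signal to submit the new second stage host for takedown.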
New targets
Aside from the companies we have previously identified, we found new Google Sites URLs for