The Crypto Revolution Reaches Fever Pitch for Today’s Phishing Scammers
Within the past few years, cryptocurrency and blockchain-related technologies have stormed into the public eye, garnering mainstream attention among institutional and everyday investors alike. It was only a matter of time until cybercriminals capitalized on this increased awareness to get in on the action, utilizing the crypto frenzy to create new ways to exploit victims with clever scams.
In fact, according to a recent report by Chainalysis researchers, cryptocurrency-based scammers received a record-breaking $14 billion in deposits throughout 2021, nearly double the amount collected during 2020.
Tracking continuous cyberattack campaigns
As part of our ongoing threat research, Akamai researchers have been able to track continuous cyberattack campaigns that took advantage of the crypto fever, including fraudsters who introduced a variety of phishing schemes built on fake rumors, such as “Amazon to create its own digital token.” This particular scam played directly into victims’ fear of missing out on a limited-time offer to invest in a new (albeit fake) cryptocurrency “opportunity.” The scam played upon the latest sentiments and increasing risk tolerance for crypto investing, leading victims to give away their credentials in the first phase of the fraud campaign.
Once the targets were engaged, victims were led to a well-designed and functional fake website, where they, in turn, paid for the fake cryptocurrency. The scam required the targets to use cryptocurrency — in this instance, bitcoin — as the method of payment for the fake tokens. Cyberattackers prefer cryptocurrency payments since this makes the fraudulent transaction simpler, enables evasion of financial regulatory inspection, and prevents their identities from being exposed.
Cyberattackers exploit a false sense of trust
While crypto-specific phishing scams are relatively new to the threat landscape, a deep dive into malicious campaign activity highlighted the familiar trends that we’ve continued to observe over the past few years. Bad actors still leverage a variety of evasion techniques, making scams harder to detect. By distributing campaigns across popular social networks, attackers exploit the false sense of trust that users have when engaging with social media content. Based on our visibility into various campaign activities, 98% of victims were using mobile devices, with the United States being the top country for targeted victims.
Moreover, evidence showed that the same IP address from the most recent campaign was also used to host crypto-related scams dating back to early 2020, re-emerging every couple of months to abuse different brands with crypto-related phishing scams.
Anatomy of a crypto-phishing campaign
To effectively distribute the scam and establish the required level of victim trust, attackers used a multistage approach that included publishing fake social media posts in targeted interest groups to entice unsuspecting victims. In one case, clicking through on the social network posts led victims to a fake news website (Figure 1), which contained information on a soon-to-be-released crypto token. After approximately 30 seconds on the site, victims were automatically redirected to the fake token website (Figure 2). Potential victims were then prompted to provide credentials to purchase the fake crypto tokens.
Evasion
To remain undetected and maximize the time the scam stayed alive, attackers employed different techniques to make detection more challenging. For example, the fake news webpage was served only when its exact URL was requested. Requests to any other URL on that website redirected visitors to legitimate CNBC website content; this redirecting technique was used to make the attacker’s fake website appear more legitimate by associating it with the real website. Taking this approach also helped attackers reduce suspicion from unwanted visitors.
In another example, evasion techniques were seen on the landing page for the fake crypto token via a captcha-like challenge (Figure 3). The scammers used the captcha-like challenge to filter and block the bots and crawlers that scan the internet for malicious content, thereby keeping the attacker’s website undetected.
Additionally, analysis of the source code from the fake token website revealed that attackers obfuscated malicious code to make these pages stealthier and much harder to detect (Figure 4). Previous research by Akamai confirmed that the use of obfuscated JavaScript is gaining momentum and becoming widely adopted in the wild.
While none of the techniques mentioned above are new to the threat landscape, the use of them demonstrates the cybercriminals’ increased level of sophistication and determination to launch scams that fly under the radar — for as long as possible.
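The cloaking behaviour described in this section (lure served only at its exact URL, every other path on the host bouncing to a legitimate brand site, and a captcha-like gate on the landing page) can be turned into a scoring heuristic for a URL-analysis pipeline. The following is an added example, not Akamai’s tooling: the HTTP fetcher is injected as a parameter so the check runs offline here against a constructed fake host, and the hostnames, probe paths and captcha phrases are assumptions to be tuned for a real deployment.

```python
"""
Heuristic check for the cloaking pattern described above. Added illustration,
not Akamai's code. `fetch` is injected so the logic can run offline against a
constructed stand-in host; in production it would wrap a real HTTP client
running inside a sandboxed analysis environment.
"""
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Response:
    status: int
    final_url: str  # URL reached after following any redirects
    body: str = ""


Fetcher = Callable[[str], Response]

# Phrases a captcha-like gate typically shows (assumed list; extend as needed).
CAPTCHA_HINTS = re.compile(r"captcha|not a robot|verify (that )?you are human", re.I)

# Paths a legitimate site would normally serve itself rather than bounce away.
PROBE_PATHS = ("/", "/about", "/contact", "/robots.txt")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_host_url(url: str, path: str) -> str:
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, path, "", ""))


def assess_cloaking(lure_url: str, fetch: Fetcher) -> dict:
    """Score 0..3: one point per cloaking indicator seen in the campaign."""
    lure_host = host_of(lure_url)
    lure = fetch(lure_url)
    # Indicator 1: the exact lure URL is served on the suspicious host itself.
    served_on_host = lure.status == 200 and host_of(lure.final_url) == lure_host

    # Indicator 2: every other path on that host lands on a different domain.
    offhost_targets = []
    for path in PROBE_PATHS:
        probe = fetch(same_host_url(lure_url, path))
        target = host_of(probe.final_url)
        if target and target != lure_host:
            offhost_targets.append(target)
    probes_leave_host = len(offhost_targets) == len(PROBE_PATHS)

    # Indicator 3: the landing page is gated by a captcha-like challenge.
    captcha_gate = bool(CAPTCHA_HINTS.search(lure.body))

    score = int(served_on_host) + int(probes_leave_host) + int(captcha_gate)
    return {
        "lure_host": lure_host,
        "served_on_host": served_on_host,
        "probes_leave_host": probes_leave_host,
        "offhost_targets": sorted(set(offhost_targets)),
        "captcha_gate": captcha_gate,
        "score": score,
        "verdict": "likely cloaked lure" if score >= 2 else "no cloaking indicators",
    }


# Constructed offline stand-in for a cloaked host; all hostnames are placeholders.
LURE = "https://fake-news.example/token-presale-announced/"


def fake_fetch(url: str) -> Response:
    if url == LURE:
        return Response(200, url, "<h1>Presale</h1><p>Complete the captcha to continue</p>")
    if host_of(url) == "fake-news.example":
        # Any other path bounces to the impersonated brand's real site.
        return Response(200, "https://www.brand-news.example/", "<html>real site</html>")
    return Response(404, url)


def benign_fetch(url: str) -> Response:
    # An ordinary site serves its own pages on its own host.
    return Response(200, url, "<html>ordinary page</html>")


if __name__ == "__main__":
    print(assess_cloaking(LURE, fake_fetch))
    print(assess_cloaking("https://ordinary.example/news/", benign_fetch))
```

The probe paths are deliberately ones a real news site would answer itself; a host that bounces all of them to another brand while still serving one deep path is behaving exactly as the campaign’s fake news site did. Treat the score as a triage signal to be combined with the IOC data below, not as a standalone verdict.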
The scam victims
The ultimate goal of the scam was to lead victims into believing the fake cryptocurrency was real and pay for it with their own cryptocurrency (bitcoin). To drive victim engagement and trust, attackers created a fully functional website that required registration, account confirmation using email, and a user account profile. Additionally, the website included social engineering techniques that presented a fake progress bar, indicating tokens were about to sell out, adding pressure to the victim’s purchasing decision.
Victim engagement
On top of that, to engage other victims and perpetuate the scam, the website offered a referral program for friends and family. In doing this, the threat actors created a new trustworthy channel through which current victims referred other potential targets.
A closer look at victims who visited the fake token landing pages showed that 98% of the victims were mobile users, with 56% using Android and 42% using iPhone devices. These numbers don’t come as a surprise as similar trends in the usage of mobile devices in crypto scams have been observed in previous research. It’s no secret that mobile devices have become the primary means for consuming social media, gaming, reading news, and communicating via messaging applications, which drives the surge in victims landing on scams via mobile channels.
Looking into the geographic breakdown for campaign victims shows that 29% were located within North America, 35% in South America, and 27% in Asia (Figure 7). The fact that victims are distributed fairly evenly across these continents shows that this is a global campaign that is not targeting specific geographical locations.
Summary
Scams that take advantage of the consumer frenzy around crypto to launch phishing campaigns are on the rise — we’ve seen a continuous uptick in such scams since 2020. Analysis of the IP addresses associated with these crypto scams shows activity dating back to early 2020 against well-known brands. According to VirusTotal (Figure 8), one IP address was associated with more than 60 phishing domains and with various malware files.
It’s clear that cybercriminals are adopting and adjusting scams to make them more relevant so victims will be more likely to engage with malicious content. Based on our research, we predict that crypto scams will continue to drive many nefarious activities throughout the 2022 threat landscape. As defenders, it is our duty to join forces to combat this malicious trend, share information, and help eliminate threats while educating consumers to stay vigilant and avoid falling victim to crypto-phishing scams.*
At the end of the day, if it sounds too good to be true, it probably is.
*Akamai reported our research findings to the Amazon security team, thereby helping to mitigate the scam, and deployed relevant protections for Akamai customers.
IOC for recent campaigns
IP address:
45.12.32.37
185.232.52.46
Domains:
amazonwallet[.]tw
amazontoken[.]sale
diemwallet[.]world
diemwallet[.]sale
amazonglobal[.]io
diemfinancial[.]io
diemglobal[.]sale
futurediem[.]io
diemdigital[.]io
amazontoken[.]world
cnbcnewsp[.]buzz
cnbcworldnews[.]com
cnbcworld[.]news
cnbcnews[.]tech
URLs:
https://cnbcnews[.]tech/the-amazon-token-presale-is-coming-on-november-6/