Website Phishing

in #money6 years ago

Hack and scam are regular activities in the cryptovironment. There are several ways, you can be robbed of your hard earned money but you can protect yourself if you are well educated about the latest threat. In this article, I'll expose some scams that have robbed people of their money and equip you with weapons to protect yourself and your wealth.

In the last post I explained what phishing is, and social media phishing. We shall continue with phishing via email, website and online ad. If you haven't read it, I recommend you to read it by clicking here.

The aim of website phishing is to obtain valuable sensitive information through a fake website that was setup to look like a real, established authority's website.

How domain works

The phishers ultimate goal is to deceive you to a spoofed website that was made to look like the legitimate website to gain information to access your funds.

There are usually two ways to make a spoofed website look legitimate - by having a similar URL and a similar website design as the real website.

A poorly designed phishing site is definitely a giveaway that the site is illegitimate. However, most of the phishers are or hire good web designers so that the website design is almost identical to the real site. Also, some projects such as MyEtherWallet are open source, which means that anyone can obtain a copy of the source code and reproduce the look and feel of the website easily. This made MyEtherWallet (MEW) especially popular among phishers.

The best way to distinguish a phishing site from the original website is through the website URL. Phishers might be able to copy the exact look and feel of the real website but they can never acquire the same domain address as the real website.

Let's use MyEtherWallet as a case study. MyEtherWallet homepage address is https://www.myetherwallet.com

  • https indicates the protocol, it indicates that the website connection is secure, while http (without the "s") means the communication to this site is not secure.

  • www refers to the subdomain of the website. A registered domain is allowed to have multiple subdomains to host different content. For example there are different contents hosted on www.myetherwallet.com and team.myetherwallet.com. However, all subdomains are under the control of the main domain register. One can also choose to host the website on a bare domain (without a subdomain) such as https://myetherwallet.com.

  • myetherwallet is usually referred to as the second level domain name. It is in most cases also the brand name.

  • .com is referred to as Top Level Domain (TLD).

  • myetherwallet.com is the website's domain, it comprises of TLD and second level domain name. A domain is unique and is owned by the company/person who registered it. Once a domain is registered and active, no one else can use the same domain unless the original owner is willing to sell or transfer it.

Phishers play tricks with a website's URL by registering a domain name with small, easy to miss differences from the real website domain. If you are not careful and are not aware, small variations in domain names can make a huge difference.

Some of the tricks are

  • Changing the Top Level Domain (TLD): If the second level domain name is the same but the TLD is not, it is very likely to be a phishing website. Examples of phishing sites that impersonates MEW are;

    • myetherwallet.cam
    • myetherwallet.com.ua
    • myetherwallet.biz
    • myetherwallet.co
    • myetherwallet.xyz
  • Changing, adding or removing characters: This character might be alphanumeric or non-alphanumeric. Examples are;

    • myethervvallet.com
    • my-ether-wallet.com
    • myetherwalliet.com
    • myether-wallet.com
    • myetherwallet5.com
    • myetherwallaet.com
    • secure-myetherwallet.com
    • update-myetherwallet.com
  • Use of subdomain: Since you can't get myetherwallet.com, why don't you register erwallet.com and create myeth subdomain to get myeth.erwallet.com URL. As I've said earlier, www.myetherwallet.com, and team.myetherwallet.com and even blog.myetherwallet.com belong to myetherwallet.com. But, myeth.erwallet.com belongs to erwallet.com. Do you understand the difference? Other examples are;

    • myetherwa.llet.com
    • myet.herwallet.com
    • myetherwallet.com87526.com
    • myetherwallet.com855668.ml
  • Punycode Domains: Browsers support displaying character encodings beyond the English alphabet you’re used to seeing. “Punycode” allows attackers to purchase domain names containing these alternate encodings using only ASCII characters. For example;

    • myętherwallet.com
    • myẹtherwallẹt.com
    • myețherwallet.com
    • mýetherwallet.com
  • Any combination of the above samples. E.g

    • myether-wallet.net
    • myethe.rwallet.ca
    • myetherwallwt.biz-promo.nl
    • myethęrwallet.cc
  • Just any goddamn domain can be used by Phishers, including the ones you would notice at a glance. You can check etherscamdb for more samples and scamming lists.

Phishers often exploit the lack of knowledge about domain names to trick users into thinking their sites are legitimate when they are infact not. Here are some tips;

  • http is red meaning dangerous, so flee for your life
  • When in doubt, check the URL letter by letter and proceed only when it is an exact match to the real site's URL.
  • If you are still not sure, type in a wrong password, and if it logs you in, it is surely fishing. However, this method might not work always.
  • The best thing to do is to save exchange, wallet and any asset websites to your bookmarks and access them through your bookmark ONLY. I repeat, through your bookmark ONLY.

Phishing marketing strategy

A phishing website will never make money simply by creating a fake website. It needs leads, traffic and potential customers. They gain traffic by sending sms/email or through ads.

Email

This is another popular way for phishers to contact users. Links contained in an email will lead users to a spoofed-website, and ask them to reveal sensitive information, such as their private keys etc.

One popular email phishing technique is to pose as a legitimate cryptocurrency exchange or wallet service, inform the user that they have detected unusual activity on their account recently, and urge the user to confirm such activity.

Another popular phishing email template is to inform the user that there is a pending transaction for his/her exchange or wallet account, and the user needs to confirm the authenticity of the transaction before it gets processed.

Both types of emails will include a link for confirmation, and the link will subsequently lead the user to a phishing site where the user will be asked to enter sensitive information, such as passwords, private keys, etc.

Below are 2 real-life examples reported on bitcoinwhoswho blog posing to be MyEtherWallet and Coinbase respectively.

[email protected]

Hi bitcoinwhoswho.com,
MyEtherWallet has recently been targeted by attackers trying to obtain access to wallets on the Ethereum network.
In order to prevent any other security issues, we have implemented Two Factor Authentication.
However, the Two Factor Authentication wallet security has to be activated by our users manually.

In order to set up Two Factor Authentication and to secure your wallet, please visit the link below to upgrade your wallet to the new security protocols.

UPGRADE YOUR WALLET

“PLEASE UPDATE YOUR WALLET ON HERE AS SOON AS POSSIBLE IN ORDER TO MINIMIZE THE RISK OF LOSING FUNDS OR TOKENS.”
Thanks and be well,
kvhnuke @ MyEtherWallet LLC

Ethen wallet

[email protected]

You just sent0.04804 ETH
Congratulations! You have successfully sent 0.04804 ETH (worth $12.00 USD) to 0x598944a224d65f4F8AD1fB0828308556F11D7543 using Coinbase. To facilitate this transaction, you paid 0.00021 ETH (worth $0.06 USD) in network fees.
This withdrawal is being sent to an address (“0x598944a224d65f4F8AD1fB0828308556F11D7543”) that you haven’t previously used.

If you believe your account activity is unauthorized, please click the button below to cancel the transaction and restore access to your account.

Cancel this transaction

Colnbase

phishing-email-example.png

Above are just 2 examples of possible phishing emails. They both are trying to exploit users’ sense of urgency, thinking they are dealing with unauthorized transactions, and that their accounts are under attack.

When people think their accounts are not secure, they tend to act hastily, without scrutinizing whether or not the source and the content of the message are legitimate. And that’s when they visit phishing sites without looking twice.

There are few ways to distinguish phishing emails, such as the appearance of typos, wrong graphics, wrong colors, etc. However, the best way to detect them is by looking at the email sender address.

As you can see from the examples; colnbase.support is pretending to be coinbase.com, while myethenwallet.com is impersonating myethenwallet.com. By clicking on the drop down beside the sender's name in Gmail, you can also see, in addition to sender’s address, who it is mailed by, and whether or not it has been signed by a trusted domain.

gmail-sender-info.png

Never trust an email solely based on the sender’s name. Anyone can put whatever name they want in the “From” field. Inspect the domain name and refer to our previous section on domain names when in doubt.

Another important thing to mention here is DO NOT click on any link and DO NOT download any attachment from untrusted emails.

Why?

Sometimes, even though the links may appear legit, for example, displaying the text myetherwallet.com, clicking on the link may actually take you to a phishing site, such as my-ether-phishing-example.com. Most email formatting follows standard HTML guidelines. Standard markup allows you to edit where the link redirects to, which can be vastly different than the displayed text.

Last, but not least, downloading an attachment from an untrusted source is the number 1 way to get your computer infected with malware. Read up on this cautionary tale from imgur.

(Google) Ads Phishing

A more recent phenomenon of phishing is done by abusing search engine ad networks such as Google Ads to display phishing sites and fool users into clicking the phishing site. Phishing websites don't rank well because of Google's algorithm, so they buy Google ads to be on top of list.

1_ia8a-6gBlxuOSurAbXkzTg.png

A search query for ‘blockchain’ shows that the top results are ads.
The first ad links to blockchalin.info (notice the extra L), which can easily be confused for the legitimate URL. Again, once you click on it and fill in your info, the page will steal your sensitive credentials and send them to the phishers who’ll steal your cryptocurrencies.

Below are more examples

Screen-Shot-2018-01-29-at-11.17.59-PM.png

blockchain-google-search-result.png

Our advice is as follows: download an ad-blocker to hide such ads on your search engine and always double-check if you’re on the correct site by checking its URL and SSL certificate.

Unconventional Methods: Phone call, SMS & targeted Social Engineering attacks.

The above two ways have one thing in common, namely the fact that they indiscriminately target a massive number of users. None of them will have any actual identifying information (such as your name, address or the like) and are a one-size-fits-all way of phishing, therefore not effective for a majority of users. There is however the possibility of falling victim to a targeted and more effective way of phishing you should be aware of.

1_6dL2aPGCSKB2PC6qPpvO4g.png
This is a spoofed SMS sent to a personal phone number. Seemingly legitimate, the SMS is actually from a phisher looking to steal cryptocurrencies

If we look at the above image, it may look as if it’s a real message sent by Coinbase. The name of the sender is Coinbase, and you’re greeted with your real name. Who else aside from Coinbase would know your real name, number and the fact that you have a Coinbase account?

This is a good example of a targeted Social Engineering attack. If your details have been breached or are publicly available, and it is known that you hold a large sum of money on exchanges and online wallets, then you should be cautious of such attacks.

Targeted Social Engineering attacks often consist of: spoofed SMS messages with your real name, legitimately-looking emails (again with your real name and account details), legitimately-looking websites with an SSL certificate and even phone calls by a seemingly legitimate employee.

Our advice for if/when you receive such emails, SMS’s, phone calls and the like: do not proceed under any circumstance. Instead, directly contact the company you’re dealing with by either calling them on their publicly available phone number, through Social Media such as Twitter, Reddit or Facebook or open a ticket through their helpdesk.

Additionally

  • If something seems overly urgent, ask yourself why. These scammers will play on your fears, your fear of missing out, and your desire to get rich quick in order to fool you.
  • If you take an email from the service you use, do not reply till you have verified the sender is legitimate.
  • Do not use open Wi-Fi networks while using e-wallet or other important banking transactions.
  • Use an updated antivirus application to avoid all kind of malware.
  • Update your entire system and software

Enable two factor authentication (2FA)

This is what might save your ass when everything goes wrong. It is better to use authentication app such as Google authentication because an SMS can be intercepted.

Most of the practical example are not fresh. The downtrend of the price of coins and the temporal ban of crypto-related ads by Google and Facebook are probably some of the reasons there's decline in such scams. However, I believe that this type of scams would be on a bull as cryptocurrencies gets more widespread and the price rises. I hope this post will help when that time comes.

Please leave your comments and don't forget to share/resteem this post.

Sort:  

For those who followed me because of the last post. I want to apologize. I promised to make this post within 48 hours, but I was unable to meet the deadline because my phone got damaged.

I also want to bring to your notice, chat phishing.

Chat phishing
Even more recent is the well-known wave of phishing done on Slack channels and other chat platforms such as WhatsApp, Skype and Telegram. On Slack, this is usually done either by using the standard slackbot or fake accounts (bots) who mass-DM users within a Slack group.

1_IH8HC7m_06V7MfrNcveJEg.png

In the above image you see that the standard slackbot sends you a phishing message with a seemingly legitimate URL (myetherwallet.com) which in fact refers to a phishing URL (suncontract.su). Our advice therefore is similar to the previous advice we have given: always double-check the URL and don’t click on links sent to you by people you do not know.

Congratulations @bizy! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of posts published

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard:
SteemitBoard and the Veterans on Steemit - The First Community Badge.

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!