Phishing Alert: 30 Domains Targeting Crypto Users

by Alex Johnson

In the ever-evolving landscape of cybersecurity, identifying and mitigating phishing threats is paramount. This article delves into a recent discovery of 30 malicious domains actively involved in phishing campaigns, primarily targeting cryptocurrency users and companies. These domains mimic legitimate services, employing deceptive tactics to steal sensitive information, such as cryptocurrency seed phrases and keys. This report serves as a critical resource for understanding the nature of these threats and how to stay protected.

Executive Summary: Understanding the Phishing Threat

This report highlights 30 domains confirmed to be engaged in active phishing operations. These domains exhibit characteristics indicative of malicious infrastructure and present a significant security risk to internet users. The primary goal of these phishing campaigns is to deceive users into divulging their cryptocurrency credentials, leading to potential financial losses. It is crucial to exercise caution and remain vigilant when interacting with online platforms, especially those related to cryptocurrency.

Threat Analysis: How Phishing Attacks Work

These domains are part of a sophisticated phishing campaign specifically designed to target cryptocurrency companies and individual cryptocurrency holders/investors. Attackers employ various deceptive methods, including:

  • Fake login pages that mimic legitimate cryptocurrency exchange or wallet interfaces.
  • Deceptive Web3 wallet connection prompts that trick users into connecting to malicious sites.
  • Fake cryptocurrency exchange/swap interfaces that steal credentials when users attempt to conduct transactions.
  • Modified or malicious software designed to extract cryptocurrency seed phrases and keys.

Technical Details: Cloaking and Redirection

One of the key techniques used by these attackers is cloaking. The attacker's server checks whether the incoming request satisfies a set of internal rules (the details of which are not visible from outside); a request that fails those checks is not shown the phishing page but is instead served something else, such as:

  • A non-existent subdomain (e.g., "www.www.").
  • A legitimate website to create a false sense of security.
  • HTTP error responses, such as 403, 404, or 502, which make the site look broken or offline to anyone who is not the intended victim.
  • SSL certificate errors, which should immediately raise suspicion.
  • Infinite loading screens, preventing the user from accessing the intended content.
  • A fake Cloudflare (or other service) CAPTCHA to appear legitimate while masking malicious activity.
  • Content that is different from the actual phishing page, further concealing the attack.

Detections & Targeted Brands: Who is at Risk?

The following domains have been identified as targeting specific brands within the cryptocurrency space:

  • fixedfloat.ac, ff-app.to, ff-io.to, fixedfloat.ca, ff-info-online.com, and ff-exchahge.cyou: These domains target FixedFloat (ff.io), a cryptocurrency exchange service. VirusTotal reports multiple detections for these domains, and they are also listed on Spamhaus and APVA, indicating their malicious nature. These sites may attempt to steal login credentials or intercept transactions.
  • v2-dexcsreener.net and v2-dexscreener.cc: These domains target DEX Screener (dexscreener.com), a platform for tracking decentralized exchange (DEX) activity. They are listed on Spamhaus and APVA, with VirusTotal detections confirming their phishing intentions. Users should be wary of any login prompts or requests for sensitive information on these sites.
  • v2-camelot-ex.com and camelot.exc-v3.run: These domains target Camelot DEX (camelot.exchange), another decentralized exchange. They are listed on Spamhaus and APVA, with VirusTotal flagging them as malicious. Phishing attempts may involve fake token listings or fraudulent transaction interfaces.
  • cloudns.to, ns1.cloudns.to, and ns2.cloudns.to: These domains target ClouDNS, a DNS service provider. While the direct threat may be less obvious, these domains could be used in broader campaigns or to compromise DNS settings.
  • at0micwallets.com: This domain targets Atomic Wallet (atomicwallet.io), a cryptocurrency wallet. It has multiple VirusTotal detections and is listed on APVA, indicating a high risk of phishing attacks aimed at stealing wallet credentials and private keys.
  • trezor.la: This domain targets Trezor Wallet (trezor.io), a hardware wallet provider. Listed on Spamhaus, this domain likely hosts fake interfaces to trick users into entering their seed phrases, compromising their hardware wallets.
  • kodiakfinance-kodiak-finance.org, kodiakfinance.net, kodiak-finance-kodiakfinance.com, kodiakfinance-kodiak-finance.com, kodiakfinance-kodiak-finance.net, app.kodiakifnance.run, and kodiak-finance.io-t2.digital: These domains target Kodiak Finance (kodiak.finance), a DeFi platform. The high number of detections and listings on Spamhaus and APVA confirm these domains are actively involved in phishing campaigns to steal user credentials and assets.
  • app.uniswaq.org and chicavora.com: These domains target Uniswap (uniswap.org), a popular decentralized exchange. VirusTotal detections and Spamhaus listings indicate that these sites likely host fake Uniswap interfaces to steal cryptocurrency from unsuspecting users.
  • changenow-io.us: This domain targets ChangeNOW (changenow.io), an instant cryptocurrency exchange service. It has detections on VirusTotal and is listed on Spamhaus and APVA, suggesting a risk of phishing attacks designed to intercept or reroute cryptocurrency transactions.
  • exodus-wallets.io: This domain targets Exodus (exodus.com), a multi-cryptocurrency wallet. The high number of VirusTotal detections and listings on Spamhaus and APVA highlight the significant threat of phishing attacks aimed at stealing private keys and wallet contents.
  • sushiswap.to: This domain targets SushiSwap (sushi.com), another decentralized exchange. With multiple VirusTotal detections and listings on Spamhaus and APVA, it poses a risk of phishing attacks designed to steal user funds through fake swap interfaces.
  • legder.at: This domain targets Ledger (ledger.com), a hardware wallet provider. Listed on Spamhaus and APVA, this domain likely hosts fake Ledger Live interfaces to trick users into entering their seed phrases, compromising their hardware wallets.
  • electrum-data.cc: This domain targets Electrum (electrum.org), a popular Bitcoin wallet. Listed on Spamhaus, this domain likely distributes malicious Electrum wallet software designed to steal Bitcoin from users.
  • dashboard.www.legder.at: This domain targets Ledger (ledger.com), a hardware wallet provider; it is a subdomain of the legder.at domain listed above.
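The names above follow a few recurring lookalike patterns: transposed letters (legder, dexcsreener, kodiakifnance), a digit standing in for a letter (at0micwallets), the brand token padded with version tags or extra words (v2-camelot-ex, exodus-wallets), and the exact brand on a different TLD (trezor.la, sushiswap.to). The Python script below, added here as an example and not part of the original report, triages candidate host names against the legitimate brands the report names; it assumes the last label is the TLD and splits the remaining labels on hyphens, so a production version would consult a public-suffix list instead.

```python
import re

# Legitimate brands named in the report (brand token -> legitimate site).
BRANDS = {
    "fixedfloat": "ff.io", "dexscreener": "dexscreener.com",
    "camelot": "camelot.exchange", "atomicwallet": "atomicwallet.io",
    "trezor": "trezor.io", "kodiak": "kodiak.finance", "uniswap": "uniswap.org",
    "changenow": "changenow.io", "exodus": "exodus.com", "sushiswap": "sushi.com",
    "ledger": "ledger.com", "electrum": "electrum.org",
}
# Digits attackers swap for look-alike letters (at0micwallets -> atomicwallets).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(token):
    """Lowercase, undo digit-for-letter swaps and keep only letters."""
    return re.sub(r"[^a-z]", "", token.lower().translate(HOMOGLYPHS))


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so legder/ledger and dexcsreener/dexscreener both score 1."""
    # d[i][j] = distance between a[:i] and b[:j]; first row/column = i or j.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def match_brand(host):
    """Return (brand, legitimate_site, reason) for the brand a host name
    impersonates, or None. Every label except the TLD is split on hyphens and
    checked, because the lure often sits in a subdomain (app.kodiakifnance.run)
    or next to a version tag (v2-dexcsreener.net). Assumes the last label is the
    TLD; a production version would consult a public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")[:-1]
    tokens = [normalize(t) for label in labels for t in label.split("-")]
    for tok in tokens:
        for brand, site in BRANDS.items():
            if len(tok) > len(brand) and brand in tok:  # kodiakfinance, atomicwallets
                return brand, site, f"contains brand token '{brand}'"
            dist = osa_distance(tok, brand)
            if dist == 0 or (dist == 1 and len(tok) >= 5):  # exact, or one slip
                return brand, site, f"edit distance {dist} from '{brand}'"
    return None
```

Names that carry no recognisable brand token (chicavora.com, ff-app.to) fall through to None, which is why name-based triage complements content-based checks rather than replacing them.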

Visualizing the Threat: Diagrams

The diagrams provided offer a comprehensive overview of the phishing campaign, illustrating the relationships between targeted brands, phishing domains, hosting infrastructure, and domain registrars. These visualizations aid in understanding the scope and complexity of the threat.

Phishing Campaign Mindmap Overview

This mindmap provides a high-level view of the campaign, highlighting the targeted brands and the corresponding phishing domains. It visually represents the scope of the attack and the various entities being impersonated.

Phishing Campaign Full Overview

This detailed flowchart maps the connections between targeted brands, phishing domains, hosting infrastructure (including ASNs and IP addresses), and domain registrars. It offers a granular understanding of the infrastructure supporting the phishing campaign.

Phishing Campaign Registrars Pie Chart

This chart illustrates the distribution of domain registrars used by the phishing domains. It highlights the registrars most frequently abused by the attackers, providing insights into their operational preferences.

Phishing Campaign ASN Hosting Pie Chart

This chart shows the distribution of Autonomous System Numbers (ASNs) hosting the phishing domains. It reveals the hosting providers most commonly used by the attackers, helping identify potential areas for mitigation and intervention.

Screenshots: A Glimpse into the Phishing Sites

The screenshots included in this report offer visual examples of the phishing sites in action. While some screenshots may not fully display or contain accurate content due to various technical reasons, they provide a general sense of the deceptive tactics employed by the attackers.

Scans: Detailed Analysis of Each Domain

This section provides links to urlscan.io results for each of the 30 identified phishing domains. These scans offer in-depth technical analysis, including HTTP responses, redirects, and other relevant information, aiding in the investigation and mitigation of these threats.

Conclusion: Staying Safe from Phishing Attacks

This report underscores the persistent threat of phishing attacks targeting cryptocurrency users and companies. By understanding the tactics employed by attackers and remaining vigilant, individuals and organizations can significantly reduce their risk. Always verify the legitimacy of websites and communications before entering sensitive information, and use reputable security tools to protect against phishing attempts. For additional resources on phishing prevention, consider visiting the Anti-Phishing Working Group (APWG) at https://apwg.org/, a trusted source for information and best practices.