
Cryptocurrency and Exchange Phish Used to Steal User Information



Phish Found in Environments Protected by SEGs: Microsoft, Symantec

By Aaron Leung, Cofense Phishing Defense Center

With the hype around cryptocurrency, it was only a matter of time before threat actors began exploiting it as a lure. Analysts at the Cofense Phishing Defense Center (PDC) have noticed a steady uptick in crypto-themed phishing campaigns. These campaigns replicate crypto exchange domains and two-factor authentication (2FA) prompts. Threat actors are preying on emotions by flagging potentially unauthorized withdrawals from individual accounts.


Figure 1: Email Body

Figure 1 shows the threat actor’s attempt at replicating an email from CoinSpot. It tells the recipient that a Bitcoin (BTC) withdrawal is pending confirmation. Other than the obvious use of a Yahoo email address by the threat actor, the design of this email is extremely convincing. The style appears authentic, and a Bitcoin address is even included to add legitimacy. The user is prompted to either confirm or cancel the withdrawal, but both links point to the same SendGrid hyperlink. Once either option is clicked, the user is redirected to hXXps://birragzez[.]netlify[.]app/, which subsequently redirects to the phishing landing page.
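The two tells in this email (a brand display name on a free-mail sender, and "confirm" and "cancel" buttons that lead to one destination) can be checked mechanically during triage. The sketch below is an added example, not Cofense tooling; the sample message, its addresses and URLs, the `FREEMAIL` list and the `triage` helper are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: a short list of free-mail providers; extend for your environment.
FREEMAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}
# Constructed sample message; addresses and URLs are placeholders, not IoCs from the article.
SAMPLE = """\
From: CoinSpot <support.alerts@yahoo.com>
Subject: Withdrawal pending confirmation
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A BTC withdrawal is pending confirmation.</p>
<a href="https://tracking.example.invalid/ls/click?upn=abc">Confirm withdrawal</a>
<a href="https://tracking.example.invalid/ls/click?upn=abc">Cancel withdrawal</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()).lower(), self._href))
            self._href = None

def triage(raw, brand):
    """Return findings for a raw RFC 5322 message claiming to come from `brand`."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if brand.lower() in name.lower() and addr.rpartition("@")[2].lower() in FREEMAIL:
        findings.append("brand display name on free-mail sender")
    part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), None)
    parser = LinkCollector()
    parser.feed(part.get_payload(decode=True).decode("utf-8", "replace") if part else "")
    hrefs = {h for t, h in parser.links if "confirm" in t}
    if hrefs & {h for t, h in parser.links if "cancel" in t}:
        findings.append("confirm and cancel links share one destination")
    return findings
```

Calling `triage(SAMPLE, "CoinSpot")` returns both findings; either one alone is enough to route the message for analyst review.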


Figure 2: Phishing Page

As seen in Figure 2, the domain, coinspotswap[.]com, is quite convincing at first glance, and it even has a digital certificate enabling the lock symbol in the URL address bar. This phishing page is a virtual identical twin to the authentic CoinSpot login page, making it particularly dangerous when displayed to an untrained user. Proper credential input is also required. The level of sophistication the threat actor displayed is reinforced by password requirements for upper- and lower-case letters, numbers and special characters.