This is a brief exploration of an attack that surfaced one night and was reported on twitter against a user of the Cryptocurrency exchange Luno. We used information we obtained through the phishing kit to discover several other attacks against the exchange. Disclaimer: we currently have no affiliation with Luno.

Phishing Detection

In the best case, you hope that you’ll find phishing attacks against your user base before they even launch. In the event that you don’t manage to, your users become your first line of defense and if they’re well educated on phishing, will hopefully report this to you. In this case, a technologically savvy Twitter userreported the attack:

In this case, it came through an SMS based phishing attack. Often attackers obtain potential victims details by scrapingnumbers from crypto related forums or by compromising a vendor in the supply chain, forexample a marketing company which may require email and mobile numbers of users to send out marketing campaigns. Thus, they are a prime target for attackers.

The Attack

After following the link sent in the SMS, it takes the user to this page:

**Note the URL! **Nothing fancy here — a standard clone of the Luno sign inpage. Normally, attackers use off the shelf tools such as HTTrack to createthese and then do some backend work to collect email addresses and passwords touse later.

After submitting credentials to the phishing website, the victim is redirectedto the **legitimate **luno website. This is a common tactic used by scammers toensure that users don’t realise that they’ve been phished.

Users tend to assume that they incorrectly entered their password or that therewas a some kind of bug with the sign in process. The user tried to login againafter being redirected to the legitimate site and voila! It works. They thinknothing is wrong and continue as normal.

Fingerprinting and Expansion

At PhishFort we’ve got a number of internal systems and processes that allow usto fingerprint and identify other websites that are hosting the same phishingkit. This is where it got interesting. We found a couple of LIVE phishing sitesthat haven’t been seen before or blacklisted:

Note the URL above! Luno[.]su was live and ready to be used in the nextcampaign!

Next, another phishing website that was still under construction — AWESOME! We caught it early:

In addition, we discovered a number of websites that were in varying states ofoperational, down or already confirmed phishes.

https://luno-co[.]xyz

https://lunobtc[.]trade

https://lunobtc[.]trade/

https://luno-upgrade[.]com

https://luno-official[.]com/

https://luno-upg[.]com

https://luno-web[.]com

https://luno-official[.]com

Blacklisting

When we find attacks or users report them to us, we act fast. In this case, weblacklisted all of the sites that we found against MetaMask, MyEtherWallet andEtherAddressLookup which in total protects about 1,5million end users and wearen’t reliant on slow moving internet giants to blacklist. Then, we get thesite into Safebrowsing which prevents users of Chrome, Firefox, Safari and Edgefrom accessing the website.

Thanks for reading!