New AI-Generated Crypto Phishing Threat Actor Exploits 30 Major Brands 17K+ Fake GitBook Lure Sites
Netcraft has revealed a novel crypto phishing campaign in which a threat actor that Netcraft has been tracking for a year is using AI-generated content to create 17,000 phishing lure sites impersonating more than 30 major crypto brands, including Coinbase, Crypto.com, MetaMask, and Trezor.
The lure sites and phishing sites are part of a massive multi-step attack that includes sites capturing login credentials and two-factor authentication (2FA) codes. AI allows the attackers to create high-quality content at an unprecedented scale that would be impossible with manual effort.
Hosted on GitBook, a documentation platform for software developers, the sites claim to provide advice and tutorials for a wide range of crypto industry brands. They contain a call-to-action (CTA) link redirecting to domains with a UUID to track user visits and appear to be registered with access keys and hosted by Amazon.
The redirect URLs use advanced traffic distribution systems to mask the relationships between attack infrastructure, choosing the redirect destination based on different factors so as to hide the phishing infrastructure from security researchers.
The end phishing sites in this campaign aim to obtain one of two credentials: the victim’s login details for the cryptocurrency platform or the seed recovery phrase for the victim’s wallet. Netcraft has been tracking this campaign and has observed the attackers evolving their strategies in response to countermeasures.
You can read the details here.
This entry was posted on July 18, 2024 at 9:01 am and is filed under Commentary with tags Netcraft.