Binance is the largest cryptocurrency exchange in the world by daily trading volume.
During our PreCrime internet scout of October 19th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting users.
The Attack
Target:
Individuals with a Binance account
Possible threats:
- Cryptocurrency scam: after being lured to the site, users are asked to log in to their Binance account with their email address and password, handing the threat actors the credentials they need to take over the account and steal cryptocurrency.
- Info: cryptocurrency scams are an increasingly popular attack vector, with over 1 billion USD in reported losses since the beginning of 2021 according to the Federal Trade Commission.
Technical Breakdown
Threat Indicators
- Malicious domain impersonating the login page of Binance Holdings Limited
- DNS records of the malicious domain differ from those of Binance Holdings Limited
- Newly registered site, created October 19 2022
- SSL certificate valid for only three months
- IP address blacklisted and associated with a large amount of malicious activity
Detection and Threat Analysis
The malicious domain (cancel187737-binance-com[.]web[.]app) is targeting Binance (binance[.]com), the largest cryptocurrency exchange in the world. The malicious domain was created on October 19, 2022 and identified by Bfore.Ai the same day.
- The malicious site shows visitors a login page imitating Binance's. The main difference between the legitimate and the malicious site is that the malicious login page shows both an email and a password field, whereas the legitimate one shows only an email/phone number field. Additionally, the legitimate site offers login with Google, Apple or a QR code, which the malicious one does not.
- The DNS records differ from those of the legitimate website. The main point of interest is the certificate: the legitimate domain's certificate is issued to Binance Holdings Limited (the organisation appears in the certificate subject), whereas the malicious site is served under a certificate issued for its parent domain (web.app), i.e. the hosting platform's certificate rather than one tied to the brand. See further details and the comparison between the malicious and legitimate domain below.
- The registered SSL certificate expires after three months. On its own this is weak evidence, since automated certificate issuance, as used by hosting platforms such as web.app, gives legitimate sites 90-day certificates too; it corroborates the other indicators rather than proving intent by itself.
- The IP address has been blacklisted by SPFBL and is associated with over 6000 communicating files, about half of which exhibit malicious traffic, mostly .EXE and .APK files. Because web.app is a shared hosting platform, this IP reputation reflects the platform's other tenants as well as this site, so it should be read together with the domain-level indicators above.
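As an added example (not Bfore.Ai's detection logic or any Binance code), the following Python script encodes the indicators above as a scoring function and runs it over the hostname from this report and a legitimate Binance hostname. The brand table, the list of hosting-platform suffixes, the certificate fields and the sample certificate values are constructed assumptions for illustration, not data taken from the real certificates.

```python
"""Heuristic brand-impersonation check for a hostname and its leaf certificate.

Added example, not Bfore.Ai's detection logic or Binance code. It encodes the
indicators from the analysis above: a brand keyword embedded in a label whose
registrable domain is not the brand's own, a parent domain that is a public
hosting platform (web.app here), a certificate not issued to the brand, and a
short certificate lifetime. Brand list, hosting-suffix list, thresholds and the
sample certificates are assumptions for illustration.
"""
from __future__ import annotations

import re
from datetime import datetime

# Assumed: brands to protect and their legitimate registrable domains.
BRANDS = {"binance": {"binance.com"}}

# Assumed: public hosting platforms where anyone can create a subdomain.
HOSTING_SUFFIXES = {"web.app", "firebaseapp.com", "github.io", "netlify.app"}

# Matches a brand name anywhere inside a label, e.g. "cancel187737-binance-com".
BRAND_RE = re.compile("(?P<brand>" + "|".join(map(re.escape, BRANDS)) + ")")

# Constructed sample certificates (illustrative values, not real certificate data).
MALICIOUS_CERT = {"subject_org": None, "sans": ["*.web.app", "web.app"],
                  "not_before": "2022-10-19", "not_after": "2023-01-17"}
LEGIT_CERT = {"subject_org": "Binance Holdings Limited",
              "sans": ["*.binance.com", "binance.com"],
              "not_before": "2022-03-01", "not_after": "2023-03-01"}


def split_host(host: str) -> tuple[list[str], str | None]:
    """Lower-cased labels of host, plus the hosting-platform suffix it sits on, if any."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 3):
        suffix = ".".join(labels[-n:])
        if len(labels) > n and suffix in HOSTING_SUFFIXES:
            return labels, suffix
    return labels, None


def registrable_domain(host: str) -> str:
    """The part of host its operator controls: the label under a hosting-platform
    suffix, otherwise the last two labels (ignores multi-part suffixes like co.uk)."""
    labels, suffix = split_host(host)
    keep = suffix.count(".") + 2 if suffix else 2
    return ".".join(labels[-keep:])


def san_matches(host: str, san: str) -> bool:
    """True if a SAN entry covers host, exactly or via a one-label wildcard."""
    san = san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def cert_lifetime_days(cert: dict) -> int:
    """Validity period of the certificate in whole days."""
    fmt = "%Y-%m-%d"
    return (datetime.strptime(cert["not_after"], fmt)
            - datetime.strptime(cert["not_before"], fmt)).days


def assess(host: str, cert: dict | None = None) -> dict:
    """Return the indicators that fire for host (and its certificate, if given)."""
    host = host.lower().rstrip(".")
    labels, hosting = split_host(host)
    rd = registrable_domain(host)
    findings: list[str] = []
    impersonated: set[str] = set()

    # Indicator 1: brand keyword in a label, but the controlled domain is not the brand's.
    for label in labels:
        m = BRAND_RE.search(label)
        if m and rd not in BRANDS[m.group("brand")]:
            impersonated.add(m.group("brand"))
            findings.append(f"brand '{m.group('brand')}' in label '{label}' "
                            f"but registrable domain is '{rd}'")
    # Indicator 2: the impersonating site is a tenant of a public hosting platform.
    if hosting and impersonated:
        findings.append(f"site is a tenant of public hosting platform '{hosting}'")

    if cert is not None:
        # Indicator 3: certificate subject organisation is not the brand.
        org = (cert.get("subject_org") or "").lower()
        if impersonated and not any(b in org for b in impersonated):
            findings.append(f"certificate subject organisation is {org!r}, not the brand")
        # Indicator 4: host is covered only by the platform's wildcard certificate.
        matching = [s for s in cert["sans"] if san_matches(host, s)]
        if not matching:
            findings.append("certificate does not cover this hostname")
        elif hosting and all(s.lower() == "*." + hosting for s in matching):
            findings.append(f"certificate is the platform wildcard {matching[0]}, "
                            "not one issued for this site")
        # Indicator 5, corroborating only: automated issuers give legitimate sites
        # 90-day certificates too, so this never decides the verdict on its own.
        days = cert_lifetime_days(cert)
        if days <= 90:
            findings.append(f"certificate lifetime is only {days} days")

    return {"host": host, "registrable_domain": rd, "findings": findings,
            "verdict": "suspicious" if impersonated else "clean"}


if __name__ == "__main__":
    for h, c in (("cancel187737-binance-com.web.app", MALICIOUS_CERT),
                 ("accounts.binance.com", LEGIT_CERT)):
        result = assess(h, c)
        print(result["verdict"], h)
        for f in result["findings"]:
            print("  -", f)
```

Run as a script it reports suspicious for cancel187737-binance-com.web.app with five findings and clean for accounts.binance.com with none. The decisive signal is the first one: the brand keyword sits inside a label whose registrable domain is not binance.com. The same rule also catches the brand-as-subdomain pattern (binance.com.<attacker-domain>), since the registrable domain is computed from the right-hand end of the name. Replacing the two-label fallback in registrable_domain with a public suffix list is the first change to make before using this on real traffic.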
DNS Records
How Bfore.Ai is protecting our customers
At Bfore.Ai, we work daily to ensure these phishing attacks are stopped before they even reach their targets. We are here to make your internet journey safer than it has ever been.
With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With a false positive rate of only 0.05%, you can stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we measure how far in advance of an attack's launch we anticipated it, staying ahead of the attackers.
Accepting that the only defense is good detection is accepting to be a victim forever. We believe in prevention more than response. Visit our website for more information!
Bfore.Ai’s recommendations
Every day, adversarial tactics become more collaborative, technologically advanced and rapid, and at this rate you simply cannot afford to wait for the next attack before reacting. Here are some recommendations from our team:
- Pay close attention to the URL: a brand name appearing somewhere in the hostname is not enough; check which domain actually sits in front of the top-level domain (here web.app, not binance.com)
- Check connection security indicators (the lock), bearing in mind that the lock only means the connection is encrypted; phishing sites like this one also have valid certificates
- Read emails carefully
- Look for trust seals, bearing in mind that a seal image can be copied onto any page, so click through to verify it
Appendix
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.