Netskope Threat Labs reported that during 2022, phishing attackers created phishing pages in Google Sites and Microsoft Azure Web App. Through these pages, attackers targeting to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini have added multiple links to phishing pages, boosting SEO and redirecting victims directly to these pages. They strengthened their attack by linking from the comment sections of some websites.
In this way, phishing attackers have stolen cryptocurrency exchange accounts or recovery phrases that allow people to import existing crypto wallets.
These phishing pages were featured in comments posted to sites mostly blogging by a network of bots controlled by phishing attackers. Thus, people were directed to phishing pages. Posting links to phishing pages on various legitimate sites to boost SEO increased their traffic and boosted the malicious site’s search engine rankings.
Also, because phishing sites are hosted on Microsoft and Google services, they are not flagged by automated moderator systems, allowing promotional messages to stay longer in the comment section.
So how do the attackers operate the system?
- The homepage is hosted on Google Sites and mimics the cryptocurrency website it targets.
- The phishing page also includes a fake FAQ as an added measure to convince victims that the page is genuine and improve SEO.
- When the victim clicks “Download now” or “Sign in”, the user is redirected to another page hosted with Azure Web Apps.
Google Sites is a free web page builder that is part of Google’s suite of online services that allows users to create websites and host them on Google Cloud or other providers. Similarly, Microsoft’s Azure Web Apps is a platform that helps users create, deploy, and manage web apps and websites.
The sites are just landing pages, and their visitors are redirected to real phishing sites when they click on their “login” button.
Attackers constantly;
- with elaborate phishing pages,
- imitating real websites,
- avoiding typos to make the page look real, and
- interacting with victims via a live web chat
trying to steal cryptocurrency wallets and accounts.
What should we do?
- When trying to log into a website, always make sure you are on the official website of the platform.
- Never enter credentials after clicking a link. Go directly to the site where you will log in.
- Users of locally established cryptocurrency wallets should never post recovery statements on any website, for whatever reason.
- Organizations should use a secure web gateway that can detect and block phishing in real time.
- Ranking of Google results is not a security measure. There are always people who abuse Google search SEO.
