2FA won’t save you from Phishing — Here’s how

My RSS reader surfaced the Reddit link below from the cryptocurrency subreddit. The poster explains that his friend clicked on a phishing website and lost 130K USD in a few minutes.

Phishing websites are common; you will find clones of every site in the Alexa Top 100. But when it comes to financial websites it becomes all the more critical to be careful about which links you click.

Bittrex is one of the top cryptocurrency exchanges and currently lists over 250 coins. The victim says he was tricked into clicking a phishing link that was displayed as a paid ad on Bing. I quickly checked whether it would show me a similar ad, but it did not; since ads are mostly targeted, this is entirely possible.

The phishing website is cleverly named hxxps://blttrex.com (a lowercase L in place of the i in Bittrex) and sits behind Cloudflare, which gives it a valid TLS certificate and the padlock that users are taught to trust.

Here is the sequence of events that would have led to a loss of 130K in about 2 minutes even though the victim had 2FA enabled.

If you enter the correct credentials, the fake website prompts for the OTP. Unknown to the user, the phishing site is acting as a real-time relay: the credentials and the OTP the user types are forwarded in the background to the real Bittrex website, where they complete the 2FA login for the attacker. In the user's own browser, however, the site shows an error saying the OTP has expired and asks for a new one.

The fraudster would then have exchanged the existing coins in the victim's wallet for Bitcoin and then for Ether on the Bittrex trading platform. Trades do not require an OTP: given how fast prices move, prompting for one on every trade is not feasible and would add little real security value. The fraudster would next have attempted to withdraw the funds, and this is the step where an OTP is required.

Here the victim made the critical mistake of providing the OTP a second time when the phishing website claimed the first one had expired. Had he not done so, the withdrawal would not have been possible. The fraudster used this second OTP to complete the withdrawal and got away with 130K in a matter of minutes.
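The following is an added example, not code from the post and not Bittrex's own implementation. It models the relay described above with a standard RFC 6238 TOTP verifier: the victim's authenticator produces a code, the attacker forwards it to the "real site" a few seconds later, a second use of the same code is refused, and a fresh code typed after the fake "expired" message authorises the withdrawal. The demo secret, the timestamps, the ±1 step skew window and the replay rule are all assumptions about a typical server-side checker; the point they illustrate is that a TOTP code is bound to a secret and a clock, not to the site or person that submits it.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (base32); not a real account secret.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret_b32, at, step=STEP, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class Verifier:
    """Server-side check modelled on a typical login / withdrawal OTP step (assumption,
    not Bittrex's code): accepts the current step and one step either side to allow
    for clock skew, and refuses to accept the same code twice. What no such checker
    can do is tell who typed the code or on which website it was entered."""

    def __init__(self, secret_b32, skew_steps=1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.used = set()  # (step, code) pairs already consumed

    def verify(self, code, now):
        for delta in range(-self.skew, self.skew + 1):
            step = now // STEP + delta
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                if (step, code) in self.used:
                    return False  # replay of a consumed code
                self.used.add((step, code))
                return True
        return False


def simulate_relay(now):
    """Replay the sequence from the post with constructed timings:
    victim types a code into the fake site, the attacker forwards it to the real
    site 5 s later, tries to reuse it, then asks the victim for a second code."""
    real_site = Verifier(SECRET_B32)

    def victim_authenticator(t):
        return totp(SECRET_B32, t)

    code1 = victim_authenticator(now)                 # victim reads code from the app
    login_ok = real_site.verify(code1, now + 5)       # attacker relays it 5 s later: accepted
    replay_ok = real_site.verify(code1, now + 8)      # attacker tries the same code again: refused
    code2 = victim_authenticator(now + 40)            # fake site says "expired", victim types a new code
    withdraw_ok = real_site.verify(code2, now + 45)   # attacker relays it to the withdrawal step: accepted
    return {"login_ok": login_ok, "replay_rejected": not replay_ok, "withdraw_ok": withdraw_ok}


if __name__ == "__main__":
    print(simulate_relay(1_700_000_000))
```

Because the first code is consumed by the login, the attacker genuinely needs a second one for the withdrawal, which is exactly why the fake site reports the first as "expired" and asks again.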

There are a couple of key takeaways from this incident:

When you are dealing with a financial website where a large amount of money is at stake, BE VERY CAREFUL.

Fraudsters routinely use SSL/TLS and content delivery networks to appear legitimate, because most users are taught that the padlock means the site is genuine. READ THE URL CAREFULLY and be sure it is the website you want to log in to (i, l and o are letters commonly substituted to trick you). In this case blttrex was used instead of bittrex. A certificate only proves that whoever holds it controls that domain name, not that the domain belongs to the company it imitates; domain-validated certificates are issued automatically to anyone who controls a domain, so never take the padlock as proof that a site is real.

Enter the OTP while it still has most of its validity window left so that it does not expire in transit, and treat a second OTP prompt as a warning sign: when in doubt, double-check before providing your credentials or an OTP a second time.

Read prompts and error messages carefully, especially when logging into your accounts. Think: did you really enter the wrong password?

Bookmark important links rather than reaching them through search engines, where a paid ad can appear above the real site.

What’s Next ?

Here is the problem with cryptocurrency: once stolen it is very difficult to get back, but it is not so difficult to trace where it goes (at least for a while). Bitcoin and the other major coins are not anonymous but pseudonymous. Every transaction since the coin was created is recorded in a public ledger, which contains each address and the amount it holds but not the identity behind the address. So in this case the fraudster's address can be tracked from here. You can also use the watch-address option on the same page to be notified of every future transaction involving that address.

A clever fraudster uses a newly created address so that no previous transactions can be linked to him, which is true in this case: the address has only one transaction, the one in which the 130K was stolen.

Next he would try to convert it into fiat currency by sending it to an exchange, but that is unlikely, as it would again leave a trail: most big exchanges are KYC compliant and do not allow anyone to convert crypto into fiat without sufficient identification. Likewise, when you use an exchange-hosted wallet, the wallet address is tied to your verified identity and any transaction to that address can be attributed to you.

More likely he would convert the amount into Monero or Zcash, which provide better anonymity than Bitcoin or Ether and fit the requirement for a private cryptocurrency. In previous such scams, fraudsters have used services like Changelly and ShapeShift that convert one coin into another without going through a trading exchange or providing any identity proof. To stop the funds from moving further, these services need to be informed before the fraudster makes the move so that they can flag and block any transaction from that Ether address. Previous experience shows the attacker would connect to these services over Tor and therefore cannot be traced back to a physical address.

The fraudster could also use other means, such as trading the coins under a fake identity to another unsuspecting buyer.

Beyond this there is not much that can be done to stop the money changing hands. Bitcoins have previously been laundered through third-party mixing and tumbling services that break the link between the address sending coins and the address(es) they are sent to. One such service voluntarily closed down operations recently.

The phishing ad should be reported to Microsoft here so that it is pulled down.

Cloudflare should be informed about the phishing website it fronts using this form.

I could not find abuse forms for ShapeShift or Changelly. Previously such cases have been reported on their subreddits, where they pick them up.

For traders, Bittrex provides the option to whitelist specific IPs from which withdrawals are allowed.

You can also use the withdrawal whitelist to allow withdrawals only to specific addresses.

Neither of these two options can protect you if you cannot protect your OTP tokens!!

Other exchanges like Kraken use a different form of authorisation for withdrawals: when a user tries to withdraw from his wallet, a link is sent to the registered email address to approve the withdrawal. It is not foolproof, but it adds a second channel the fraudster does not control from the phishing page, which makes his task harder.

Bittrex surely needs to up its game.

Updated 18:30 UTC: I just checked the website, and now if a user types in the phishing domain it redirects to Bittrex.com. An important point I missed earlier was that Bittrex itself also sits behind Cloudflare, so the phishing URL was served by the same CDN as the real one. The phishing URL used to take the user directly to the login page, whereas the Bittrex URL lands on the home page. If you now request the login path on the phishing domain it returns a 404 error.

Since both URLs resolve to Cloudflare's edge servers, the DNS records alone do not reveal where the phishing site is actually hosted.

Here is the domain history for the phishing domain. The earlier nameservers pointed to domaincontrol.com, which are GoDaddy's nameservers, and the domain was only recently moved to Cloudflare.

The fight between black hats and white hats has always been a cat-and-mouse game. Until Bittrex improves its security by adding additional checks on withdrawals, and end users become more security conscious, such fraud cases will keep popping up.

A quick check for possible typosquatting domains shows a couple more domains that attackers could use to run the attack again.
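To make the "read the URL carefully" advice and the typosquat check above concrete, here is an added example (not from the post, and not any tool the author used) that flags hostnames resembling a known brand and generates the candidate squats a registrar search should be run against. The confusable table and brand list are constructed for the demo and cover only ASCII look-alikes such as i/l/1 and o/0; Unicode/IDN homoglyphs would need the UTS #39 confusables data and are out of scope here. The registrable-label split is naive (no public-suffix list).

```python
# ASCII characters routinely swapped in typosquats; longer keys are applied first.
CONFUSABLE = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o"}

# Reverse view used to generate candidates a brand owner should watch or pre-register.
LOOKALIKE = {"i": ("l", "1"), "l": ("i", "1"), "o": ("0",), "m": ("rn",), "w": ("vv",)}


def skeleton(label):
    """Collapse look-alike characters to one canonical form:
    bittrex, blttrex and b1ttrex all map to 'bittrex'."""
    s = label.lower()
    for src in sorted(CONFUSABLE, key=len, reverse=True):
        s = s.replace(src, CONFUSABLE[src])
    return s


def osa_distance(a, b):
    """Optimal string alignment distance (insert, delete, substitute, adjacent swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(host):
    """Second-level label of a hostname. Naive split with no public-suffix list,
    so 'bittrex.co.uk' would yield 'co'; enough to show the idea."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host, brand_hosts, max_distance=1):
    """Return ('exact', brand), ('lookalike', brand) or ('unrelated', None).

    A host is exact only if it is the brand domain or a subdomain of it. It is a
    look-alike if its registrable label collapses to the brand's skeleton, is within
    max_distance edits of it, or if the brand name is buried anywhere in the
    hostname (e.g. bittrex.com.secure-login.example)."""
    host = host.lower().rstrip(".")
    host_sk = skeleton(registrable_label(host))
    for brand in brand_hosts:
        brand = brand.lower()
        if host == brand or host.endswith("." + brand):
            return ("exact", brand)
    for brand in brand_hosts:
        brand = brand.lower()
        brand_label = registrable_label(brand)
        brand_sk = skeleton(brand_label)
        if (host_sk == brand_sk
                or osa_distance(host_sk, brand_sk) <= max_distance
                or brand_label in host):
            return ("lookalike", brand)
    return ("unrelated", None)


def squat_candidates(label):
    """Typosquat candidates for one brand label: look-alike substitutions,
    omissions, doubled letters and adjacent transpositions."""
    out = set()
    for i, ch in enumerate(label):
        for sub in LOOKALIKE.get(ch, ()):
            out.add(label[:i] + sub + label[i + 1:])      # i -> l / 1, o -> 0, ...
        out.add(label[:i] + label[i + 1:])                # character omitted
        out.add(label[:i] + ch + label[i:])               # character doubled
        if i + 1 < len(label) and ch != label[i + 1]:
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # adjacent swap
    out.discard(label)
    return out


if __name__ == "__main__":
    for h in ("www.bittrex.com", "blttrex.com", "bitrex.com",
              "bittrex.com.secure-login.example", "kraken.com"):
        print(h, classify(h, ["bittrex.com"]))
    print(sorted(squat_candidates("bittrex")))
```

Running the script classifies blttrex.com as a look-alike of bittrex.com while www.bittrex.com is exact, and lists the candidate labels (blttrex, b1ttrex, bitrex, bittrx, ...) that a brand owner could register defensively or monitor in certificate-transparency and passive-DNS feeds.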

Security Researcher @junedlive
