Cryptocurrency Scammers Target Binance Users With Phishing Emails, Seek Google Authenticator Backup Codes

A compromised web server hosting phishing pages is prompting users to "update" their two-factor authentication.

Satnam Narang
Published in METACERT
Aug 2, 2018

There is an on-going phishing campaign targeting users of the popular cryptocurrency exchange, Binance.

The Fake Binance Email

This fake email, claiming to be from Binance, asks users to "upgrade your 2FA" (two-factor authentication).

At this time, it is unclear where the scammers obtained email addresses for this particular campaign, but a member of the MetaCert community brought this to our attention.

If a recipient clicks on the link within the email, they will be sent through a redirect hosted on a compromised Australian bookkeeping web server, leading to a Binance phishing page.

The Binance Phishing Page

Binance Phishing Page Hosted on Compromised Web Server.

The Binance phishing page is hosted on a compromised web server belonging to a Turkish building construction company. Alongside the Binance phishing page, the scammers have also added a subdomain, "ether.ma1yapi.com", possibly staged for a future phishing campaign.

List of subdomains for compromised web server with two outlier subdomains (binance, ether).

Phishing for Google Authenticator Backup Codes

If a user attempts to login to the Binance phishing page, they are directed to another fake Binance page that asks the user to “Please update your 2FA Google Authentication.”

Binance phishing page alerts users to update their “2FA Google Authentication” as their original email suggested.

Google Authenticator is a software token that is widely used to secure online accounts with two-factor or two-step verification. Instead of receiving a one-time password (OTP) by text message, Google Authenticator computes a time-based one-time password (TOTP, standardized in RFC 6238 by the Initiative for Open Authentication, OATH) from a secret shared with the site at enrollment and the current time. The code changes every 30 seconds, but the shared secret behind it does not.

Clicking on the “Google Authentication” link leads to another webpage that asks the user to input their Binance login password along with their “Google Authentication Backup Key.”

This is the Binance phishing page that asks the user to provide their login password and 16-digit backup key for Google Authenticator.

When users set up Google Authenticator for their Binance account, they are given a 16-character backup key, which they are instructed to keep safe and use in the event they lose access to their Google Authenticator app. That backup key is not a recovery code; it is the base32-encoded TOTP secret itself, the same value the app scanned from the QR code.

The scammers running this phishing scam hope to convince users to hand over this 16-character backup key because whoever holds the secret can generate every future code for the account. Combined with the password phished on the same page, it gives them complete access to Binance accounts that are "secured" with Google Authenticator, with no need to intercept a live code.
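To make concrete why the backup key is the whole prize, the following is an added example (not code from the original post, from MetaCert, or from Binance) that implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, decodes a base32 backup key the way an authenticator app does, and shows a server-side check with a clock-skew window. The sample key is constructed from RFC 6238's published SHA-1 test secret "12345678901234567890", base32-encoded and grouped in fours to look like a displayed backup key; the function names and the 16-character key "ABCDEFGHIJKLMNOP" used for the length check are assumptions for illustration.

```python
"""Added example: a Google Authenticator backup key is the TOTP secret.

Anyone holding the 16-character key can run this same arithmetic and
mint valid codes indefinitely, which is why the phishing page asks for it.
Implements RFC 4226 (HOTP) and RFC 6238 (TOTP); standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def normalize_backup_key(key: str) -> bytes:
    """Decode a displayed backup key into the raw shared secret.

    Sites show the key grouped in blocks and sometimes lower-cased; base32
    decoding wants one upper-case string padded to a multiple of 8 chars.
    """
    cleaned = "".join(key.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(backup_key: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(normalize_backup_key(backup_key), at // step, digits)


def verify_code(backup_key: str, submitted: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of skew.

    Every candidate is compared in constant time and all candidates are
    evaluated, so timing does not reveal which step matched.
    """
    if at is None:
        at = int(time.time())
    secret = normalize_backup_key(backup_key)
    current = at // step
    matches = [
        hmac.compare_digest(hotp(secret, current + delta), submitted)
        for delta in range(-window, window + 1)
    ]
    return any(matches)


if __name__ == "__main__":
    # Constructed sample: RFC 6238's SHA-1 test secret "12345678901234567890",
    # base32-encoded and grouped the way an authenticator backup key is shown.
    DEMO_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_KEY, at=t))
    # A code from step 1 (t=30..59) is still accepted at t=89 (step 2, window 1)
    # but not at t=150 (step 5).
    print("accepted at 89:", verify_code(DEMO_KEY, "287082", at=89))
    print("accepted at 150:", verify_code(DEMO_KEY, "287082", at=150))
```

The point for defenders is in `normalize_backup_key`: the "backup key" decodes straight into the HMAC key, so a phished key is equivalent to a phished authenticator device, and the only remedy is to disable and re-enroll 2FA with a fresh secret.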

Phishing for Credentials Again?

After a user submits their login password along with their 16-character backup key, they are directed to yet another login page asking for their email and password. It is unclear whether this is meant to convince the user they have simply been logged out by the so-called "2FA upgrade", or whether the scammers are phishing for credentials a second time just to be sure.

The phishing site requests the Binance email and password again, for good measure?

Why Two-Factor/Step Verification Is Important

Despite the efforts of these scammers to steal the Google Authenticator backup key, two-factor/two-step verification remains a critical account security measure. Users should not rely on text (SMS)-based two-factor authentication. Instead, they should use software tokens like Google Authenticator or hardware tokens like the YubiKey. Bear in mind that a TOTP app only protects the secret as long as the user does not type it into a phishing page; hardware security keys that bind the login to the real site's origin (U2F/FIDO) are the only option that holds up against a convincing lookalike page.

Install Cryptonite & Look For The Green Shield

If you haven't already, you should install MetaCert's Cryptonite browser extension. It adds a visual indicator, the Cryptonite shield, to your web browser, and the shield turns green on verified websites.

Example of the green Cryptonite shield displayed on the real binance.com.

If you visit binance.com, you should look for the green Cryptonite shield. If you don’t see the green shield, you shouldn’t submit your credentials.

Binance Users Should Be Skeptical

Scammers in the cryptocurrency space are very determined, and phishing is one of the most successful tools in their toolbox. That is why it is important for not only Binance users but all cryptocurrency users to be skeptical of unsolicited requests through email, social media and messaging applications like Telegram. In addition to this skepticism, enabling two-factor/two-step verification and using browser extensions like Cryptonite can thwart these types of phishing attempts. Binance also offers a security feature called "Anti-Phishing Code" that lets users set a unique phrase that only they recognize. All future emails from Binance will contain this phrase, so an email that lacks it, such as the one in this campaign, can be recognized as fraudulent.

Binance Security Feature “Anti-Phishing Code” ensures all legitimate emails from Binance contain a unique code created by the user

The MetaCert Protocol is a trust and reputation threat intelligence system for verifying web resources. It addresses a number of attack vectors, encompassing solutions for anti-phishing, child safety, brand protection, crypto-address verification, and news credibility. Find out more about the MetaCert Protocol, ask questions, and leave suggestions on both our White Paper and Technical Paper. You can also join our Telegram community to stay up to date on our blockchain project. Remember to install Cryptonite to protect yourself from phishing scams before it’s too late.

Staff Research Engineer, Security Response @TenableSecurity. Threat research, coding, automation, poet and rapper.