Cryptocurrency Scammers Target Binance Users With Phishing Emails, Seek Google Authenticator Backup Codes
A compromised web server used to host phishing pages is prompting users to update their two-factor authentication.
There is an ongoing phishing campaign targeting users of the popular cryptocurrency exchange, Binance.
The Fake Binance Email
At this time, it is unclear where the scammers obtained email addresses for this particular campaign, but a member of the MetaCert community brought this to our attention.
If a recipient clicks on the link within the email, they will be sent through a redirect hosted on a compromised Australian bookkeeping web server, leading to a Binance phishing page.
The Binance Phishing Page
The Binance phishing page is hosted on a compromised web server for a Turkish building construction company. In addition to a Binance phishing page, the scammers have also added a subdomain for “ether.ma1yapi.com” possibly for a future phishing campaign.
Phishing for Google Authenticator Backup Codes
If a user attempts to log in to the Binance phishing page, they are directed to another fake Binance page that asks the user to “Please update your 2FA Google Authentication.”
Google Authenticator is a software token that is widely used to secure online accounts with two-factor or two-step verification. Instead of receiving a One-Time Password (OTP) via text message, Google Authenticator generates a Time-based One-Time Password (TOTP) using the Initiative for Open Authentication (OATH) standard.
Clicking on the “Google Authentication” link leads to another webpage that asks the user to input their Binance login password along with their “Google Authentication Backup Key.”
When users set up Google Authenticator for their Binance account, they are given a 16-digit backup key that they are instructed to keep safe and use in the event they lose access to their Google Authenticator application.
The scammers running this phishing scam hope to convince users to provide this 16-digit backup key so they can gain access to Binance accounts that are secured using Google Authenticator.
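Why the backup key is worth guarding, as an added example that is not part of the original article: assuming the backup key is the Base32-encoded TOTP shared secret (the usual form of a Google Authenticator setup key), this RFC 6238 implementation shows that the key alone reproduces every code the user's phone displays. `BACKUP_KEY` is a constructed value, and `verify` is a hypothetical server-side check, not Binance's code.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the Google Authenticator default


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) computed from a Base32 shared secret."""
    # Normalise the key the way authenticator apps do: drop spaces, upper-case, re-pad.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // STEP)   # 8-byte big-endian step counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Hypothetical server check: accept adjacent time steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * STEP), submitted)
        for i in range(-window, window + 1)
    )


# Constructed 16-character key standing in for the backup key shown at enrolment.
BACKUP_KEY = "GEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the run is reproducible
    code_on_phone = totp(BACKUP_KEY, now)
    # The same key typed into any other device yields the same code: the key
    # is the entire second factor, not just a recovery hint.
    code_from_key = totp("gezd gnbv gy3t qojq", now)
    print(code_on_phone, code_from_key, verify(BACKUP_KEY, code_from_key, now))
```

Because the codes are a pure function of the key and the clock, a disclosed backup key stays usable until 2FA is reset and a new key is issued.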
Phishing for Credentials Again?
After a user submits their login password along with their 16-digit backup key, they are directed to another login page asking for their email and password. It is unclear if this is an attempt to trick the user into believing they’ve been logged out after the so-called “2FA Upgrade” or if they’re phishing for credentials once more just to be sure.
Why Two-Factor/Step Verification Is Important
Despite the efforts of these scammers to steal the Binance backup key for Google Authenticator, using two-factor/step verification is still a critical account security measure. It is important that users don’t rely on text- or SMS-based two-factor authentication. Instead, users should utilize software tokens like Google Authenticator or hardware tokens like the Yubikey to protect their online accounts.
Install Cryptonite & Look For The Green Shield
If you haven’t already, you should install MetaCert’s Cryptonite browser extension. It adds a visual indicator, the Cryptonite shield, to your web browser; the shield turns green for verified websites.
If you visit binance.com, you should look for the green Cryptonite shield. If you don’t see the green shield, you shouldn’t submit your credentials.
Binance Users Should Be Skeptical
Scammers in the cryptocurrency space are very determined, and phishing is one of the most successful tools in their toolbox. That’s why it is important for not only Binance users, but most cryptocurrency enthusiasts, to be skeptical of unsolicited requests through email, social media and messaging applications like Telegram. In addition to this skepticism, enabling two-factor/step verification and using browser extensions like Cryptonite can thwart these types of phishing attempts. Binance also offers a security feature called “Anti-Phishing Code” that allows users to input a unique code that only they recognize. All future emails from Binance will always contain this unique code, and any fraudulent emails will not.
The MetaCert Protocol is a trust and reputation threat intelligence system for verifying web resources. It addresses a number of attack vectors, encompassing solutions for anti-phishing, child safety, brand protection, crypto-address verification, and news credibility. Find out more about the MetaCert Protocol, ask questions, and leave suggestions on both our White Paper and Technical Paper. You can also join our Telegram community to stay up to date on our blockchain project. Remember to install Cryptonite to protect yourself from phishing scams before it’s too late.