Dissecting a HitBTC phishing site

Welcome to part 2 of 1000 of “Harry follows phishers”

Jul 30, 2018 · 5 min read

One of our bots recently found a new, relatively sophisticated HitBTC phishing kit. We decided to dissect it.

What is HitBTC?

HitBTC is a cryptocurrency exchange doing, on average, over $250mln daily volume.

Like most cryptocurrency exchanges, HitBTC utilizes Cloudflare for DDOS protection and, like most cryptocurrency exchanges, it has a tendency to go down during periods of high traffic. During these times it is not unusual for users to see the Cloudflare anti-DDOS waiting screen, the Cloudflare snapshot page, or other Cloudflare error pages. You will see why this is relevant shortly.

The Phishing Kit

The logic behind this phishing kit is clever as it not only tricks you into handing over your details to steal your login details and 2FA codes, but it makes it quite hard to detect that you weren’t on the legitimate domain.

A screenshot of the phishing login form

The phishing domain is currently hiding behind Cloudflare proxy — we have issued takedown requests — but here’s what a victim would experience.

The screen mimicking the Cloudflare wait screen
The screen mimicking the Cloudflare error screen — which after some seconds redirects you to the legitimate HitBTC domain
A screenshot showing them imitating the 2FA code input — once submitted, they will test it on the legitimate HitBTC in the background

Regardless of whether or not a user has 2FA enabled, once the phishkit has the login details, it will display the Cloudflare 502 error and redirect the user back to the legitimate domain.

What makes this phishkit especially dangerous is that a user is unlikely to detect that they have just been compromised:

Diving Deeper

The domain certificate

When we investigate the backend scripts, we see that they have an application running on port 5000. We know this because a regular error view brings up the traditional Nginx page:

The traditional Nginx error view

However, if we navigate to anything with a path of /^twofa/ then we get a different view:

We can see that they have a separate app running in the backend that communicates with HitBTC.

The known background scripts (called via XHR) are:

Playing the Victim

I created a throwaway HitBTC account (without 2FA enabled) and submitted my details. Here’s the network log:

The network log of the successful phish

As you can see, the background script (called with POST /register) responded with an OK response — meaning their backend app was able to login to my HitBTC account. I was then shown the Cloudflare wait screen and then redirected to the legitimate domain via a 302 Found redirect.

Now that the bad actors have my details, I assumed they would create an API key that would grant them full access to my account. They would then use this access to, perhaps, buy-up shitcoins at a huge margin, like we saw with Binance. That said, at time of writing, no API key was created. It’s possible that they only create API keys if there are any coins or funds in the HitBTC account.

No API keys created just yet after giving my details to the bad actors

What can you do to stay safe?

As you probably gathered by now, the internet is “the wild-west” and even more-so when dealing with cryptocurrency. The attackers are getting increasingly sophisticated and it’s becoming more difficult for you to detect that you are on a phishing website.


The Official MyCrypto Blog

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store