Scammers in recent weeks have employed fake cryptocurrency web pages to attempt to steal money from users, the latest tactic to emerge in what has already been a costly year for crypto-related hacks.
The sham websites - which masquerade as pages for popular services such as Coinbase, Gemini, Kraken and MetaMask - aim to dupe visitors into providing information that helps hackers break into their cryptocurrency wallets, said researchers from the security firm Netskope. Fraudsters deployed search engine optimisation tactics to promote the websites, which used URL addresses that closely resembled the legitimate sites and propelled the fake pages to the first page of Google's search results, the researchers explained.
Google searches for phrases such as "kraken wallet" or "coinbase not working" (a query a user might run if the Coinbase site appeared to be down) returned results with the phishing links on the first page, a Bloomberg analysis found. A fraudulent version of the Kraken wallet appeared in a Google search in a more prominent position than Kraken's Twitter feed and Play store app.
In another case, a Google search for the "metamask ios" app yielded results that included one website that five popular antivirus services flagged as malicious, the Bloomberg analysis noted.
"A lot of people are making fake versions of real websites and directing users to those pages so they can take their money," said Erin Plante, senior director of investigations at the blockchain-analysis firm Chainalysis, adding that such techniques have been used in other types of cyberattacks. "A lot of this is age-old hacking."
The findings come amid a flurry of security incidents in cryptocurrency. Financial losses from cryptocurrency-related hacks totalled US$1.9 billion in the first 7 months of this year, said Chainalysis. Hackers stole US$1.2 billion over the same period in 2021, the company said.
Users who clicked on the fake websites were met with messages asking them to participate in a live Q&A with a scammer who pretended to be a customer service representative from a legitimate company, said Gustavo Palazolo, a security researcher at Netskope. During one such interaction, the bogus customer service representative asked Palazolo for his phone number in an apparent attempt to locate his cryptocurrency wallet, the researcher said.
"We detect a lot of phishing pages but when I saw the live chat function, that was something that's more serious than the usual threat," he said. "They got back to me within a minute after I sent a message."
The attackers duped Google's search algorithm into including the scam pages on the first page of the search results by frequently posting malicious URLs in comment sections on little-read blogs throughout the Web, Palazolo said. Repeatedly posting links increases the chances that Google will incorporate the URL into its results, he said, adding that the scammers also used Google Sites, a web creation tool, to create their malicious pages, giving the sites an air of credibility.
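The two signals the article describes (hostnames that closely resemble the real exchange and wallet domains, and brand names used on free-hosting pages such as Google Sites) can be checked on the defender's side before a link is trusted or allow-listed. The following is an added example, not Netskope's or Bloomberg's code: it classifies URLs from a constructed sample set against the four brands named in the article. The legitimate domains in LEGIT, the homoglyph table and the edit-distance threshold are assumptions that a real deployment would tune.

```python
import re
from urllib.parse import urlparse

# Assumption: the registrable domain each brand in the article actually uses.
LEGIT = {"coinbase": "coinbase.com", "gemini": "gemini.com",
         "kraken": "kraken.com", "metamask": "metamask.io"}
# Free-hosting platform the article says the scammers built pages on.
FREE_HOSTS = ("sites.google.com",)
# Assumed character substitutions commonly used to imitate a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for .com/.io, no public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def normalise(text):
    """Undo homoglyph tricks and keep letters only, so 'c0inbase' -> 'coinbase'."""
    for bad, good in HOMOGLYPHS.items():
        text = text.replace(bad, good)
    return re.sub(r"[^a-z]", "", text.lower())

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, brand): legit, lookalike, brand-on-free-host or unrelated."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registrable(host)
    if reg in LEGIT.values():
        return "legit", next(b for b, d in LEGIT.items() if d == reg)
    if host in FREE_HOSTS:
        # Brand name in the path of a free-hosting site, as the article describes.
        path = normalise(parsed.path)
        hit = next((b for b in LEGIT if b in path), None)
        return ("brand-on-free-host", hit) if hit else ("unrelated", None)
    # Otherwise test every hostname label for an embedded or near-miss brand name.
    for label in host.split("."):
        norm = normalise(label)
        for brand in LEGIT:
            if brand in norm or (len(norm) >= 4 and levenshtein(norm, brand) <= 2):
                return "lookalike", brand
    return "unrelated", None

def scan(urls):
    return [(u, *classify(u)) for u in urls]
```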
The number of victims duped as part of the fraud effort was not immediately clear.
Coinbase urged customers to remain on alert for such scams, publishing a security bulletin in July that offered tips on how to detect such fraud efforts. In a statement, a Kraken spokesperson said the company proactively identifies counterfeit websites and apps and works to take them down. The site also has a support page meant to help crypto users avoid fraud.
Neither Gemini nor MetaMask responded to requests for comment.
Numerous bogus websites identified by Netskope disappeared from search results after Bloomberg reported the malicious sites to Google.
"For most queries related to the mentioned topics, search results rank authoritative and reliable sources as the top results," a Google spokesperson said. "On Google Sites, we explicitly prohibit phishing; and we invest heavily in detecting, deterring and removing abuse from our platforms."
In a separate ruse earlier this year, fraudsters impersonated journalists, crypto apps and a variety of nonfungible token projects on Twitter to steal users' username and password credentials. Bloomberg