Litebit warned about this phishing attack

Published by Reza Rafati on

The users of the cryptocurrency exchange Litebit were warned today, as several users reported that they had received a phishing attack by email. The fun thing is, I was actually targeted by this phishing attack, so I decided to take a quick look at it and share the details with you.

Phishing email: Litebit Wallet security update

Screenshot of the actual phishing email

First, the Litebit users received an email stating that their KYC is incomplete and that action is needed to complete the Litebit KYC check; if it is not completed, the Litebit account will be locked.

After check of your LiteBit account settings  we have detect missing KYC information that needs to be updated. ‎‎Edit your account data, ‏‏‎or your account will be Iocked. ‎‏‏‎

Text used in the Litebit phishing attack

The scammers used a title that will certainly attract the attention of Litebit users, but once users take a closer look at the actual email, a lot of suspicious signs can be found:

  • Email is not sent by Litebit as the email does not add up
  • The hyperlink redirects to a website which isn’t Litebit
  • The exchange will communicate with you via their own portal
  • Litebit doesn’t use broken English

Phishing website

I took a couple of minutes to take a quick look at the phishing website. The following footage shows the address of the phishing site and it also shows the layout the attackers used to phish Litebit users.

Litebit phishing page

IOC

The following paths are used

  • account/login.html
  • account/details.html
  • account/ip.html

The following domain is used

  • litebit[.]eu46365987641[.]info

It is hosted on this IP

  • 185[.]145[.]97[.]49

URLscan report

Scheme

The attackers actually use a very direct scheme. They want to receive the information from the victims as soon as possible in the attack. After getting the email address, they will try to get the two-factor authentication code from the user. If they succeed in this, they will have access to the account and wallets of the compromised user.

  • The attackers try to lure personal information from the victims. This information can be used by the attackers in a later step, after getting the 2FA code. They need the user to provide it again, for example, when the attackers try to change options or try to move cryptocurrency towards their own wallets.
  • Once they have received the information, the attackers will try to log in, which will activate the forced two-factor authentication of the crypto exchange.
  • The user will receive, by email or SMS (or identifier), a pop-up for login with the requested two-factor authentication code. The criminals are trying to get this information from the user in the “IP address validation code” phishing page.

Screenshot of the phishing page

A different version of the same attack was published on social media. The link behind the URL heads towards the phishing page and not to the actual site of the crypto exchange.

Fake URL with redirect to phishing page

Litebit warning

The exchange actually warned their users about this phishing attack by email. They provided some tips on how to recognize these types of attacks.

In recent days we have seen a huge increase in phishing attempts via email, indicating that you have won crypto or being asked to verify your account and/or add missing information. Criminals copy the entire LiteBit website and emails in order to find out your login details and steal your money and crypto from the account.

Litebit response translated to English

Reza Rafati

Founder of Cyberwarzone.com.