The users of the cryptocurrency exchange Litebit got warned today as several users reported that they had received an phishing attack by email. The fun thing is, I actually got targeted by this phishing attack, so I decided to take a quick look at it, and share the details with you.
Phishing email: Litebit Wallet security update
First, the Litebit users received an email which states that the KYC is incomplete and actions are needed to complete the Litebit KYC check, if not completed, the Litebit account will get locked.
After check of your LiteBit account settings we have detect missing KYC information that needs to be updated. Edit your account data, or your account will be Iocked.
Text used in the Litebit phishing attack
The scammers used an title which will certainly attract the attention of Litebit users, but once the users take a closer look at the actual email, a lot of suspicious signs can be found:
- Email is not sent by Litebit as the email does not add up
- The hyperlink redirects to a website which isn’t Litebit
- The exchange will communicate with you via their own portal
- Litebit doesn’t use broken English
Phishing website
I took a couple of minutes to take a quick look at the phishing website. The following footage shows the address of the phishing site and it also shows the layout the attackers used to phish Litebit users.
IOC
The following paths are used
- account/login.html
- account/details.html
- account/ip.html
The following domain is used
- litebit[.]eu46365987641[.]info
It is hosted on this IP
- 185[.]145[.]97[.]49
URLscan report
Scheme
The attackers actually use a very direct scheme. They want to receive the information from the victims as soon as possible in the attack. After getting the email address, they will try to get the two-factor authentication code from the user. If they succeed in this, they will have access to the account and wallets of the compromised user.
- The attackers try to lure personal information from the victims. This information can be used by the attackers in a later step after getting the 2FA code. They need the user to provide it again for example when the attackers try to change options or try to move cryptocurrency towards their own wallets.
- Once they have received the information, the attackers will try to login, which will activate the forced two-factor authentication of the crypto exchange.
- The user will receive by email or sms (or identifier) an pop-up for login with the requested two-factor authentication code. The criminals are trying to get this information from the user in the “IP address validation code” phishing page.
A different version of the same attack was published on social media. The link behind the URL heads towards the phishing page and not to the actual site of the crypto exchange.
Litebit warning
The exchange actually warned their users for this phishing attack by email. They provided some tips on how to recognize these type of attacks.
In recent days we have seen a huge increase in phishing attempts via email, indicating that you have won crypto or being asked to verify your account and/or add missing information. Criminals copy the entire LiteBit website and emails in order to find out your login details and steal your money and crypto from the account.
Litebit response translated to English