Inside the New World of Cryptocurrency Phishing

by Corey M. Knoettgen

Nobody likes to be on the tail end of a phishing scam.

For security researchers, however, it can be fun to create a throwaway account to examine the inner dynamics of the scheme.

Older phishing schemes often involved simple emails, usually with misspellings, improbable claims, or other red flags.  Newer phishing schemes can involve a variety of web-based and social media products - not just email.

Recently, I had the pleasure of performing counter-reconnaissance on one of the newer phishing scams.

The scam started as a notification on my mobile Facebook account page.  The notification read "Atari Token shared your photo."

As a recent purchaser of the new Atari VCS, this sounded suspicious but exciting.  The notification came from a Facebook group account.  The Facebook group had what appeared to be an official Atari logo on it.  I was already a member of the official Atari VCS group, so the cognitive dissonance began to set in: it seemed probable that I was part of a limited market of new Atari VCS users, but the "contest" winnings seemed overly generous.

You may notice that every time you send a package via UPS, FedEx, or another carrier, you often receive emails or SMS messages carrying an "important update" about your delivery - a mix of legitimate and illegitimate contact attempts.  Depending on your cyber "domain competency," you may or may not recognize which contacts are legitimate and which are not.

That is one security gap that has existed for years and has not yet been closed.  Perhaps Microsoft DART could choose this as a future target.

Once the target of the Atari Token phishing scheme clicks on the notification, they are taken to the fake Facebook group page, where they are encouraged to click on a Bitly URL-shortened link.

In this case, the displayed URL was:

https://www.facebook.com/Atari-Token-104761991895877/?ref=page_internal

The fake post notified you that you had won over $9000 in Atari Coin.

URL shorteners can be used for both legitimate and illegitimate purposes, so depending on your level of cognitive dissonance and skepticism, you may be encouraged to click on the link inside this Facebook group that you never intentionally signed up for.

The post with the Bitly link inside the fake Facebook group had your Facebook picture.  So already we know that the designers of the scheme knew that you had an Atari account, matched it to your Facebook account, and grabbed your Facebook picture.  The exact extraction mechanism is not yet known to me - it could be via scraper, hijacking of a CDN linked to your Facebook account, or malicious API call.  There are a lot of possibilities.

Once the scammers' target clicks on the Bitly link, they are taken to a new web page.

Suspicion begins to creep in as you notice that the landing page uses the same red color scheme and general look-and-feel (LAF) as the "Your PC Is At Risk" scareware web pages.

That page then encourages you to click on a link to associate your "Metawallet" account with the Atari Coin people.

For the curious, you may click on the link and, depending on your pop-up settings and security software, a MetaMask fox-branded pop-up appears with an account name of approximately "Binance Account Team."  If you are a Windows user on Microsoft Edge, the default browser security settings warn you that the pop-up looks suspicious.  The pop-up window asks you to input your "seed phrase" and MetaMask password (or enter a new password altogether if you do not have an account).

MetaMask is a legitimate cryptocurrency wallet company, but in this case the scammers have impersonated them.  At this point, we decide to have fun: create a throwaway email account or non-critical email address, and create a fresh MetaMask account (one that will never hold funds) to find further details of the scheme.  MetaMask (metamask.io) is available as a browser extension for Chrome.

Once the MetaMask seed phrase is generated, you can pop it into the scammer's pop-up window.  Like other phishing-scheme-linked web pages and pop-ups, entering the information takes you to... nowhere.

If you take a moment to examine the URL at the top of the pop-up window, it displays:

https://crypto-coin-new.000webhostapp.com/metamask/?/nkbihfbeogaeaoehlefnkodbefgpgknn/home.html#restore-vault

(It is usually not a great idea to post exact URL identifiers, but my personal risk appetite tolerates this).

What is your next move, since the page goes nowhere?

Back on the attacker's landing page, you may see a link to a website called approximately ataritoken.com (the fake site had been taken down at the time of this writing), which is separate from the official ataritokens.com.  Or is it atarichain.com?  They both look so official.  Which web page is the legitimate one owned or managed by Atari?  You can peruse any of these pages and sign in or sign up for a new account, if you choose.
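Two details above are worth turning into a reusable check: the pop-up URL, where a 32-letter string formatted like a Chrome extension ID sits inside an https URL on a free hosting subdomain so that the path mimics the extension's own home.html#restore-vault route (a genuine extension page lives under the chrome-extension:// scheme, not on a web host), and the cluster of lookalike domains around the official ataritokens.com.  The following is an added example, not code from the article or from MetaMask or Atari; the trusted-domain allow-list, the brand-word list and the free-hosting suffix list are assumptions chosen for illustration, and the registered-domain extraction is deliberately naive (no Public Suffix List).

```python
"""URL triage for the two patterns in the article: lookalike domains and a
web-hosted page impersonating an extension-internal page.  Added example with
assumed lists; not the article's own tooling."""
import re
from urllib.parse import urlparse

# Assumed allow-list: registered domains the article treats as legitimate.
TRUSTED_DOMAINS = {"metamask.io", "ataritokens.com", "facebook.com"}
# Assumed brand words whose presence in an unknown host deserves a second look.
BRAND_WORDS = ("metamask", "atari", "binance")
# Assumed list of free hosts where anyone can publish under a chosen subdomain.
FREE_HOSTING_SUFFIXES = (".000webhostapp.com",)
# Chrome extension IDs are exactly 32 characters from the letters a-p.
EXTENSION_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive registered domain: the last two labels.  Real tooling would use
    the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(url, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing
    in the URL itself looked suspicious (which says nothing about the page)."""
    u = urlparse(url)
    if u.scheme == "chrome-extension":
        return []  # genuine extension-internal origin, not a web page
    host = (u.hostname or "").lower()
    domain = registered_domain(host)
    if domain in trusted:
        return []  # exact match on a trusted registered domain

    findings = []
    for t in sorted(trusted):
        if levenshtein(domain, t) <= 2:
            findings.append(f"lookalike of trusted domain {t}")
    for word in BRAND_WORDS:
        if word in host:
            findings.append(f"brand word '{word}' in untrusted host {host}")
    if host.endswith(FREE_HOSTING_SUFFIXES):
        findings.append("free web hosting subdomain")
    # An extension ID inside an http(s) URL means a web page is dressed up as
    # an extension-internal page; the real one would use chrome-extension://.
    if u.scheme in ("http", "https"):
        if EXTENSION_ID_RE.search(u.path + "?" + u.query):
            findings.append("extension ID in a web URL (impersonates chrome-extension:// page)")
        if u.fragment == "restore-vault":
            findings.append("MetaMask restore-vault route served from a web origin")
    return findings


# The pop-up URL quoted in the article, used here as sample input.
SCAM_URL = ("https://crypto-coin-new.000webhostapp.com/metamask/"
            "?/nkbihfbeogaeaoehlefnkodbefgpgknn/home.html#restore-vault")

if __name__ == "__main__":
    for candidate in (SCAM_URL, "https://ataritoken.com/", "https://atarichain.com/",
                      "https://metamask.io/download/"):
        print(candidate)
        for finding in triage(candidate) or ["no URL-level findings"]:
            print("  -", finding)
```

Note what the allow-list does not catch: the fake group itself lived on facebook.com, an entirely trusted domain, so an empty result from this kind of check only clears the URL, never the content behind it.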

Try as you might, you will just not be able to find out how to claim this Atari Coin.

The attackers have your MetaMask seed phrase and can steal all of your cryptocurrency, if you have any.  A seed phrase is the master secret from which every account in the wallet is derived; unlike a password it cannot be changed, so the only remedy is to move any funds to a wallet created from a fresh seed.  But this attack has it all - it links phishing, social media, crypto wallets, gaming consoles, and possibly Ethereum or PayPal accounts.  It is a novel form of attack which we may see more of in the future.

Kudos to Facebook for taking down the fake Atari Coin Facebook group within 24 hours.

I attempted to gather additional details, but the original notification now reads: "Couldn't load post.  This post may have expired, or it may only be visible to an audience you're not in."

As it should.  Somebody must have reported the group to Facebook as suspicious - an easy avenue to slow down would-be attackers.
