Two-Factor Auth Won’t Save You (A Cryptocurrency Phishing Tale)

By Rick Deacon on March 15, 2018

The Hack

Yesterday, one of the largest cryptocurrency exchanges, Binance, experienced what appeared to be a hack. The outcome was hundreds of accounts selling off all of their altcoins and buying Viacoin (VIA). The account holders had not authorized these sell orders, prompting them to contact Binance about the issue.

Binance reacted positively but denied the existence of a hack, confirming their systems seemed to be functioning as normal. This led to an investigation of what could have gone wrong.

What they discovered was not shocking — hundreds of user accounts had been phished using a visually similar domain. The domain had been discovered weeks earlier, but this was apparently a long con: the attackers had already been harvesting account credentials for some time.

It’s not shocking: phishing is the leading cause of credential loss and stolen accounts. The technique, registering domains that closely resemble well-known ones, has been documented for years. Since cryptocurrency is the “new hotness”, it makes sense that attackers would target an audience where millions of dollars are exchanged every day.
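Lookalike-domain detection of the kind this attack relies on, as an added example that is not from the original post or from Apozy's product: it strips Unicode diacritics and folds a few ASCII look-alikes before comparing a hostname with the protected domain. The confusable map and the sample hostnames are constructed for illustration, not the domain used in the incident.

```python
import unicodedata
from typing import Optional

# The brand domain we want to protect (taken from the post).
PROTECTED = "binance.com"

# Constructed, deliberately small confusable map; a production deployment would
# use the full Unicode confusables table (UTS #39). Multi-char entries go first.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                     ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e")]

def skeleton(host: str) -> str:
    """Visually normalised form: lower-case, diacritics removed, look-alikes folded."""
    host = host.lower().rstrip(".")
    # NFKD splits e.g. 'ị' into 'i' + combining dot below; drop the combining marks.
    decomposed = unicodedata.normalize("NFKD", host)
    host = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for src, dst in ASCII_CONFUSABLES:
        host = host.replace(src, dst)
    return host

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, protected: str = PROTECTED) -> Optional[str]:
    """None for the genuine domain; otherwise 'homoglyph' (differs only in
    look-alike characters), 'typosquat' (within edit distance 2),
    'brand-in-name' (brand label embedded in a longer name) or 'unrelated'."""
    if host.lower().rstrip(".") == protected:
        return None
    if skeleton(host) == skeleton(protected):
        return "homoglyph"
    if levenshtein(skeleton(host), skeleton(protected)) <= 2:
        return "typosquat"
    if protected.split(".")[0] in skeleton(host):
        return "brand-in-name"
    return "unrelated"

# Constructed sample hostnames, e.g. from a DNS or proxy log.
SAMPLES = ["binance.com", "bịnance.com", "binánce.com", "b1nance.com",
           "binace.com", "binance-login.com", "example.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:20s} -> {classify(h)}")
```

Feeding proxy or DNS logs through `classify` and alerting on anything other than `None` or `unrelated` gives an early warning before credentials are entered.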

The attackers were stealing credentials and then creating API keys in the compromised accounts, giving them free rein to make trades on the platform quickly.

Two-Factor Fail

What makes this attack more interesting is that Binance REQUIRES the use of 2-factor authentication via Google Authenticator. Users need to enter a 6-digit code which is sent to their device before they can log into the platform to trade.

That means the attackers not only phished usernames and passwords but also captured the one-time authentication code, and they kept the session open long enough to conduct trades even months later.

This is a great example of when 2-factor couldn’t quite cut it. The users navigated to the fake Binance page, entered their creds, entered their 2FA, and went on their way without knowing they were in danger.

The outcome was staggering — the APIs created were used to drive up the value of Viacoin from $1.96 per VIA to $233 per VIA, creating an enormous windfall for the hackers who likely owned a ton of Viacoin to begin with.

Light at the End

In the end, Binance, being an upstanding platform, refunded all the fraudulent transactions. The hackers, still unknown at time of writing, may have walked away with a very large sum of money. Given the transactions are public on the blockchain ledger, I’m sure they’re being traced as we speak. I’ll be sure to follow up with any further information as I read it!

What should crypto traders and companies do?

I’ve shed some light on how 2-Factor is not the end-all of authentication. Further protections need to be taken in order to ensure these sorts of attacks don’t affect other platforms and services you or your company may use. Your best bet is to use Native Browser Isolation to stop ANY web-based attacks, including phishing, ransomware, and malicious scripts.

In the case of this Binance phishing attack, any users of Apozy’s Native Browser Isolation platform NoHack would have encountered a screen similar to what you see below, completely protecting them from any lost credentials.

About Apozy

Founded in April of 2014 in San Francisco, we are a venture-backed motley crew of passionate hackers building cybersecurity technologies to make the world's information faster, cleaner and safer to access.