BSidesSF Recap: A Dive Into Fighting Phishing Scams

At Gemini, securing and protecting customer assets and personal information is our top priority.

To ward off potential scams, Gemini security engineers engage in “threat hunting.” To identify a scammer, they set up dummy accounts, get phished on purpose, and then work backward to identify potential avenues to disrupt the campaign quickly.

Earlier this year, Gemini security analyst Rick Ramgattie presented at the BSidesSF security conference in San Francisco on the perils of phishing. Dubbed “Hook, Line & Tinker: A Dive Into Phishing Company Sites," Ramgattie's 30-minute talk went in-depth into how he roots out malicious actors through his work at Gemini and elsewhere.

This blog highlights a few examples from the presentation.

The Perils of Adversary in the Middle (AiTM) Phishing Attacks:

Adversary in the Middle (AiTM) phishing attacks have become increasingly popular among cybercriminals, posing significant risks to individuals and organizations alike. Unlike traditional phishing methods, AiTM attacks involve a malicious actor configuring a reverse proxy like Evilginx to forward communications between the victim and a legitimate service, often in real time. This sophisticated technique allows attackers to bypass traditional multi-factor authentication (MFA) and gain unauthorized access to sensitive information, making it a particularly dangerous threat in the current cybersecurity landscape.

In the first example presented by Ramgattie , a phishing site took the user’s login info (i.e. username and password) and forwarded it to the actual site. If the credentials were valid, the phishing site would ask the user for their 2FA code and sign into the victim’s account.

“This is why I originally called it a proxy ATO,” Ramgattie said. “My input was being proxied by something I didn’t know about.”

Ramgattie ascertained that the scammers were using automation (ex. 2Captcha) to solve the real site’s CAPTCHA based on the speed between when the user entered their credentials into the phishing site and when the request was received by the real site. This discovery highlighted that traditional anti-automation controls are ineffective against modern AiTM attacks.

Given this discovery, Ramgattie began reviewing the logs for confirmed compromised accounts and determined that the attacker was changing each victim's email address as soon as they signed into their account. At first this appeared to be a persistence tactic, but closer analysis of this fraud control helped him realize this was meant to serve as a means to obtain access to the underlying validation link emailed to the user.

Ramgattie’s solution: Require access to the inbox of the account's current email address before allowing changes. It worked. The attacker could not access the verification link sent to the original email address, and it prevented further losses.

Identifying Phishing Sites through Referer Leaks

Threat actors play the numbers game when trying to lure users into sharing their credentials, deploying hundreds of sites to host their phishing campaigns.

While analyzing phishing campaign sites, Ramgattie learned that attackers sometimes disclose their infrastructure when they attempt to redirect victims to the genuine site.

In Ramgattie’s second phishing example, he found numerous sites configured to steal user login information. Many of these sites featured a Gemini image that redirected the user to the phishing site. When Ramgattie tried to log in with fake or true credentials, he received an error message that contained a link redirecting him to Gemini’s real login page.

In this case, no “adversary in the middle” was orchestrating an account takeover. So Ramgattie checked the back-end for every single request issued on his browser to understand the attacker’s strategy.

“Every time somebody put their credentials into the real site, their back-end was sending an email with the credentials to a collection of email addresses,” Ramgattie said. “They were harvesting the credentials. I was able to figure that out because they did a poor job of setting up their server.”

Ramgattie found more than 200 phishing sites for that campaign. And it often took hosting providers more than a week to take down these sites. Even worse, many email providers offered no means to report the harvesting activity without email headers.

The Brazilian Email Problem

For Ramgattie’s final example, he showed an instance when Gemini users were subjected to an email phishing campaign which claimed they were going to receive crypto assets via airdrop. But there were myriad signs that it was a phishing scam:

For one, the email address included the word “ecomotor,” which has nothing to do with Gemini or its products.

If users didn’t notice and continued to click on the “proceed now” button, it directed them to a landing page that appeared identical to Gemini’s homepage. From there, it prompted them to enter the pin provided on the previous page, and subsequently to connect to a Web3 wallet. If the victim approved the transfer, it would clean out their wallet.

This was an example of a phishing site leveraging Gemini’s brand to swindle users.

Fortunately, MetaMask allows you to report domains that are using sites for phishing campaigns. Reported domains will get automatically blocked if MetaMask users visit the page. From the perspective of protecting users, this will likely be faster than reporting it to hosting providers; at least it was for us.

Onward and Upward!
Team Gemini