On July 27th 2018, Aspida’s engineers discovered a very sophisticated cyber attack affecting users of popular crypto trading platform Binance.

Attack was first detected at approx. UTC 9:30 am. During login on binance.com, a silent redirection was initiated, completing login at phishing site blovnamce.com.

The phishing site was an exact replica of original website, with a rarely seen level of accuracy (100%). It was basically indistinguishable, drawing content from actual website of Binance. Phishing site also featured a certificate by the costless “Let’s Encrypt” certificate issuing authority. Domain of phishing site is blovnamce.com, a domain name first appeared to be registered on July 20th 2018, just a week ago.

Victims were navigating in phishing site with commands being forwarded to actual site in real time, using methods under investigation, and Binance’s API could have played a role in attackers handling transactions. Another possible method for this attack is DNS poisoning, (an attack on which DNS servers which resolve domain names like binance.com into IP addresses which finally accept traffic, are filled with wrong data, routing traffic of specific sites to malicious clones), however since this is not reproducible at the moment, there is lack of evidence on this.

After providing username, password and 2 factor authentication code, victims log into the phishing site. Since users are using the same browsers as before the hack, they aren’t prompted to authorize login, because binance remembers browser. However they get an alert that they signed in from a new IP address.

After login victims are greeted with the following pop up window, matching Binance’s original pop-up aesthetics.

Users are prompted to transfer funds to a new type of wallet, with a very long explanation on why Binance is undergoing this alleged wallet migration. Worth noting is that language used is too intimate, and this should be a warning.

First clear sign of the hack for the ones who haven’t noticed the redirection is when victim receives email to confirm the transaction, initiated by IP address 146.185.234.50, locatable somewhere in Russian Federation. Of course most users don’t know their actual IP addresses, and can easily be deceived. 

Findings were reproducible for a period of approximately 60 minutes, when all of a sudden, redirection during login stopped, possibly after being detected by Binance’s security staff, or DNS poisoning being corrected.

Technical details on the attack are still under investigation, and degree of exposure of Binance’s own infrastructure cannot be fully determined. Aspida tried contacting binance, but they refused to acknowledge any breach, and their comments were limited on accusing users of being phished, however a redirection to the malicious site were witnessed by us, only to cease an hour later.

At the moment phishing site blovnamce.com is still online, and reproduces actual content of binance.com, go ahead and visit, but please do not log in!

 

Note that this is not the first time such limited cyber attacks have been reported in crypto platforms, with binance being accused of similar incidents last February, but failing to admit any responsibility.

 

Top Scan Results:

https://observatory.mozilla.org/analyze/www.binance.com

Content Security Policy (CSP) implemented, but allows 'unsafe-eval'

Referrer-Policy header set unsafely to "origin", "origin-when-cross-origin", or "unsafe-url"

Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..."

Session ID SameSite No

 

More Scan Screenshots