Quantify the value of Netskope One SSE – Get the 2024 Forrester Total Economic Impact™ study

fechar
fechar
  • Por que Netskope divisa

    Mudando a forma como a rede e a segurança trabalham juntas.

  • Nossos clientes divisa

    A Netskope atende a mais de 3.400 clientes em todo o mundo, incluindo mais de 30 das empresas da Fortune 100

  • Nossos parceiros divisa

    Fazemos parceria com líderes de segurança para ajudá-lo a proteger sua jornada para a nuvem.

Líder em SSE. Agora é líder em SASE de fornecedor único.

Descubra por que a Netskope estreou como líder no Quadrante Mágico™ do Gartner® para Single-Vendor SASE

Obtenha o Relatório
Do Ponto de Vista do Cliente

Leia como os clientes inovadores estão navegando com sucesso no cenário atual de mudanças na rede & segurança por meio da plataforma Netskope One.

Baixe o eBook
Do Ponto de Vista do Cliente
A estratégia de comercialização da Netskope, focada em Parcerias, permite que nossos Parceiros maximizem seu crescimento e lucratividade enquanto transformam a segurança corporativa.

Saiba mais sobre os parceiros da Netskope
Grupo de diversos jovens profissionais sorrindo
Sua Rede do Amanhã

Planeje seu caminho rumo a uma rede mais rápida, segura e resiliente projetada para os aplicativos e usuários aos quais você oferece suporte.

Receba o whitepaper
Sua Rede do Amanhã
Netskope Cloud Exchange

O Cloud Exchange (CE) da Netskope oferece aos clientes ferramentas de integração poderosas para tirar proveito dos investimentos em estratégias de segurança.

Saiba mais sobre o Cloud Exchange
Vista aérea de uma cidade
  • Security Service Edge divisa

    Proteger-se contra ameaças avançadas e com nuvens e salvaguardar os dados em todos os vetores.

  • SD-WAN divisa

    Confidentemente, proporcionar acesso seguro e de alto desempenho a cada usuário remoto, dispositivo, site, e nuvem.

  • Secure Access Service Edge divisa

    O Netskope One SASE oferece uma solução SASE nativa da nuvem, totalmente convergente e de fornecedor único.

A plataforma do futuro é a Netskope

O Security Service Edge (SSE), o Cloud Access Security Broker (CASB), o Cloud Firewall, o Next Generation Secure Web Gateway (SWG) e o Private Access for ZTNA foram integrados nativamente em uma única solução para ajudar todas as empresas em sua jornada para a arquitetura Secure Access Service Edge (SASE).

Vá para a plataforma
Vídeo da Netskope
Next Gen SASE Branch é híbrida — conectada, segura e automatizada

Netskope Next Gen SASE Branch converge o Context-Aware SASE Fabric, Zero-Trust Hybrid Security e SkopeAI-Powered Cloud Orchestrator em uma oferta de nuvem unificada, inaugurando uma experiência de filial totalmente modernizada para empresas sem fronteiras.

Saiba mais sobre Next Gen SASE Branch
Pessoas no escritório de espaço aberto
SASE Architecture For Dummies (Arquitetura SASE para leigos)

Obtenha sua cópia gratuita do único guia de planejamento SASE que você realmente precisará.

Baixe o eBook
Livro eletrônico SASE Architecture For Dummies (Arquitetura SASE para leigos)
Mude para serviços de segurança na nuvem líderes de mercado com latência mínima e alta confiabilidade.

Conheça a NewEdge
Rodovia iluminada através de ziguezagues na encosta da montanha
Permita com segurança o uso de aplicativos generativos de IA com controle de acesso a aplicativos, treinamento de usuários em tempo real e a melhor proteção de dados da categoria.

Saiba como protegemos o uso de IA generativa
Ative com segurança o ChatGPT e a IA generativa
Soluções de zero trust para a implementação de SSE e SASE

Conheça o Zero Trust
Passeio de barco em mar aberto
Netskope obtém alta autorização do FedRAMP

Escolha o Netskope GovCloud para acelerar a transformação de sua agência.

Saiba mais sobre o Netskope GovCloud
Netskope GovCloud
  • Recursos divisa

    Saiba mais sobre como a Netskope pode ajudá-lo a proteger sua jornada para a nuvem.

  • Blog divisa

    Saiba como a Netskope permite a transformação da segurança e da rede por meio do serviço de acesso seguro de borda (SASE)

  • Eventos e workshops divisa

    Esteja atualizado sobre as últimas tendências de segurança e conecte-se com seus pares.

  • Security Defined divisa

    Tudo o que você precisa saber em nossa enciclopédia de segurança cibernética.

Podcast Security Visionaries

Previsões para 2025
Neste episódio de Security Visionaries, temos a companhia de Kiersten Todt, presidente da Wondros e ex-chefe de gabinete da Agência de Segurança Cibernética e de Infraestrutura (CISA), para discutir as previsões para 2025 e além.

Reproduzir o podcast Navegue por todos os podcasts
Previsões para 2025
Últimos blogs

Leia como a Netskope pode viabilizar a jornada Zero Trust e SASE por meio de recursos de borda de serviço de acesso seguro (SASE).

Leia o Blog
Nascer do sol e céu nublado
SASE Week 2024 On-Demand

Aprenda a navegar pelos últimos avanços em SASE e confiança zero e explore como essas estruturas estão se adaptando para enfrentar os desafios de segurança cibernética e infraestrutura

Explorar sessões
SASE Week 2024
O que é SASE?

Saiba mais sobre a futura convergência de ferramentas de redes e segurança no modelo predominante e atual de negócios na nuvem.

Saiba mais sobre a SASE
  • Empresa divisa

    Ajudamos você a antecipar os desafios da nuvem, dos dados e da segurança da rede.

  • Carreira divisa

    Junte-se aos mais de 3.000 membros incríveis da equipe da Netskope que estão criando a plataforma de segurança nativa da nuvem líder do setor.

  • Customer Solutions divisa

    Estamos aqui junto com você a cada passo da sua trajetória, assegurando seu sucesso com a Netskope.

  • Treinamento e credenciamentos divisa

    Os treinamentos da Netskope vão ajudar você a ser um especialista em segurança na nuvem.

Apoiando a sustentabilidade por meio da segurança de dados

A Netskope tem o orgulho de participar da Visão 2045: uma iniciativa destinada a aumentar a conscientização sobre o papel da indústria privada na sustentabilidade.

Saiba mais
Apoiando a sustentabilidade por meio da segurança de dados
Ajude a moldar o futuro da segurança na nuvem

Na Netskope, os fundadores e líderes trabalham lado a lado com seus colegas, até mesmo os especialistas mais renomados deixam seus egos na porta, e as melhores ideias vencem.

Faça parte da equipe
Vagas na Netskope
Netskope dedicated service and support professionals will ensure you successful deploy and experience the full value of our platform.

Ir para Soluções para Clientes
Netskope Professional Services
Proteja sua jornada de transformação digital e aproveite ao máximo seus aplicativos de nuvem, web e privados com o treinamento da Netskope.

Saiba mais sobre Treinamentos e Certificações
Grupo de jovens profissionais trabalhando

Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing

Sep 15 2022

Summary

On August 9, 2022, we released a blog post about a phishing campaign where attackers were abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from different targets, namely Coinbase, MetaMask, Kraken, and Gemini. The attackers were abusing SEO techniques to spread the pages and using advanced techniques to steal data, such as using live chats to interact with victims.

Over the past month, the attackers responsible for the phishing campaign have proven to be resilient to take-downs. Most of the URLs we found in August are still active and the attacker is taking measures to keep the operation online. Furthermore, we found new phishing pages with the same targets disclosed in the initial research, and new phishing pages mimicking Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay

We found the following target distribution analyzing the URLs hosted on Google Sites:

Graph showing the percentage of phishing targets represented in this research

In this blog post, we will provide a follow up to the blog post we released in August, showing what has changed since then.

How the attack works

  1. The victim searches for a cryptocurrency website using specific keywords (e.g. “have MetaMask account”) and the phishing page is displayed first or among the first results.
  2. The first phishing page mimics the original website and contains a lot of elements to boost SEO. This stage redirects the victim to another phishing website via links within the page.
  3. The second phishing page tries to steal sensitive information, such as the cryptocurrency account credentials or secret recovery phrases.
  4. The last page also comes with a live web chat where the attacker interacts with the victim, likely to steal more sensitive data.
Cryptocurrency phishing attack flow summarydiagram

Attacker’s resilience

Analyzing the URLs we found in August, we noticed that over the past month:

  1. All of the URLs used in the second stage were taken down;
  2. 75% of the first stage URLs remain online, and for those URLs the attacker either:
    1. Removed the second stage URL;
    2. Added a new online second stage URL.

The Google Sites information banner indicates that the attacker is constantly updating the first stage pages.

Screenshot of. Change history from multiple phishing pages.
Change history from multiple phishing pages.

In summary, the attacker is replacing the Microsoft Azure URLs with new ones to remain operant. Also, in some cases the attacker just removed the offline URL instead of adding a new one, likely to avoid the user being redirected to an offline page that was flagged as phishing while they are working to get another page online.

New targets

Aside from the companies we have previously identified, we found new Google Sites URLs for Binance, Crypto.com, Gate.io, KuCoin, PancakeSwap, and Shakepay

These new URLs all follow the same attack pattern, using Google Sites to mimic the original website. However, only the Crypto.com phishing page contains a second stage URL at this point. All of the other pages were either redirecting the user to the original website being mimicked or not redirecting anywhere. It’s unclear whether the attacker is still developing the second stage for the other targets or if they were already taken down and removed from the page. 

Crypto.com

This phishing page works the same as the others, by mimicking the original website in the first stage, created with Google Sites.

Screenshot of Crypto.com phishing created with Google Sites.
Crypto.com phishing created with Google Sites.

It then redirects the victim to the second stage, hosted with Microsoft Azure Web App, to a page that tries to steal the user’s credentials.

Screenshot of Crypto.com phishing created with Microsoft Azure Web App.
Crypto.com phishing created with Microsoft Azure Web App.

After entering the username and password, the webpage requests the victim’s phone number.

Screenshot of Crypto.com phishing requesting the victim’s phone number.
Crypto.com phishing requesting the victim’s phone number.

After entering the phone number, the page shows a fake error message and asks the victim to contact them via web chat, which is the same behavior found previously.

Screenshot of Crypto.com phishing displaying a fake error message.
Crypto.com phishing displaying a fake error message.

Binance

Below, is an example of a website hosted on Google Sites that mimics Binance.

Screenshot of Website mimicking Binance, following the same phishing pattern.
Website mimicking Binance, following the same phishing pattern.

Gate.io

Below, is an example of a website hosted on Google Sites that mimics Gate.io.

Screenshot of Website mimicking Gate.io, following the same phishing pattern.
Website mimicking Gate.io, following the same phishing pattern.

KuCoin

Below, is an example of a website hosted on Google Sites that mimics KuCoin.

Screenshot of Website mimicking KuCoin, following the same phishing pattern.
Website mimicking KuCoin, following the same phishing pattern.

ShakePay

Below, is an example of a website hosted on Google Sites that mimics ShakePay.

Screenshot of Website mimicking Shakepay, following the same phishing pattern
Website mimicking Shakepay, following the same phishing pattern

PancakeSwap

Below, is an example of a website hosted on Google Sites that mimics PancakeSwap.

Screenshot of Website mimicking PancakeSwap, following the same phishing pattern.
Website mimicking PancakeSwap, following the same phishing pattern.

New URLs, Same Targets

Additionally, we found 66 new Google Sites URLs with the same targets disclosed in the first research, which are Coinbase, MetaMask, Kraken, and Gemini.

We also found a new template used for MetaMask phishing.

Screenshot of MetaMask phishing page created with Google Sites.
MetaMask phishing page created with Google Sites.

The second stage works exactly like the ones we spotted previously, but it’s using a new template as well.

Screenshot of Second stage of MetaMask phishing, hosted with Microsoft Azure Web App.
Second stage of MetaMask phishing, hosted with Microsoft Azure Web App.

The “Import Wallet” button leads to a modal that asks for the secret recovery phrase for MetaMask.

Screenshot of Modal asking for the secret recovery phrase
Modal asking for the secret recovery phrase

The “Sign In” option contains some slight differences compared to the phishing we spotted previously, but it has the same goal of stealing the victim’s credentials.

Screenshot of MetaMask phishing trying to steal user’s credentials.
MetaMask phishing trying to steal user’s credentials.

It also comes with the same live chat feature we previously mentioned, but this time it opens in a popup window.

Screenshot of Popup window with a live chat between the attacker and victim.
Popup window with a live chat between the attacker and victim.

According to the information button provided by Google Sites, this page was likely changed on August 23, 2022.

Conclusions

Based on this additional research, we believe attackers will continue to use this pattern, as they can create multiple accounts in these cloud services and easily replicate the phishing templates using different URLs. Also, by dividing this phishing in two stages (Google Sites and Microsoft Azure), the attackers are creating more resilience, since they can simply replace an offline URL to another one to keep the operation online.

Netskope strongly recommends users to directly access the website they are trying to reach instead of searching or clicking on any links throughout the internet. For organizations, we also recommend the usage of a secure web gateway, capable of detecting and blocking phishing in real time.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators. Netskope Next Gen SWG inspects all HTTP and HTTPS traffic, using a combination of threat intelligence, signatures, heuristics, and machine learning to identify and block phishing pages in real time.

IOCs

First stage URLs

hxxps://sites.google[.]com/crypto-coinexchange.com/geminiexchangee/home

hxxps://sites.google[.]com/cryptocomlog.com/crypto-com-login/home

hxxps://sites.google[.]com/365cryptocurrencies.com/coinbasewallet/home

hxxps://sites.google[.]com/365cryptocurrencies.com/kucoin-logi/

hxxps://sites.google[.]com/365cryptocurrencies.com/kucoinucentersignin/

hxxps://sites.google[.]com/askmewallet.com/binancewalletextension/home

hxxps://sites.google[.]com/askmewallet.com/geminilogin/home

hxxps://sites.google[.]com/askmewallet.com/pancakeswaplogin/home

hxxps://sites.google[.]com/askmewallet.com/shakepaylogin/home

hxxps://sites.google[.]com/askscryptous.com/coinbaselogin/home

hxxps://sites.google[.]com/askscryptous.com/coinbasewallet/home

hxxps://sites.google[.]com/askscryptous.com/geminisignin/home

hxxps://sites.google[.]com/askscryptous.com/metamask-login/home

hxxps://sites.google[.]com/askscryptous.com/metamasklogin/home

hxxps://sites.google[.]com/askscryptous.com/metamasksignin/home

hxxps://sites.google[.]com/askscryptous.com/metamaskwalletlogin/home

hxxps://sites.google[.]com/bitcoinbasepro.com/coinbaselogincom/

hxxps://sites.google[.]com/coinbasecom.org/coinbaselogin/home

hxxps://sites.google[.]com/coinbaseloginn.com/coinbaseloginn/home

hxxps://sites.google[.]com/coinbselogin.com/coinbaselogin/home

hxxps://sites.google[.]com/coindesklogin.com/coinbase-wallet/home

hxxps://sites.google[.]com/coinlogins.com/coinbase-down/home

hxxps://sites.google[.]com/coinsprologin.com/coinbasewallet-login/home

hxxps://sites.google[.]com/crypto-coinexchange.com/binance-exchange/home

hxxps://sites.google[.]com/crypto-coinexchange.com/coinbaseexchange/home

hxxps://sites.google[.]com/crypto-coinexchange.com/krakenexchange/home

hxxps://sites.google[.]com/crypto-coinwallet.com/coinbase-wallet/home

hxxps://sites.google[.]com/crypto-coinwallet.com/coinbasewallet/home

hxxps://sites.google[.]com/crypto-coinwallet.com/geminiwallet/home

hxxps://sites.google[.]com/crypto-coinwallet.com/metamask-wallet/home

hxxps://sites.google[.]com/cryptobitwallets.com/metamasksignin/home

hxxps://sites.google[.]com/cryptobitwallets.com/metamaskwallet/home

hxxps://sites.google[.]com/cryptocom-login.com/cryptocomloginin/home

hxxps://sites.google[.]com/cryptocomlog.com/cryptocom-login/home

hxxps://sites.google[.]com/cryptologn.com/coinbaseprologin

hxxps://sites.google[.]com/cryptologn.com/coinbasewallet/

hxxps://sites.google[.]com/cryptologn.com/metamasksignin

hxxps://sites.google[.]com/cryptowalletbit.com/blockfi-wallet/home

hxxps://sites.google[.]com/cryptowalletsusa.com/metamasklogin/home

hxxps://sites.google[.]com/cryptowalletts.com/pancake-swap/home

hxxps://sites.google[.]com/csscrypton.com/crypto-login/home

hxxps://sites.google[.]com/ecryptowalletpay.com/coinbase-wallet-login/home

hxxps://sites.google[.]com/gateiolog.com/gateiologin/home

hxxps://sites.google[.]com/kucoin-log.com/kucoinlogini/home

hxxps://sites.google[.]com/kucoinguide.com/kucoinlogin/

hxxps://sites.google[.]com/kucoinguide.com/kucoinloginsignin/

hxxps://sites.google[.]com/metaipmasklogin.com/metamasklogin/home

hxxps://sites.google[.]com/metamamk.com/metamask-log-in/home

hxxps://sites.google[.]com/metamask-ios.com/metamask-extensions/home

hxxps://sites.google[.]com/metamask-ios.com/metamask-login/home

hxxps://sites.google[.]com/metamask-ios.com/metamaskextension/home

hxxps://sites.google[.]com/metamask-ios.com/metamaskloginin/home

hxxps://sites.google[.]com/metamask-ios.com/metamasksigninn/home

hxxps://sites.google[.]com/metamask-log.com/metamask-login/home

hxxps://sites.google[.]com/metamask-log.com/metamask-signin/home

hxxps://sites.google[.]com/metamask-log.com/metamasklogin/home

hxxps://sites.google[.]com/metamask-log.com/metamasksignin/home

hxxps://sites.google[.]com/metamaskexts.com/metamasklogin/home

hxxps://sites.google[.]com/metamaskexts.com/metamaskloginn/home

hxxps://sites.google[.]com/metamaskios.com/metamask-login/home

hxxps://sites.google[.]com/metamaskios.com/metamasksignin/home

hxxps://sites.google[.]com/metamaskios.com/metamaskwallet/home

hxxps://sites.google[.]com/metanimasklogin.com/metamasklogin/home

hxxps://sites.google[.]com/metanimasklogin.com/metamasksignin/home

hxxps://sites.google[.]com/metmasklogin.com/metamask-extension/home

hxxps://sites.google[.]com/metmasklogin.com/metamask-login/home

hxxps://sites.google[.]com/metmasklogin.com/metamaskio-wallet/home

hxxps://sites.google[.]com/metmsk-logi.com/metamasksignin/home

hxxps://sites.google[.]com/meutmask-log.com/metamaskwallet/home/

hxxps://sites.google[.]com/mynewcoins.com/metamasklogin/home

hxxps://sites.google[.]com/myprowallets.com/metamask-extension/home

hxxps://sites.google[.]com/usacoinlogin.com/metamasksignin/home/

hxxps://sites.google[.]com/view/coinbasewallett/home

hxxps://sites.google[.]com/view/gemini-login-usa/

hxxps://sites.google[.]com/view/gemini-login-usa/home

hxxps://sites.google[.]com/view/geminiexchangee/

hxxps://sites.google[.]com/view/geminiwallet/

hxxps://sites.google[.]com/view/metamask-extention/home

hxxps://sites.google[.]com/view/metamaskloginwallet

hxxps://sites.google[.]com/view/metamaskwalletloginus/

hxxps://sites.google[.]com/view/metamaskwallt/home

Second stage URLs

hxxps://caerytos-log.azurewebsites[.]net/

hxxps://cetryeyptos-log.azurewebsites[.]net/

hxxps://coainasbe-log.azurewebsites[.]net/

hxxps://coianasbe-wkalle.azurewebsites[.]net/

hxxps://coinasnbe-walle.azurewebsites[.]net/

hxxps://coinnbass-log.azurewebsites[.]net/

hxxps://crytpeios-log.azurewebsites[.]net/

hxxps://gemnminin-log.azurewebsites[.]net/

hxxps://krakaken-log.azurewebsites[.]net/

hxxps://maataamaask.azurewebsites[.]net/

hxxps://mamametamask-walle.azurewebsites[.]net/

hxxps://metidismakskklo.azurewebsites[.]net/

hxxps://mmetatasamask-log.azurewebsites[.]net/

hxxps://mmetatsamasks-walle.azurewebsites[.]net/

author image
Gustavo Palazolo
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.

Mantenha-se informado!

Subscribe for the latest from the Netskope Blog