Sophisticated AI-generated Gitbook lures phishing the crypto industry

For the past year, Netcraft researchers have been tracking a threat actor using generative AI to assist in the creation of 17,000+ phishing and lure sites. These sites operate as infrastructure for phishing attacks that target more than 30 major crypto brands, including Coinbase, Crypto.com, Metamask, Trezor, and others.  

These sites form part of a sophisticated, multi-step attack. The attack utilizes lure sites to hook victims, phishing sites to capture details, and a Traffic Distribution System (TDS) used to mask the relationships between attack infrastructure. With advanced deception techniques, like the ability to capture 2-factor authentication codes, this campaign highlights several of the most innovative capabilities of modern multi-channel phishing threats. 

As phishing attacks become more complex than ever, recent advancements in generative AI further enhance these attacks by enabling threat actors to rapidly automate the creation of unique content that convincingly impersonates a wide variety of targets. The use of gen AI is also evident in other forms of cybercrime, such as donation scams and Advance Fee Fraud.

Interestingly, many of these AI-generated lure sites do not link to a phishing website, which appears deliberate. These are likely not designed for victims but instead suggest an attempt to flood the Web with similar content, making it harder to find the malicious needles in an AI-generated haystack. Without gen-AI, this new deception technique would be impossible for criminals, even criminal groups, to deploy at scale. For those combatting these threats, utilizing AI, ML, and automated techniques to detect and monitor threats is paramount in identifying and disrupting these nefarious techniques at any scale. 

Anatomy of the attack 

The attack starts with the victim visiting an AI-generated lure site. Lure sites hook unsuspecting victims into a scam and encourage them to complete an action, such as visiting another site, …

Continue reading Sophisticated AI-generated Gitbook lures phishing the crypto industry

Two clicks from empty – IPFS-powered crypto drainer scams leveraging look-alike CDNs

More than $40k lost to crypto drainer scams leveraging IPFS and malicious code hidden behind look-alike CDN imitations.

At Netcraft, we’ve been disrupting cryptocurrency-based scams for over 10 years, including more than 15,000 IPFS phishing takedowns since 2016. As we closely monitor evolving threats and criminal innovation, modern technologies like Web3 APIs have made crypto scams easier and more accessible than ever before.

Cryptocurrencies remain a particular target for criminals due to their decentralized nature; no central arbiter of transactions means that victims have no way to reverse mistakes, nor any avenue to redress any losses incurred.

In this blog post, we’ll cover crypto drainers, a type of payment diversion fraud that takes advantage of Web3 APIs to trick victims into giving away their cryptocurrency coins and tokens. Just two clicks on a copycat website to ‘claim a free token’ could irreversibly transfer all their crypto assets to criminals.

Crypto drainers and Web3 wallet APIs

Web3 wallet APIs are designed to allow websites to interact with users’ cryptocurrency wallets, and function as a bridge between applications and the blockchain. They can only run in a Web3-enabled browser (such as Brave), or with a browser extension like MetaMask. The wallet APIs allow sites to request the user sign a specific message, or to send some cryptocurrency to a specific address.

In a standard crypto draining scam, a cybercriminal will claim to be offering free cryptocurrency tokens to the user, most commonly in the form of minting new coins. This is used to trick the victim into connecting their wallet to a malicious website, which can then obtain the victim’s cryptocurrency address.

Figure 1 – Cryptocurrency drainer at nonextpepe[.]com.

Once connected, the criminal can request signatures or transactions for this wallet. It’s important to note that connecting a wallet …

Continue reading Two clicks from empty – IPFS-powered crypto drainer scams leveraging look-alike CDNs

June 2024 Web Server Survey

In the June 2024 survey we received responses from 1,101,431,853 sites across 269,118,919 domains and 12,865,432 web-facing computers. This reflects an increase of 4.0 million sites, an increase of 981,220 domains, and a decrease of 33,027 web-facing computers.

OpenResty experienced the largest gain of 4.6 million sites (+4.01%) this month, and now accounts for 10.8% (+0.38pp) of sites seen by Netcraft. Cloudflare made the next largest gain of 3.2 million sites (+2.66%).

Apache experienced the largest loss of 4.8 million sites (-2.23%) this month, reducing its market share to 19.3% (-0.51pp). LiteSpeed suffered the next largest loss, down by 1.1 million sites (-2.24%).

Vendor news

  • njs 0.8.5 was released on June 25th, primarily containing bug fixes. Earlier this month its source code was moved to GitHub.
  • freenginx 1.27.1 was released on June 4th. New features include support for limiting the number of headers in an HTTP request, and support for additional authentication mechanisms in its mail proxying module.
  • LiteSpeed 6.3 was released on June 26th, containing new features, improvements, and bug fixes. The new features are mainly security-related.
  • Apache Tomcat versions 9.0.90, 10.1.25, and 11.0.0-M21 were released.
  • Amazon announced its plan to launch a new AWS region in Taipei, Taiwan by early 2025.
Total number of websites

Web server market share

Developer    May 2024 (sites)   Percent   June 2024 (sites)   Percent   Change (pp)
nginx        236,239,936        21.53%    235,170,823         21.35%    -0.18
Apache       217,239,604        19.80%    212,402,611         19.28%    -0.51
Cloudflare   118,561,124        10.80%    121,715,882         11.05%    +0.25
OpenResty    114,268,616        10.41%    118,852,803         10.79%    +0.38

Web server market share for active sites

Developer    May 2024 (sites)   Percent   June 2024 (sites)   Percent   Change (pp)
Apache       37,106,437         19.17%    36,784,011          19.13%    -0.04
nginx        34,944,050         18.06%    34,778,931          18.09%    +0.03
Cloudflare   28,767,697         14.86%    28,457,465          14.80%    -0.07
Google       19,116,508          9.88%    19,253,340          10.01%    +0.14

For more information see Active Sites.

Web server market share for top million busiest sites

Developer    May 2024 (sites)   Percent   June 2024 (sites)   Percent   Change (pp)
Cloudflare   228,120            22.81%    230,996             23.10%    +0.29
nginx        204,238            20.42%    205,005             20.50%    +0.08
Apache       197,994            19.80%

Continue reading June 2024 Web Server Survey

Too good to be true: Beware the temptation of recovery scams 

Being a victim of fraud can be devastating enough, but that’s not always the end of the story. Often, fraud victims can be targeted again — only this time by people claiming that they can recover the victim’s initial losses. 

Recovery scams are a type of advance-fee fraud in which fraudsters promise to help scam victims get their money back in return for an upfront fee. The victim loses even more money by paying the fraudster for a so-called ‘fraud recovery service’ that never materializes. In some variants of this scam, fraudsters claim to be able to recover cryptocurrency, often targeting people who have fallen victim to investment scams. Unfortunately, however, these ‘crypto recovery services’ are not genuine. 

In December of 2023, the FTC issued a warning about the growing trend in recovery scams and how they exploit the most vulnerable populations, those who’ve already fallen victim to scams. So, how are they targeted?  

Finding new ‘customers’ — building credibility

Every successful scam starts by luring potential victims and then building credibility. For recovery scams, criminals advertise in several ways, including social media, copied websites from other scammers, and review sites intended to establish trust for consumers. 

Many recovery scammers contact known victims of fraud, either through social media (for example, if the victim has posted publicly about being scammed) or by obtaining their details from a so-called sucker list — a list of people who have previously fallen for a scam that contains details such as their name, email address, or phone number, which is sold to fraudsters on the dark web. In some cases, the recovery scammer may even be the same person from the first scam. 

Looks can be deceiving — @cybstrive deep dive 

Recovery scams can often be found in the comment sections of platforms …

Continue reading Too good to be true: Beware the temptation of recovery scams 

Trumped Up Crypto Scams – Criminals Deploy Trump Donation Scams

Criminals are opportunists, ready to exploit any perceived weakness, from humanitarian efforts to presidential campaigns. Recently, Netcraft has been monitoring a series of attacks surrounding the Trump campaign, particularly following two developments: the May 21st announcement of crypto donations and the May 31st trial verdict that led to a huge surge in real donations, overwhelming the Trump campaign’s actual infrastructure.

Following these events, Netcraft has identified donation scams impersonating the Trump campaign, featuring dozens of malicious domains distributed in phishing and smishing campaigns. With millions of emails and texts sent by the real campaign, scammers are exploiting recent interest to trick would-be donors into visiting a lookalike domain.

Netcraft also used our proprietary peer-to-peer messaging reconnaissance to engage in a direct conversation with a “Trump National Committee” scammer, who revealed various points of actionable threat intelligence, including mule bank accounts, payment app details, email addresses, and more. In addition to collecting critical data that can be utilized to disrupt attacks and dismantle infrastructure, this dialogue with the scammers confirms a popular concern that criminals are leveling up and using AI to create better, faster, and more believable scams. 

Let’s examine how quickly criminals deploy these campaigns, adapt to new information, and are getting better while they do. 

Legitimate Crypto Support

As announced in late May, the Trump campaign accepts cryptocurrency donations via Coinbase Payments. This technology is provided through Coinbase and is available to any “federally accredited donor” to make payments via Ethereum-based cryptocurrencies or through balances held at Coinbase including Bitcoin and a large variety of more esoteric coins. 

When the trial verdict was announced on May 31st, the Trump campaign immediately directed all incoming traffic to its site to the donation pages in order to capitalize on support from donors across the country. The campaign collected more

Continue reading Trumped Up Crypto Scams – Criminals Deploy Trump Donation Scams

Flipping the script on pig butchering – $45 million is just the tip of the iceberg

Losses to investment scams, romance fraud, and pig butchering reached $4.6 billion in the United States, a 38% increase in 2023. These scams often play out in private peer-to-peer conversations between victim and criminal, well beyond the reach of typical threat intelligence.

Netcraft has explored these scams by leveraging a first-of-its-kind AI-powered solution that communicates with criminals at scale. Responding to lure email and SMS messages, our AI-based personas continue the dialogue to uncover hidden financial and technical infrastructure. Following the money by disrupting money mule networks identified in confirmed scams in real time could disable entire threat actor networks in one fell swoop.

The reach of these scams runs deep, with criminal bank accounts, mule accounts, crypto wallets, and a connected web of malicious infrastructure used to further these scams. We have extracted thousands of criminal money mule bank accounts across 73 countries and more than 600 financial institutions. In one case, we received 17 mule accounts from a single conversation. The top four crypto wallet addresses Netcraft identified have received more than $45 million (1,000 BTC).

Equally, criminals, like the rest of us, are human too. And a long-lived but ultimately fruitless conversation with a Netcraft-controlled persona can cause frustration – as you’ll see later. 

Crime pays. The hours are good, you travel a lot. 

One in six of our conversations with criminals has resulted in details of at least one bank account being sent. Other conversations end with requests to buy gift cards, cryptocurrency payments, online payment providers (like PayPal), or money remittance services (like Western Union). Others fade out over time as the conversation naturally goes cold.

When we see the whole scam play out, on average, criminals send more than 32 messages despite receiving only 15 replies. Standing out in the data is …

Continue reading Flipping the script on pig butchering – $45 million is just the tip of the iceberg