Coinbase, Gemini to MetaMask- Crypto Scammers Use Fake Websites to Dupe Customers

Scammers in recent weeks have employed up fake cryptocurrency web pages to attempt to steal money from users, the latest tactic to emerge in what's already been a costly year for crypto-related hacks.

The sham websites – which masquerade as pages for popular services such as Coinbase, Gemini, Kraken and MetaMask – aim to dupe visitors into providing information that helps hackers break into their cryptocurrency wallets, according to researchers from the security firm Netskope Inc. Fraudsters deployed search-engine optimization tactics to promote the websites, which used URL addresses that closely resembled the legitimate sites and propelled the fake pages to the first page of Google's search results, the researchers said.

Google searches for phrases such as “kraken wallet” or “coinbase not working,” in the event the Coinbase site appears to be down, return results with the phishing links on the first page, according to a Bloomberg analysis. A fraudulent version of the Kraken wallet appeared in a Google search in a more prominent position than Kraken's Twitter feed and Play store app.

In another case, a Google search for the “metamask ios” app yielded results that included one website that five popular antivirus services flagged as malicious, according to the Bloomberg analysis.

“A lot of people are making fake versions of real websites and directing users to those pages so they can take their money,” Erin Plante, senior director of investigations at the blockchain-analysis firm Chainalysis Inc., adding that such techniques have been used in other types of cyberattacks. “A lot of this is age-old hacking. ”

The findings come amid a flurry of security incidents in cryptocurrency. Financial losses from cryptocurrency-related hacks totaled $1.9 billion in the first seven months of this year, according to Chainalysis. Hackers stole $1.2 billion over the same period in 2021, the company said.

Users that clicked on the fake websites were met with messages asking them to participate in a live Q&A with a scammer who pretended to be a customer service representative from a legitimate company, Gustavo Palazolo, a security researcher at Netskope, said in an interview. During one interaction, the bogus customer service representative asked Palazolo for his phone number in an apparent attempt to locate his cryptocurrency wallet, the researcher said.

“We detect a lot of phishing pages but when I saw the live chat function, that was something that's more serious than the usual threat,” he said. “They got back to me within a minute after I sent a message.”

The attackers duped Google's search algorithm into including the scam pages on the first page of the search results by frequently posting malicious URLs in comment sections on little-read blogs throughout the web, Palazolo said. Repeatedly posting links increases the chances that Google will incorporate the URL into its results, he said, adding that the scammers also used Google Sites, a web creation tool, to create their malicious pages, giving the sites an air of credibility.

The number of victims duped as part of the fraud effort wasn't immediately clear.

Coinbase urged customers to remain on alert for such scams, publishing a security bulletin in July that offered tips on how to detect such fraud efforts. In a statement, a Kraken spokesperson said the company proactively identifies counterfeit websites and apps and works to take them down. The site also has a support page meant to help crypto users avoid fraud.

Neither Gemini nor MetaMask responded to requests for comment.

Numerous bogus websites flagged by Netskope disappeared from search results after Bloomberg flagged the malicious sites to Google.

“For most queries related to the mentioned topics, search results rank authoritative and reliable sources as the top results,” a Google spokesperson said in an email. “On Google Sites, we explicitly prohibit phishing and we invest heavily in detecting, deterring, and removing abuse from our platforms.”

In a separate ruse earlier this year, fraudsters impersonated journalists, crypto apps and a variety of nonfungible token projects on Twitter to steal users' username and password credentials.