Fake Crypto Exchanges

Remember: Turning off direct messages from people you are not friends with is one of the most effective ways of avoiding Discord Direct Message scams.

Things have been heating up on the Discord direct message scam front, and with the addition of the #report_scammers channel on the Guild of Guardians Discord it's much easier to report these scams and the Discord moderators are doing a great job banning Discord accounts.

The scam flavour of the month is a bit more generic than the previous Guild of Guardians themed token sale sites.  In this scam the fake webpage is probably re-purposed for many crypto scams.

It starts with a direct message like the one here:



The premise is that there is a giveaway of BTC to attract new users and you have to go to the site and register, then provide the registration code. You can tell this is a generic scam re-purposed to target the Guild of Guardians family, as BTC would be a very odd prize for GoG users... wouldn't you give out ETH, GoG, or NFT's?

DO NOT go to the site, but if you did you'd find something that looks like it could be a cryptocurrency exchange:


There are several different url's that all point to the same template with a different name in the top left corner, for example:


It seems someone has registered a bunch of domains, potentially close in name to some existing exchanges, but all with hyphens in them.  Perhaps just avoid crypto exchanges with hyphens in their domains?  I looked at the following so far:
  • coin-bin[.]com
  • bin-core[.]com
  • crypto-floor[.]com
  • market-token[.]com
  • link-token[.]com
The scammer's strategy is to put up as many websites as they can before the registrars start taking them down.  However, with an almost endless number of combinations and registrars out there who will allow you to host scams until they are reported, it's not an easy task to get ahead of the scammers.

One of the sites, coin-bin[.]com is registered at www.reg[.]ru, and I've emailed their abuse email abuse@reg[.]ru to see if they'll revoke the domain from the owner.

Domaintools reports the following info for the registrant:


There might actually be a thread to pull here if the other sites are register to the same email address, but that could also be a burner address.

Thank you to everyone who is reporting scams either to the report@gogscammtracker.com or the #report_scammers channel in the official Guild of Guardians discord.

Also, if you're interested in writing about a scam experience you've had, reach out.  I'm also looking for some sleuths to help investigate some of these scams to help understand how they work.  It's a great opportunity to learn some cyber/crypto security skills while helping the Guild of Guardians and crypto gaming community.




Comments

  1. AspinDarkfireFebruary 1, 2022 at 8:39 AM

    Looks like the domains are mostly registered to Avgusta Efremeova using the email address avgustaefremova1993@bk[.]ru. Organization is LLC GOOD? Who knows that that is. Sites are hosted at Digital Ocean.

    ReplyDelete
  2. AspinDarkfireFebruary 1, 2022 at 8:42 AM

    Looks like our friend Avgusta has also registered more-bits[.]com.

    ReplyDelete

Post a Comment

Popular posts from this blog

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more