In a recent discovery, the Slow Mist Security Team, in collaboration with Rabby Wallet, has uncovered a sophisticated phishing attack utilizing Google Ads. The attack, which has been meticulously crafted, aims to deceive unsuspecting users into providing their personal information and financial details.
SlowMist Security Team Exposes the Phishing Technique
The Slow Mist Security Team, in partnership with Rabby Wallet, has meticulously analyzed the attack. According to Rabby Wallet, the team did not purchase any Google Ads, yet the fraudulent advertisement redirected users to the legitimate Rabby Wallet website. This raises the question: did the phishing group spend money to promote the real wallet?
Google Search Results Reveal the Phishing Ads
Upon examining Google search results, the top two results were found to be phishing ads. However, the first ad's displayed link appeared to be the official Rabby Wallet website address (https://rabby.io). The question arises: why would the phishing group do this?
Phishing Ad Redirect Mechanism
Through tracking, it was discovered that the phishing ad sometimes redirected to the legitimate official address (https://rabby.io), while in other cases, after changing proxies to different regions, it redirected to a phishing address (http://rebby.io), which would also change over time. At the time of writing this article, the link redirected to a phishing address (https://robby.page[.]link/Zi7X/?url=https://rabby.io?gad_source=1).
Technical Analysis: 302 Redirect
The article explains the HTTP 302 status code, which represents a temporary redirect (Found). When a server receives a client's request and needs to temporarily send the client to another location, it returns a 302 status code together with a Location field in the response header that tells the client where to go next. Because the redirect is temporary, the client is expected to keep using the original URL for future requests, which is what allows the same short link to send different visitors to different destinations.
Phishing Link Address Analysis
The article analyzes the phishing link addresses and lists the following: https://robby.page.link/Zi7X, https://rabby.iopost.ivsquarestudio.com, https://dnovomedia.com?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6, https://rabbyo.com, and https://rebby.io.
Malware Analysis
The article examines the malware and finds that the attackers are using the Russian language. The phishing deployment backend uses Fastpanel, a virtual host management panel developed by a Russia-based hosting company.
The Technique Behind the Phishing
The article reveals that the phishing group used the 302 redirect of Google's Firebase short link service to defeat Google's ad display checks: the ad could show the official rabby.io address while the click was redirected elsewhere. The process involves creating a Google Ads account, setting up an ad campaign, and using Firebase's short link service as the click URL so that the redirect, which the attackers can change at any time and vary by region, lands users on a phishing website.
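The defender-side check that the 302 section and the redirect-mechanism section imply is to resolve an ad's click URL hop by hop without auto-following, then compare the final host with the host the ad displays and with the official domain. The following is an added example, not SlowMist's or Rabby Wallet's code; the two response tables are constructed stand-ins for an HTTP client that model the two outcomes the article describes (one region lands on the real site, another on a lookalike), and the `/go` hop, the `assess_ad` function and the edit-distance threshold are assumptions for illustration.

```python
from urllib.parse import urljoin, urlparse

# Constructed, offline stand-ins for an HTTP client. Each maps a URL to
# (status, Location header) and models the chain seen from one "region".
CHAIN_TO_OFFICIAL = {
    "https://robby.page.link/Zi7X": (302, "https://rabby.io/?gad_source=1"),
    "https://rabby.io/?gad_source=1": (200, None),
}
CHAIN_TO_LOOKALIKE = {
    "https://robby.page.link/Zi7X": (302, "https://rabby.iopost.ivsquarestudio.com/"),
    "https://rabby.iopost.ivsquarestudio.com/": (302, "/go"),  # hypothetical relative hop
    "https://rabby.iopost.ivsquarestudio.com/go": (302, "https://rebby.io/"),
    "https://rebby.io/": (200, None),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def make_fetch(responses):
    """Return a fake 'HEAD, do not auto-follow' client backed by a dict."""
    def fetch(url):
        return responses.get(url, (404, None))
    return fetch


def resolve_chain(url, fetch, max_hops=10):
    """Follow Location headers one hop at a time and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # resolves relative Location values
        chain.append(url)
    raise RuntimeError("redirect limit exceeded: " + " -> ".join(chain))


def hostname(url):
    """Lower-cased host with a leading 'www.' stripped, for comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def levenshtein(a, b):
    """Edit distance; a small value against the official host flags a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_ad(display_url, click_url, fetch, official_host="rabby.io", max_distance=2):
    """Resolve the click URL and compare where it lands with what the ad shows."""
    chain = resolve_chain(click_url, fetch)
    final_host = hostname(chain[-1])
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "final_host": final_host,
        "display_matches_final": hostname(display_url) == final_host,
        "is_official": final_host == official_host,
        "lookalike": final_host != official_host
        and levenshtein(final_host, official_host) <= max_distance,
    }


if __name__ == "__main__":
    for name, responses in (("official", CHAIN_TO_OFFICIAL), ("lookalike", CHAIN_TO_LOOKALIKE)):
        verdict = assess_ad("https://rabby.io", "https://robby.page.link/Zi7X", make_fetch(responses))
        print(name, verdict)
```

Because the same short link yields a different chain depending on who resolves it, a single check from one vantage point is not conclusive; the article's observation that the destination varied by proxy region means the resolution should be repeated from several regions and over time before an ad is trusted.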
Summary
The Slow Mist Security Team advises users to be cautious when clicking on links and to verify the official website address of Rabby Wallet (https://rabby.io). They also recommend reading Slow Mist’s Blockchain Dark Forest Self-Guard Handbook for more information on blockchain security.
In conclusion, the Slow Mist Security Team’s discovery of this phishing attack highlights the importance of staying vigilant online and being aware of the various methods used by cybercriminals to deceive users.