Phishing Scam – Luno Cryptocurrency Exchange

Background

The cryptocurrency market has been around for many years but gained a significant amount of interest during the pandemic. Naturally, the criminals followed, as they are always on the lookout for a way to make a quick buck at the expense of others. We identified one such attack targeting customers of the cryptocurrency exchange website luno.com.

The Phish

Vendor impersonation is a tactic commonly used in phishing attacks. In the email, the email appears to be sent from support@luno.com, but was sent from the address luno6022127@un.org.mx.

The Payload

Malicious link: The payload is embedded as a link in the email body. Once they engage, the user is redirected to another URL.

Social Engineering

The sophistication of this attack is apparent in the sentiment employed throughout the email body. The attacker was very clever, as they seemed to know exactly who this attack might work on.

How We Identified the Attack

Themis, IRONSCALES’ artificial intelligence (AI), recognized and prevented this attack via a nexus of detection techniques. A combination of sender anomaly, sentiment analysis, and computer vision analyses culminated with a verdict that it was an attempted malicious phishing attack. Without Themis’ AI capabilities, this dangerous email would likely have reached the mailboxes of the targeted victims.

Identifying and Remediating Advanced Phishing Threats

This attack bypassed the Secure Email Gateway (SEG) because it was sent from a series of previously compromised email addresses and servers. Existing Authentication Technologies such as SPF and DMARC are not developed or equipped to prevent email attacks from legitimate emails. Cybercriminals often take advantage of this with Account Takeover (ATO) attacks.

This is an example of a clever and targeted phishing attack design to bypass a SEG as well as SPF and DMARC authentication technologies. These legacy technologies are good at detecting large scale phishing campaigns coming from suspicious or blacklisted domains and servers. However, they remain weak in their ability to identify more advanced email threats like the one described here.

We invite you to learn more about how IRONSCALES can fight against this and many other types of phishing attacks by requesting a demo today.