Category: Adversary Intelligence	Industry: Cryptocurrency	Type of Threat: Phishing/Fake Domain	Source*: CoinEgg

 

Executive Summary

• CloudSEK’s Threat Analyst team has discovered an ongoing malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam.
• During the course of the investigation, CloudSEK researchers identified multiple fake domains using the keyword “CoinEgg” and targeting the users of the legitimate cryptocurrency trading platform (https://www.coinegg.com).
• The investigation also found that once a fake domain is taken down, the threat group communicates the same with unsuspecting victims via email and provides alternate domains to access the crypto exchange.
• CoinEgg is a large cryptocurrency exchange based in the UK, offering trading services for digital cryptocurrency assets.

[caption id="attachment_19548" align="alignnone" width="948"] Fake CoinEgg domains that show up on Google Search[/caption]

Analysis and Attribution

How the CoinEgg Scam Works

• CloudSEK researchers’ investigation discovered that the CoinEgg cryptocurrency scam was conducted by threat actors in multiple phases. They’re masquerading as the legitimate CoinEgg crypto trading platform by replicating the dashboard and user interface of the official website, on fake domains of CoinEgg VIP.
• In the first phase of the scam, CoinEgg users are deceived into depositing an amount to the fake wallet, to invest it in a listed cryptocurrency. After which, threat actors freeze the amount in the CoinEgg VIP wallet and prohibit users from retrieving it.
• Multiple fake phishing applications are also being propagated on the web, claiming to be CoinEgg. Generally, these applications, on installation, require unwanted permissions and are reported as malicious on various platforms.
• Threat actors have created several fake CoinEgg domains so far so that taking down any of these domains does not affect their malicious campaign.
• When the threat actors switch domains, they use email and Telegram to communicate the same to users, so that the large-scale scam goes undetected.

Information from the Post

In the process of scamming unsuspecting users, the operators behind CoinEgg VIP implements the following conditions:

• Customers have to pay 22% of their earnings/ deposits as “tax”, before they can reclaim their funds.
• Imposition of “deposit”, if account earnings cross USD 250,000.
• Permanent freeze of assets, if the conditions mentioned above are not fulfilled.

Aggrieved by these conditions, customers of CoinEgg VIP have raised concerns about the operations of the shady cryptocurrency trading website, on multiple platforms. Furthermore, suspicious investigation agencies are also piggybacking on these accusations, promising to help victims of the scam, to reclaim their frozen assets. In the pretense of an investigation, victims are asked to provide asset information and ID card photos, through email communication.

[caption id="attachment_19549" align="alignnone" width="1596"] Mail from suspicious investigation agency dubbed “Global Anti-Fraud Center”[/caption][caption id="attachment_19550" align="alignnone" width="1728"] The homepage of the website https://www[.]ceggcc[.]vip[/caption]

Information from OSINT

From a generic Google search of the keyword “CoinEgg” with the top-level domain (TLD) ‘vip’, CloudSEK researchers discovered various websites that were most likely being used by the scammers.

List of Suspicious Domains from OSINT

CloudSEK researchers discovered the following list of fake CoinEgg domains and their details:

Domain Name	Registry Date	Registrar
https[:]//coinegg[.]fun	24/09/2019	GoDaddy
https[:]//coinegg[.]club	26/09/2021	HiChina
https[:]//m[.]ceggca[.]vip	03/03/2022	GoDaddy France
https[:]//m[.]ceggccxs[.]vip	03/03/2022	GoDaddy Australia
https[:]//www[.]ceggi[.]vip	22/01/2022	NameCheap
https[:]//coinegg[.]vip	14/03/2019	GoDaddy US

[caption id="attachment_19551" align="alignnone" width="948"] Google results displaying “CoinEgg VIP” as a scam[/caption]

CloudSEK researchers observed the following details on the coinegg.vip domain’s page source:

• The website mentions “CoinEgg” on the index page.
• It uses a fake logo of CoinEgg to scam the users.
• They also have a customer service chatbot that redirects users to the domain v[.]chatabc[.]xyz

[caption id="attachment_19552" align="alignnone" width="830"] Chatbot for customer service[/caption]

• However, this domain was later taken down and a new CoinEgg VIP domain was used to conduct the scam: https[:]//m[.]ceggccxs[.]vip/

[caption id="attachment_19553" align="alignnone" width="1365"] Image of alternate domain details provided[/caption]

• In the image provided above, threat actors are announcing a system maintenance, and have provided the users with two alternate domains to access CoinEgg VIP:

Domain	IP Address	Registrar
https[:]//m[.]ceggca[.]vip	108.156.107.108	GoDaddy France
https[:]//m[.]ceggccxs[.]vip	108.156.91.107	GoDaddy Australia

• Both these domains have been registered on GoDaddy on 3 March 2022, and are part of the threat actor’s tactics to register multiple backup domains in the event of a takedown.
• The threat group has created these new domains with a similar user interface as the previous ones.

[caption id="attachment_19554" align="aligncenter" width="1332"] Interface of the new domain[/caption][caption id="attachment_19555" align="aligncenter" width="1075"] Registration on the new domain[/caption]

Information from Security Vendors Including BeVigil

• CloudSEK’s Threat Research team discovered an APK (Android Package) for CoinEgg with the option to download.

[caption id="attachment_19556" align="aligncenter" width="1367"] CoinEgg APK[/caption]

• Once the download is completed, the following message pops up.

[caption id="attachment_19557" align="alignnone" width="1368"] URL to share among friends[/caption]

• Security vendors have tagged the URL as malicious and it is flagged as a phishing site by VirusTotal.

[caption id="attachment_19558" align="alignnone" width="972"] Fake URL flagged as malicious[/caption]

• Multiple trojans like Antiy-AVL, ESET-NOD32, Fortinet, Ikarus, Jiangmin, etc. were also detected in the malicious application. (Please refer to the Appendix)
• CloudSEK’s BeVigil security search engine detected that the application required various permissions listed as dangerous including write settings, system alert window, request install packages, location access and process outgoing calls.

[caption id="attachment_19559" align="aligncenter" width="1408"] The application’s dangerous permission requirements[/caption]

• Another application was also discovered through the domain coinegg[.]club, which had similar malicious permissions enabled.

[caption id="attachment_19560" align="aligncenter" width="1402"] CoinEgg.club requiring dangerous permissions[/caption]

Reach and Financial Impact of the CoinEgg Scam

• CloudSEK researchers found that the CoinEgg VIP group utilizes an active and verified Telegram channel to communicate with its investors and that they have close to 2K subscribers.
• A user has also claimed to have lost INR 50 lakhs to this cryptocurrency scam, including additional costs such as the deposit amount, tax, etc.
• The loss of users to the CoinEgg VIP scam is estimated at INR 10 billion. (Clarification: Through our fake domain monitor and fake app monitor, we observed various similar instances around the world where fake domains and fake apps were used to mimic several legitimate crypto exchanges including CoinEgg. The estimated losses mentioned (INR 10 Billion) is an estimate of the worldwide figure.) 

Impact & Mitigation of CoinEgg Scam

Impact

Mitigation

Multiple fake phishing applications are being propagated on the web, which could result in temporary, and possibly permanent, loss of data. Victims are asked to provide asset information and ID card photos, which contains PII. Such data can be used, in tandem with social engineering or identity theft. The data shared could also be used to gain initial access to the user’s crypto wallet. Financial loss associated with freezing crypto wallets. Fake CoinEgg applications, on installation, require unwanted permissions and are reported to be malicious. It would equip malicious actors with details required to launch sophisticated ransomware attacks.

Identifying phishing websites and subsequently suspending them is the quickest way to mitigate the threat of such scams. Make use of cybersecurity solutions like CloudSEK’s XVigil to continuously scan for more fake websites that pop up on the internet. Report the phishing campaign to the Cyber Crime Cell and provide them with the necessary details to curb the continuous attempts of threat actors. Run aggressive awareness campaigns to educate users/ customers about ongoing scams. This will lead to fewer people falling for these scams.

 

References

• *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
• ^#https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Appendix

[caption id="attachment_19561" align="aligncenter" width="971"] Domain details of ceggca.vip[/caption][caption id="attachment_19562" align="aligncenter" width="1105"] Domain details of ceggccxs.vip[/caption][caption id="attachment_19563" align="aligncenter" width="792"] Domain details of coinegg.fun[/caption][caption id="attachment_19564" align="alignnone" width="862"] Domain details of coinegg.club[/caption][caption id="attachment_19565" align="aligncenter" width="1229"] Users calling ceggi.vip a scam platform[/caption][caption id="attachment_19566" align="aligncenter" width="1132"] Reddit forum posts about avoiding CoinEgg VIP[/caption][caption id="attachment_19567" align="aligncenter" width="1061"] Trojans detected in the fake application[/caption][caption id="attachment_19568" align="aligncenter" width="1165"] Screenshot of fake CoinEgg m(.)ceggccxs(.)vip page[/caption]