
FTX detected as a false positive


NeilPatel

Hi, for some odd reason when someone goes to FTX.US or FTX.com it is detecting the site as a spam/fake site when it isn't.

As you can see from the .mov file, it shows it as FTX.cool when the user is not on FTX.cool.

FTX is a financial exchange. It's a popular brand and the company even has a sporting arena that the NBA team, Miami Heat, plays in, FTX Arena https://en.wikipedia.org/wiki/FTX_Arena (Normally I wouldn't say this, but I am more so trying to show how it is a legitimate site/company)

Thanks for your time.


  • Root Admin

As you can see the block is not from that Domain. That IP address is not registered as any known Domain.


This is the FTX.US site with different IP addresses.


Maybe there is a bad Ad or other content on the site or in your cache somewhere?


Edited by AdvancedSetup
Updated information

Just now, AOCDELL said:

Am I missing something here?

Look at the certificate.

Included in the SAN list is ftx.cool which is DEFINITELY a phishing site.

ftx.cool is a mirror image of the genuine site at ftx.com


Yes, the IP 47.57.185.149 returns as Alibaba static address in https://whatismyipaddress.com/ip/47.57.185.149

How about all the ftx.[insert suffix here] addresses?


2 minutes ago, AOCDELL said:

Yes, the IP 47.57.185.149 returns as Alibaba static address in https://whatismyipaddress.com/ip/47.57.185.149

How about all the ftx.[insert suffix here] addresses?


This is the message that is displayed when a user reaches the 'login' popup from any of the fake copies of the real ftx.com site. It is a warning to check that the site being visited is https://ftx.com, and not one of the many fake phishing copycat sites.

The mystery to me is how all of these fake versions of the trading platform site can be hailing from Alibaba's static IP address, if it really is an Alibaba address.



You can find the IP address of any website by going to a command prompt and typing:

ping whateverwebsite.com

An example, ftx.soy is returning the same IP address which is reported at https://whatismyipaddress.com/ip/47.57.185.149 as coming from AliBaba.


In my opinion it seems clear that Malwarebytes should be blocking access to the IP.

If I am missing something obvious then please explain.


  • Staff
12 hours ago, AOCDELL said:

Am I missing something here?

Look at the certificate.

Included in the SAN list is ftx.cool which is DEFINITELY a phishing site.

ftx.cool is a mirror image of the genuine site at ftx.com


Hi,

I was unable to reproduce what you displayed here regarding the certificate used. Did they change the certificate? I see this:


Here are screenshots of the user login pages for each of ftx.digital ftx.cool ftx.blue ftx.page ftx.soy test.ftx.digital & the page for 47.57.185.149 

Group A: This group consists of ftx.blue, ftx.digital, & ftx.cool

Group B: This group consists of ftx.page, ftx.soy, & test.ftx.digital

Group A sites each inform the user to check whether they are visiting either ftx.com OR ftx.[insert suffix displayed in the address bar]

(images below)


Group B sites each inform the user to check whether they are visiting ftx.com ONLY. For group B sites, the domain name in the address bar does not match with that which is suggested to confirm against (ftx.com).

(images below)


Finally, for 47.57.185.149


So, from this observation alone it would appear that the Group A domains are 'real' FTX sites, and the Group B domains are not.

-----

NB: I received a message from ftx.com today declaring that ftx.cool is indeed a genuine FTX site, and is not a phishing site.

-----

OK. So what else?

How about the IP addresses for all of these sites?

I pinged them. The results can be found below.

Group A


ftx.digital & ftx.cool share the IP 47.57.185.149 while ftx.blue returns a value of 8.210.131.114


Group B


All Group B sites share the IP 47.57.185.149 (and it can be seen that when pinging test.ftx.digital - the command line drops the 'test' part of the command, leaving behind only ftx.digital)


For good measure I also pinged alibaba.com, ftx.com, & ftx.us by the same method.


Each IP address in this final set of three sites can be seen to be unique to its own domain name.


Domains returning the IP address of 47.57.185.149 (which, to remind, when entered into Chrome as the digits, shows the following warning message) include the following domains:


ftx.digital, ftx.cool, ftx.page, ftx.soy, & test.ftx.digital, [these are all on this 47.57.185.149]

-----

Strange however is that both ftx.cool & ftx.digital are from Group A, (the group whose login screens give a choice of two 'genuine urls' to cross reference against the address bar.)

Based on this data alone, it is not possible to make a statement as to whether a 47.57.185.149 domain will offer one, or two, 'genuine urls' to cross reference against the address bar.

Similarly, it is not possible to state whether a domain which gives two 'genuine urls' at its login page to cross reference against the address bar will have the IP 47.57.185.149


One thing that IS known however is that all of ftx.digital ftx.cool ftx.blue ftx.page ftx.soy test.ftx.digital & 47.57.185.149 ARE seen within the same certificate today, Jan 7th 2022.


What does it all actually mean? Does it mean nothing at all? Which (if any) of ftx.digital ftx.cool ftx.blue ftx.page ftx.soy test.ftx.digital & 47.57.185.149 are phishing sites?

NB: I received a message from ftx.com today via https://ftx.com/support/ declaring that ftx.cool is indeed a genuine FTX site, and is not a phishing site.


For future investigation perhaps:

1. What are the implications (if any) of a certificate not complying with Chrome's transparency policy? What does this mean exactly?

2. Is offering the same service to users by multiple domain names a common practice in this industry? If yes, then no red flags here.

3. Which (if any) of the sites are fake/phishing? Difficult to test, since smaller accounts would likely not draw attention, and testing with larger accounts would be an expensive experiment! Possibly the sites at domains which do not match the name which the login screen reminds the user to cross reference against. So that would be ftx.soy, ftx.page, & test.digital.com. But that does not explain why ftx.digital & ftx.cool share the same IP as soy, page, & test.digital.

What a puzzle!

-----------------------------------------------------------------------------------------------------------

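The two checks walked through by hand in the posts above (reading the certificate's SAN list, then pinging each name to see which share an IP address) can be scripted. The following is an added example, not code from any participant in this thread; it uses only the Python standard library, and the resolver is injectable so the grouping logic can be exercised against a constructed lookup table without network access.

```python
# Added example (not from the forum thread): the two checks AOCDELL did by
# hand, reading a certificate's SAN list and grouping host names by the IP
# they resolve to. Standard library only; host names below are constructed.
import socket
import ssl
from collections import defaultdict


def extract_dns_sans(peercert):
    """DNS names from an ssl.SSLSocket.getpeercert() dict, whose
    'subjectAltName' is a tuple of (type, value) pairs such as
    ('DNS', 'example.com') or ('IP Address', '203.0.113.5')."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(hostname, san_names):
    """True if the SAN list covers hostname. A wildcard matches exactly one
    leftmost label, the way browsers apply it."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def group_by_ip(hostnames, resolve=None):
    """Map each IPv4 address to the host names resolving to it. `resolve`
    defaults to the system resolver; an offline table can be injected.
    Names that fail to resolve are grouped under None."""
    if resolve is None:
        resolve = lambda h: socket.gethostbyname_ex(h)[2]
    groups = defaultdict(list)
    for host in hostnames:
        try:
            ips = resolve(host)
        except (socket.gaierror, KeyError):
            ips = [None]
        for ip in ips:
            groups[ip].append(host)
    return dict(groups)


def fetch_peercert(hostname, port=443, timeout=5.0):
    """Live lookup: TLS-connect with default verification, return the cert
    dict in the shape extract_dns_sans() expects."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

A domain that appears in a brand's SAN list but whose login page tells users to verify against a different name is exactly the mismatch discussed above; running `group_by_ip(extract_dns_sans(fetch_peercert(host)))` shows which SAN entries share hosting.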

23 hours ago, AOCDELL said:

Am I missing something here?

Look at the certificate.

Included in the SAN list is ftx.cool which is DEFINITELY a phishing site.

ftx.cool is a mirror image of the genuine site at ftx.com


*** I received a message from FTX support team - ftx.cool is NOT a phishing site  ***

*** no comment made about the other ftx.[other] domains ***


On 1/7/2022 at 2:45 AM, NeilPatel said:

What we are trying to do is not get the virus/warning message to show up as the sites are valid.

Who is "we"? Do you represent FTX Digital Markets LTD in an official capacity? If so, are you able and willing to make an official statement here as to which (if any) of ftx.digital ftx.cool ftx.blue ftx.page ftx.soy test.ftx.digital or 47.57.185.149 are in no way connected to FTX Digital Markets LTD? Transparency is without doubt the best ally for any legal entity or individual that wishes to avoid any doubts as to their integrity.


49 minutes ago, AOCDELL said:

Who is "we"? Do you represent FTX Digital Markets LTD in an official capacity? If so, are you able and willing to make an official statement here as to which (if any) of ftx.digital ftx.cool ftx.blue ftx.page ftx.soy test.ftx.digital or 47.57.185.149 are in no way connected to FTX Digital Markets LTD? Transparency is without doubt the best ally for any legal entity or individual that wishes to avoid any doubts as to their integrity.

Although that message could be interpreted as hostile in terms of its tone, it is not intended to be. It will be a manifestation of the frustration felt after four weeks of relentless and as yet fruitless investigation into my own family's life-changing financial loss due to cyber crime.


17 hours ago, NeilPatel said:

I represent the company in an official capacity and work there. My email is neil.patel@ftx.com (which I created this account from).

My time resource allocation for investigating this ftx.digital ftx.cool ftx.blue ftx.page ftx.soy test.ftx.digital or 47.57.185.149 conundrum is now exhausted. I thought that it could be a lead worth following to help resolve case #283803 (FTX.com support ticket), but I'm now satisfied that the sites listed were not part of whatever string of events enabled "my" attacker to gain access to my FTX.com trading account.

There are only a limited number of ways to bypass Google 2FA, which is what the hacker managed to do in my case.

That hackers can manage to do this is extremely concerning.

Here is one method by which hackers can circumvent authenticator apps (stealing session cookies): 


It is good that FTX.com now offer authentication by YubiKey. This will prevent account wipe-outs for customers in the future.

Wish you best of luck in cleaning up your IP address/cloned sites dilemma.

James


Edited by AdvancedSetup
Corrected font issue

Final post:


https://therecord.media/more-than-1200-phishing-toolkits-capable-of-intercepting-2fa-detected-in-the-wild/


This details the method(s) by which cybercriminals can bypass 2FA by stealing the session cookie from the website.


Seems that even Yubikeys cannot prevent these kinds of attack, since a session cookie would be present regardless of the login process.


-----------------------------------------
