This is a follow-up to the article on the Binance exchange API “hack” based on what we now know.
Binance was quick to stress their exchange was not hacked, but to be honest, you would expect that to be their first reaction, to prevent a meltdown. I use the term “hack” as a very general term for any nefarious computer activities, which on this occasion appears to be a very elaborate phishing scam.
Some accounts that were hacked were using two-factor authentication (2FA), so how could the scam circumvent this security? Maybe Binance was economical with the truth.
It appears that the fake Binance site that stole the login credentials also hacked the 2FA security. The fake site requested 2FA via the Google Authenticator, and then, during the 60-second timeout for this security feature, it surreptitiously logged into the real Binance site and activated API control on the affected account.
Am I blaming Google for problems with their Authenticator? No, I recommend everyone should use 2FA, as there is no evidence that the initial seed used by Google’s Authenticator is in any way compromised. As shown in this hack, just because you are being asked to verify your account with 2FA, it doesn’t mean you are being asked by a legitimate website. So be sure to use bookmarks for all your crypto sites and then check for the valid SSL certificate in the browser.
The hack then presumably lies with a human error by clicking a phishing URL in a Twitter feed, Telegram Channel or spam email, right? Wrong. From the evidence produced by Binance, the fake URL was obtained from a Google search on the Google.be (Belgium) domain.
Ignore the items marked in red, as they were added by Binance, and instead concentrate on the two items I have highlighted in yellow. This Binance account holder appears to have been hacked, courtesy of Google. The image above is very poor quality, but the search term was “binance” and the account holder selected a link to www.bịnạnce.com rather than www.binance.com.
If you don’t have 20/20 vision or your computer screen is not entirely clean, then the two URLs might look the same, but there is a subtle difference. The fake one is using Unicode to add a tiny dot beneath the i and a in the word Binance.
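The dotted-letter trick can also be caught mechanically rather than by eye. The following Python sketch is an added example, not code from Binance or from the original article: it converts each hostname to the ASCII (punycode) form used in DNS and certificates, strips combining marks, and compares the result with a bookmark list. The `TRUSTED_HOSTS` set and the sample URLs are assumptions constructed for illustration, and the check only covers accent-style lookalikes like the one above, not letters borrowed from other alphabets.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: hosts you have bookmarked and trust.
TRUSTED_HOSTS = {"www.binance.com"}

def hostname_of(url):
    """Extract the lowercased hostname, accepting URLs with or without a scheme."""
    if "//" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""

def to_unicode(host):
    """Decode xn-- (punycode) labels so both spellings are analysed alike."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not decodable: analyse as typed

def to_punycode(host):
    """ASCII form of the host as it travels in DNS and appears in certificates."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host

def skeleton(host):
    """Decompose accented letters and drop the combining marks (dots, accents)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(url):
    """Return (verdict, punycode_host) for one URL."""
    host = to_unicode(hostname_of(url))
    ascii_host = to_punycode(host)
    if host in TRUSTED_HOSTS:
        return "trusted", ascii_host
    if skeleton(host) in TRUSTED_HOSTS:
        return "lookalike", ascii_host
    if not host.isascii():
        return "non-ascii", ascii_host  # not a known lookalike, still worth a look
    return "unknown", ascii_host

# Constructed sample URLs, not taken from a real browser profile.
SAMPLE_URLS = ["https://www.binance.com/login.html", "https://www.bịnạnce.com/", "https://example.org/"]

if __name__ == "__main__":
    for entry in SAMPLE_URLS:
        print(classify(entry), entry)
```

The second value returned is the `xn--` spelling of the host, which is the form the address bar or certificate details may show instead of the dotted letters.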
It’s impossible to know what the account holder saw when he brought up the Binance search, but the probability is that it was either a Google paid advertisement or a site towards the top of their rankings since few people go beyond page one on Google. My guess is that it was probably the former, but either way, I think this is terrible form from Google.
ICOs might not be happy with Facebook’s recent decision to drop them from paid advertisements, but it was done to protect us from scam ICOs. Google, on the other hand, are presenting us with phishing URLs when we search for important crypto terms like Binance. I don’t remember how I first found out about Binance, but for many of us, the first port of call would be a Google search. I don’t know about you, but I could certainly have been duped by the scam that Google helped perpetrate.
Surely Google should be vetting adverts and ensuring their algorithms don’t rank a scam site like the one that was responsible for the Binance exchange hack. If you use Google’s Chrome browser you can check if you were taken in by this fake site by copying and pasting the following URL into the address bar:
This will search your browsing history for the fake site with the Unicode dots, and with a bit of luck, this is what you will see.
You should be able to make a similar check in other browsers by bringing up your history and pasting this URL into the search box.
Financial analyst, smartphone app designer, technical writer, and crypto enthusiast. Blockchain verified graduate of MOOC 9, DFIN-511: Introduction to Digital Currencies, run by the University of Nicosia.