Imitation is said to be the best form of flattery… For us at Kambria, we learned that’s not always the case!
Last week we were alerted to the presence of a website that looked almost identical to ours (https://kambria.io), the difference being that the information on the site listed fake ICO related details that asked people to email a private address and later send ETH to a fake wallet. We then discovered that the scammers had also copied our Facebook, Twitter, LinkedIn, Medium, Telegram, AngelList, BitcoinTalk and Github channels!
Needless to say, we swung into immediate action, but shutting the phishing attacks became more like a game of whack-a-mole. Shutting down the phishers’ website only resulted in them popping up again a few days later. They used and altered our photos to match their site, and even went as far as “warning” users of fake sites! We made the effort to direct people to our official LinkedIn profiles to prove our legitimacy, after which we’d find that the phishers would copy our LinkedIn profiles as well.
While we were able to shut down the phishers for the most part, the last few days taught us some valuable lessons — some which seem obvious now and some which we had to learn quickly to thwart the elaborately coordinated attack. These are some of the things that worked for us, and we hope our learnings help others in a similar situation!
1. Website Phishing attack
a. Cloudflare: reverse proxy and pass-through service provider
- We reported the phishing attack to Cloudflare, who turned off the redirect to the fake site address. Cloudflare also forwarded the phishing report to the hosting provider, TeraSwitch.
- Once reported to TeraSwitch, they turned off the fake site’s hosted address within a few hours
b. Namecheap: domain name service provider
- This is the part that created the most trouble for us, as the phishers had purchased their domain using our CEO’s name and our office address, giving it the image of legitimacy
- We emailed the Namecheap abuse support team, who are supposed to resolve the issue within 48 hours, but they did not do so despite repeated requests
- We then escalated the issue via live chat, where it was attended to immediately
- We also tweeted to Namecheap and posted on their Facebook and Medium channels, which helped highlight the seriousness of the issue
- It is extremely important to turn off the phishing site’s access via the DNS provider, or they can just move to another hosting provider. This is exactly what happened in our case: TeraSwitch turned them off very quickly, but the scammers came back online via another provider the following day
- Lesson learned: don’t skip registering domain names that are similar to or extensions of your domain name. If we had secured all the kambria* domains, this attack would not have been easy to pull off. Domain name registration is extremely important!
c. Website updates
- Posted an alert message on the official Kambria website informing people of the phishing attack, and asking them not to send any money/ETH to private email ids or fake wallets
- Quickly put together a video with the founders with details on the phishing attack
- Worked with a company called MetaCert, which whitelists verified sites focused on ICOs, to whitelist kambria.io and blacklist the fraudulent sites. Users who have the MetaCert button installed see a warning message when they visit a phishing site, and a green shield for the legit/verified sites.
2. Twitter account
- Deactivated the fake account by flagging it to the Twitter support team. We had several of our team and community members do this as well
- Pinned the message about the phishing attack on our official Twitter page
- Worked with MetaCert to whitelist our Twitter account and blacklist the fraudulent account
3. Facebook page
- Posted on the fake Facebook page about it being a fraudulent page. We were unable to shut the fake Facebook page down, as the Facebook support team has been pretty unresponsive on this issue
- Pinned the message about the phishing attack on our official Facebook page
4. Medium account
- Posted on the fake Medium page about it being a fraudulent account
- Posted this blog you are reading on the official Kambria Medium channel
5. Telegram channel
- Worked closely with our amazing community to keep them informed of the phishing attack and the fake Telegram channel
- Pinned the message about the phishing attack on our official Telegram channel
- Kambria team members joined the fake Telegram channel and posted that it is a fraudulent chat group, asking people not to send any ETH or dollars. We got kicked out of the fake Telegram channel but rejoined using our personal email ids to warn people against sending money to fake wallets
- Asked our community to do the same and report the phishing incident to help protect unsuspecting members
6. BitcoinTalk account
- Flagged the fake account as fraudulent, and had several of our team members do this as well
- Posted about the phishing attack on Kambria’s BitcoinTalk thread as well as on our personal threads
7. LinkedIn profiles
- Posted on the Kambria founders’ LinkedIn profiles that our accounts have been phished, and asked people not to send any ETH or dollars to a wallet claiming to be associated with us
8. GitHub account
- The phishers created a fake GitHub account, which was empty. We immediately flagged the fraudulent account on GitHub
- The lesson we learned from this is to secure all web assets before making any announcements
9. ICO lists and registries
- The phishers listed our platform on several ICO registries/listing sites. We flagged the fake listing to these sites, where we had success with a few but not all. We are looking at how we can manage our brand from being misused on these sites, and will update when we have more success with this issue
10. Security experts
- We are now working with security experts in the crypto and ICO space to better understand how we can protect ourselves from this happening again — especially when the stakes are even higher. That will have to wait for another blog post 🙂
The big learning for us across all our social channels was that we had different handles for different channels, like @Kambria and @KambriaNetwork. The reason for this was that the @Kambria handle was unavailable on channels like Facebook & Twitter; however, this inconsistency was a weakness the phishing attackers leveraged. This is another reason we cannot stress enough the importance of registering <yourcompany>* domains at the beginning of your company’s formation. Another thing we missed doing was to watermark all of our photos and videos. This enabled the phishers to easily copy all our media assets across their fake channels.
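One way to act on the “register kambria* domains” lesson, as an added example that is not Kambria’s own tooling: enumerate the brand-derived names you would want to hold and triage which are already yours, which resolve to someone else (investigate), and which still look open (consider registering). The TLD list, affixes and character swaps are constructed assumptions; the real DNS check needs network, so the triage function accepts an injected resolver and the demo uses a constructed one.

```python
import socket
from itertools import product

# Constructed assumptions: a brand owner would tune these to their own domain.
BRAND = "kambria"
TLDS = ["io", "com", "net", "org", "network", "co"]
AFFIXES = ["", "ico", "token", "sale", "network", "official"]
SUBSTITUTIONS = {"i": ["1", "l"], "a": ["4"], "b": ["d"]}  # common look-alike swaps


def lookalike_candidates(brand=BRAND, tlds=TLDS, affixes=AFFIXES):
    """Return a sorted list of brand-derived domains: plain, affixed,
    hyphen-affixed and single-character-swapped names across every TLD."""
    names = {brand}
    for affix in affixes:
        if affix:
            names.add(brand + affix)
            names.add(f"{brand}-{affix}")
    for i, ch in enumerate(brand):
        for sub in SUBSTITUTIONS.get(ch, []):
            names.add(brand[:i] + sub + brand[i + 1:])
    return sorted(f"{name}.{tld}" for name, tld in product(names, tlds))


def resolves(domain):
    """True if the name currently has an address record (requires network)."""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


def triage(candidates, owned, resolve=resolves):
    """Bucket candidates: 'owned' (already yours), 'investigate' (live but not
    yours, possible phishing site) and 'available' (no record, worth registering)."""
    report = {"owned": [], "investigate": [], "available": []}
    for domain in candidates:
        if domain in owned:
            report["owned"].append(domain)
        elif resolve(domain):
            report["investigate"].append(domain)
        else:
            report["available"].append(domain)
    return report


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; swap in `resolves` for real checks.
    fake_dns = lambda d: d == "kambria-ico.com"
    print(triage(lookalike_candidates(), {"kambria.io"}, resolve=fake_dns))
```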
We are incredibly grateful however for the incredible support from our community. You helped us shut down the phishers quickly, and we cannot thank you enough for your support and faith in us!
We hope you found this post useful and if you have had a similar experience, do let us know how you dealt with it. Also, if you see any more fake versions of the Kambria website or social channels, or just want to say hello, please drop us a line at email@example.com