Facebook’s Libra Cryptocurrency: Cybercriminals tipping the scales in their favorJune 27, 2019
The announcements of Facebook’s new cryptocurrency “Libra” and its associated digital wallet “Calibra” have conjured up discussion, debate, criticism, and praise from all corners of the Internet. Companies constantly launch new products and add brands to their portfolio, but it’s not every day that one of the world’s largest tech companies decides to establish its own digital currency, let alone with the support of several other big players like Mastercard, Visa, and Uber.
Since Facebook’s announcement on June 18, there has been a gold rush, with people scrambling to register a myriad of domain permutations that infringe on the new trademarks. These have ranged from seemingly innocuous websites to those which appear slightly more sinister. With Digital Shadows’ Shadow Search, we can pull up a chart which shows the number of domains with references to either “Libra” or “Calibra” registered in the days on and around the 18th.
Figure 1: Shadow Search results over time for domains registered with “Libra” or “Calibra”
The vast majority of these are fairly boring- currently parked and not hosting content. Some domain squatters aim to jump on a domain name with the hope of making a profit when the company looks to buy it back from them. It’s become common practice for a lot of businesses to preemptively buy up all the relevant domains, so they don’t fall into the wrong hands, particularly TLDs which can cause reputational damage or send the wrong message.
Even if the company doesn’t plan on using them to host content, they can be set up to redirect to the legitimate page, preventing visitors from stumbling across an empty site by accident. Researchers or tech-savvy users have traditionally relied on WHOIS registration records to compare the legitimate domain records to a potential typosquat. However, unless a company makes their registration data public, with the advent of the EU’s GDPR, masked WHOIS data has become largely unhelpful. This can make it more difficult for customers and consumers to check if a domain is legitimate or not and can sometimes even be advantageous to those with more nefarious intentions.
Of all the domains set up since the 18th, those that are hosting malicious content can broadly be split into two categories:
- Websites actively impersonating the legitimate Libra or Calibra website
- Websites promoting scams that abuse the Libra or Calibra name
Classic domain impersonation
Brand misuse in the form of domain impersonation is an issue that plagues companies large and small. Unsurprisingly, there have already been several domains that have been set up to be exact copies of Facebook’s official Libra and Calibra websites. Instead of relying on media buzz and hype around the brand, these types of scams instead aim to convince victims that they are on a legitimate website, and therefore more likely to trust it with their personal and financial data.
As a result, criminals can’t just rely on domain names that are obviously fake: Why would the official Libra website use a .fish or .style TLD? This is where punycode comes in. An increasingly common tactic is for criminals to register domains using characters from Greek, Cyrillic, and other alphabets which resemble letters in the Roman alphabet, also called a homograph attack. These can appear near-identical to unsuspecting users, and can be difficult to spot on smaller devices such as mobile phones. Examples could include substituting a lowercase A with the Cyrillic character “а”, or using the Turkish dotless I “ı” in place of a lowercase L.
Digital Shadows has identified at least six examples of domains either directly copying the Libra and Calibra websites or using the brand imagery for potentially malicious purposes:
- calìbra[.]com (xn--calbra-yva[.]com)
- líbra[.]org (xn--lbra-vpa[.]org)
Crafty criminals can clone the entire website and change certain assets to suit their nefarious needs. In the examples above, note the change of text from “Get Started” on the real website to “Sale Libra” on the fake one. For the most convincing of sites, it can be nigh-impossible to determine which is legitimate and which is fake. Unfortunately for our scammer friends in this case, some of the page formatting was off, making it easier to recognize it as fraud.
Clicking the sale button directs you to a page that claims to exchange their Ether (the cryptocurrency for the Ethereum blockchain) for the equivalent amount in Libra, with a 25% bonus. What a deal!
Figure 2: “Sale Libra” page on libra-ico[.]org
The Ethereum address listed as the contribution address (the wallet controlled by this scammer) had already collected 0.2 Ether ($58.24 at the time of writing). Not a ground-breaking amount by any means, but it’s something!
Funnily enough, since starting work on this blog, content on several domains we identified has since been removed, with the owner of the calìbra[.]com (xn--calbra-yva[.]com) website leaving an almost-sincere message to those they defrauded:
Frequenters of the Internet will be no stranger to the vast number of cryptocurrency scams that have been circulating the web over the past few years (see Elon Musk’s Twitter). These have become wildly popular since the cryptocurrency boom in late 2017 and have since taken many forms, from social media posts asking for initial payment into a criminal’s wallet, to more technically complex schemes which use botnets to mine cryptocurrency with the power of unsuspecting victims’ computers (see Digital Shadow’s research on the Bitcoin gold rush)
It comes as no surprise that cybercriminals have leveraged the vast media attention received by Facebook to propagate new schemes with Libra – even though the currency is not even set to launch until 2020.
One website, libra-vps[.]com claims to have set up Debian-based Virtual Private Servers (VPS) with access to the Libra blockchain. These are available to purchase starting at $200, and purportedly allow anyone to create a wallet, send/receive Libra, and even mint coins (remember when I mentioned the cryptocurrency hasn’t even officially launched yet?).
The site even has a step-by-step guide on how to use their service, which includes accessing a Remote Desktop Connection (RDC) program and entering in a username, password, and IP address. If your internal alarm bells haven’t gone off yet, they should be at this point.
If the goal of this website isn’t just to scam people out of $200, going so far as to open your ports to an unknown source means you’re probably going to have a bad time. An attacker could leverage this connection to install all imaginable types of malware, harvest credentials and sensitive information, and more. If the ability to mint as much of a cryptocurrency that doesn’t yet exist sounds too good to be true or even implausible, then it probably is. So, caveat emptor.
If there’s one thing that will remain constant, it’s that scammers, uh, find a way. There will undoubtedly be dozens more domains created between this blog’s publishing and the time it takes you, my dear reader, to reach its conclusion.
Though not every company is as large as the behemoth that is Facebook, the gold rush that arose following the announcement of their cryptocurrency can serve as a useful example to other organizations and consumers alike, with several lessons learned:
- Be vigilant on your online travels and trust your gut instinct. Have a watchful eye for misspellings in domain names, strange TLDs, redirects, and peculiar characters.
- Be aware of the current limitations of WHOIS data. Since GDPR, WHOIS data cannot, in many cases, be used to reliably gauge the legitimacy of a website, beware of domains created with different registrars than usually used by a company.
- Be stingy with your personal and financial data. Always make sure you’re on the website you intend to be on before handing over your personal details, if something seems broken or off, then it very well may be a fake.
- If it seems implausible or too good to be true, then it probably is. Scammers will constantly try to find ways to outsmart their victims- stay ahead of the game and avoid grandiose claims of fortune.
 By this I mean characters as in letters and symbols, but you should generally be wary of other types of peculiar characters as well, like gnomes, or strangers in trenchcoats
To keep up with more research like this, make sure to subscribe to our email list below for updates.