No sooner had Facebook announced the Libra cryptocurrency and the matching digital Calibra wallet than cybercriminals tried to get a head start on a new phishing theme.
Since the official news came out, cryptocurrency news sites have been busy explaining what Libra is and how it works, while fraudsters wasted no time registering domain names that impersonated the legitimate websites for both the coin and the Calibra wallet.
Around the date of the announcement, registration of domains referencing Libra increased manyfold: from about 20 or fewer a day before the news to over 110 on the day after, according to risk protection company Digital Shadows.
A similar situation was recorded for the Calibra wallet, slated for launch in 2020. There were barely any new registrations the day prior to the announcement, while the following day saw more than 65 registrations.
Not all of them are fraudulent, though, as many are part of cybersquatting attempts, where individuals rushed to purchase domains hoping that Facebook would offer to pay a better price at a later time.
This speculative activity works when the authority managing a TLD (top-level domain), such as .com, does not have regulations in place to deal with domains purchased in bad faith to profit from a trademark.
Some of the newly registered domains, however, have a more nefarious purpose: to impersonate the legitimate Libra and Calibra websites or to promote scams that abuse these names.
Instead of using a suspicious-looking TLD, fraudsters resort to a homograph attack that makes use of the Punycode encoding system to create domains that appear legitimate.
Digital Shadows found six domains that imitate the original Libra site, some of them being active and mimicking the real website almost to the dot.
calìbra[.]com (xn--calbra-yva[.]com)
líbra[.]org (xn--lbra-vpa[.]org)
calibra[.]ooo - active
canlibrawallet[.]com - active
libracoins[.]co[.]il - active
libra-ico[.]org - active
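The homograph technique described above can be checked mechanically. The following Python sketch is an added example, not code from the article or from Digital Shadows: it decodes `xn--` labels, folds accented letters to their base form, and compares the result with a brand watchlist. The `BRANDS` and `OFFICIAL` values and all function names are assumptions made for the illustration.

```python
import unicodedata

BRANDS = ("calibra", "libra")            # assumed watchlist of brand labels
OFFICIAL = {"libra.org", "calibra.com"}  # assumed allowlist of legitimate sites

def refang(domain):
    """Undo the [.] defanging used in threat reports."""
    return domain.replace("[.]", ".").strip().lower()

def to_unicode(label):
    """Decode one DNS label; an xn-- prefix marks a Punycode payload."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed payload: keep the raw label
    return label

def skeleton(label):
    """Fold accented Latin letters to their base letter (ì -> i).
    Cross-script look-alikes (e.g. Cyrillic) are not mapped here."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(domain):
    name = refang(domain)
    if name in OFFICIAL:
        return "official"
    labels = [to_unicode(part) for part in name.split(".")]
    # A non-ASCII label that folds to exactly a brand name is a homograph.
    if any(not l.isascii() and skeleton(l) in BRANDS for l in labels):
        return "homograph"
    # Substring match is a triage hint only: it also hits words like "library".
    if any(b in skeleton(l) for l in labels for b in BRANDS):
        return "brand-in-name"
    return "unrelated"

# Defanged domains as listed in the article.
SAMPLE = ["xn--calbra-yva[.]com", "líbra[.]org", "calibra[.]ooo",
          "canlibrawallet[.]com", "libracoins[.]co[.]il", "libra-ico[.]org"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{classify(d):14} {d}")
```
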
“Crafty criminals can clone the entire website and change certain assets to suit their nefarious needs,” says Alex Guirakhoo of Digital Shadows. There are some differences that should ring the alarm.
For instance, even if visually it is a very good clone of the original Calibra website, the last domain on the list fails to provide a secure connection. This and other differences may pass unnoticed by users who rush into taking advantage of the current offer from the scammer.
The offer is obviously a scam that ends with the victim transferring Ethereum cryptocurrency to the fraudster’s address. Fortunately, not many people fell for this trick as the crook’s wallet had only 0.2ETH in it at the time of publishing this article.
Some fraudsters put in more effort than others to dupe victims; canlibrawallet[.], which is behind Cloudflare, has the same look as the official Libra.org, including a link to the legitimate whitepaper on the cryptocurrency and other URLs pointing to the official Libra website.
But there is also a login page where you can use Facebook or Google credentials to log in, or register with an email address. Keep in mind that all you can do at the moment is to sign up for a newsletter that lets you know when Calibra is live.
Another type of scam is to offer virtual private servers (VPS) claiming that they have access to the Libra blockchain, although the cryptocurrency is not yet available.
On libra-vps[.]com, the cheapest offer starts at $200 thanks to a discount, for a Debian-based VPS and can go as high as $350 for a premium server with 4GB of RAM and 128GB of storage.
“With these VPSs you’ll have full access to the Libra protocol and all its functions. In only seconds you’ll be able to create a wallet, send/receive Libra coins and mint coins as well!” reads the promotion.