Bitcoin on the Rise
Bitcoin’s price broke the $775 barrier on Friday, trading briefly at a $778.70 high not seen since early February, 2014, thanks in part to a rule written into its original code that’s sparked increased trading before it goes into effect next month.
In the last month, the price of the digital currency has risen over 58 percent. Factors behind this jump include:
- Bitcoin supply is finite and constrained: Bitcoin's generation algorithm predetermines the rate at which currency is created and caps total issuance at 21 million coins over Bitcoin's lifetime. Each time a miner finds ("mines") a new group of transactions (a "block"), new bitcoins are generated as a "reward". The number of bitcoins rewarded per block decreases geometrically, with a 50% reduction every 210,000 blocks (approximately four years), a process known as "halving".
- Bitcoin's next supply growth reduction happens next month: At its 2009 launch, miners were rewarded 50 bitcoins (BTC) per block; per the algorithm, this fell in 2012 to 25 BTC per block. The reward is set to halve again sometime next month, dropping the reward per block to 12.5 BTC.
- Anticipation of this supply drop is driving demand: Ahead of the scheduled throttling of Bitcoin production, trading activity has seen a sharp uptick and a subsequent price rise. "We are seeing very high trading volumes," notes Bobby Lee, chief executive of China-based BTCC, one of the world's largest Bitcoin exchanges.
- More people are using Bitcoin: Because Bitcoin is the currency most commonly demanded of ransomware victims to restore data held hostage by bad actors, the 2016 ransomware epidemic has accelerated Bitcoin adoption.
- More people want Bitcoin: Ongoing worries about the Chinese economy and a potential further depreciation of the yuan make Bitcoin an attractive alternative for Chinese businesspeople seeking assets with sustained purchasing power.
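The halving schedule described in the list above is a small piece of consensus code, and it is worth seeing why "50% every 210,000 blocks" adds up to the 21 million cap. The following is an added example, not code from the OpenDNS post; it mirrors the integer right-shift that Bitcoin Core's GetBlockSubsidy() uses, computes the reward at each halving height, and sums the whole schedule in satoshis.

```python
# Added example (not from the OpenDNS post): the block-subsidy schedule described above,
# written the way Bitcoin Core's GetBlockSubsidy() computes it (integer right-shift, in satoshis).
COIN = 100_000_000            # satoshis in one bitcoin
HALVING_INTERVAL = 210_000    # blocks between halvings, roughly four years at ten minutes per block
INITIAL_SUBSIDY = 50 * COIN   # reward per block at the 2009 launch


def block_subsidy(height: int) -> int:
    """Subsidy in satoshis for the block at `height`.

    Each halving is a right-shift by one bit, so rounding is toward zero and the
    subsidy becomes exactly 0 once the shift exhausts the 33 significant bits of 50 BTC.
    Bitcoin Core also short-circuits at 64 halvings to avoid an undefined C++ shift.
    """
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY >> halvings


def halving_height(n: int) -> int:
    """Height of the first block paid at the n-th reduced rate (n=1 is the 2012 halving, n=2 the 2016 one)."""
    return n * HALVING_INTERVAL


def total_supply_btc() -> float:
    """Sum every block's subsidy until it reaches zero; the result lands just under 21 million BTC."""
    total_sat = 0
    height = 0
    while (subsidy := block_subsidy(height)) > 0:
        total_sat += subsidy * HALVING_INTERVAL   # every block in this interval pays the same subsidy
        height += HALVING_INTERVAL
    return total_sat / COIN


if __name__ == "__main__":
    for n in range(4):
        h = halving_height(n)
        print(f"block {h:>9}: {block_subsidy(h) / COIN:.8f} BTC per block")
    print(f"total issuable: {total_supply_btc():.8f} BTC")
```

Because the shift truncates rather than rounds, the schedule never quite reaches 21,000,000 BTC; the last few halvings lose fractions of a satoshi each, which is why the summed total comes out a few thousand satoshis short of the cap.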
Initial Bitcoin Phishing Detection
Traders, economists and bankers are not the only ones taking note of the recent Bitcoin frenzy. Criminals running phishing campaigns, actors who have traditionally not been choosy about which of your exploitable assets they go after, have discovered that Bitcoin offers an easier way to steal.
So we were not too surprised when, on June 9, 2016, our NLPRank model detected a new phishing attack on the domain blockchain-wallet[.]top targeting the cloud-based Bitcoin wallet company blockchain[.]info.
The first signs of this campaign were noticed by security researchers at Cyren at the beginning of June, when a phishing campaign using the domain blocklchain[.]info as its web address began to spread via Google AdWords.
Expanding Intelligence via Hosting IP Space, Name Server and Whois
Investigating the hosting IP in more depth, we found the additional domains below hosted on 18.104.22.168: blockchain spoofs, pharma spam and phishing domains are all present on this IP.
Checking the neighboring IPs in the 22.214.171.124/24 range, we found several more IPs hosting a mix of more or less legitimate content such as puppy websites (http://www.astrahomepugs[.]com and http://tessymaltesehome[.]com), rogue content such as fake merchandise (http://www.luxurybrandsmall[.]com/), iCloud phishing (idmas-appleid[.]eu), more Bitcoin phishing sites, offshore banks (http://www.anonymousoffshorebank[.]com/), porn sites and even child modeling sites (which are illegal and should be taken down). Given this shady content, we blocked the entire range for our customers; for reference, we provide the list of domains on the 126.96.36.199/24 range.
Revealing Rogue Offshore Hosting Providers
Were it not for the support of the same bulletproof or anonymous hosts in offshore jurisdictions who’ve historically provided infrastructure for bad actors, this current spate of Bitcoin wallet phishing would be without a launchpad.
ECATEL is a well-known Dutch hosting provider founded in 2005, registered in the UK and headquartered in The Hague. It offers offshore hosting options and, over the last decade, has consistently hosted criminal and toxic content and generated spam and DDoS traffic from its IP space. ECATEL is known to law enforcement, has been cut off by its peers at least once (in 2008), and was targeted in 2012 by Anonymous DDoS attacks for hosting child porn.
In December 2015, ECATEL changed its network name; since then AS29073 has officially been called QUASINETWORKS. More interestingly, ECATEL/QUASINETWORKS moved its registration from the Netherlands to the Seychelles, an offshore jurisdiction. This is a common evasive practice among bulletproof hosting providers, one we have observed for several years and covered at Infosecurity Europe, Hack.lu, BruCON and RSA.
Then in April 2016, ECATEL rebranded yet again and is now known as novogara.com. In fact, ECATEL is still selling the same products on four different live websites: ecatel.net, ecatel.co.uk, ecatel.info and novogara.com.
| Domain | Creation date | Last seen live |
|---|---|---|
| quasinetworks.com | 24-Jun-2015 | Live but no content |
| quasinetworks.net | 24-Jun-2015 | Live but no content |
We also checked the name servers of blolkchain[.]com, ns1.offshore-dns.net and ns2.offshore-dns.net: ns1.offshore-dns.net resolves to 188.8.131.52 and ns2.offshore-dns.net resolves to 184.108.40.206. Both 220.127.116.11 and 18.104.22.168 belong to the same AS29073, ECATEL/QUASINETWORKS.
By simply checking hosted domains on these two IPs and related domains via Whois registration, we uncover 3 anonymous offshore hosting companies using ECATEL/QUASINETWORKS IP space.
| Domain | Creation date | Hosting since |
|---|---|---|
| anonymoushosting.in | 03-Jan-2010 (1st avail. date) | 14-Apr-2006 |
In fact, the three websites have very similar looks and themes and offer identical server packages, which leads us to believe they are all the same hosting company.
Anonymous offshore hosting is not malicious per se; it can be useful for customers who are scrupulous about their privacy, anonymity and censorship-evasion. Unfortunately, these hosting infrastructures are abused to harbor criminal and toxic content.
Whois Emails Used for More Bitcoin Phishing
With the rise of Bitcoin, more and more attackers will attempt to spoof these online wallets in order to steal credentials. OpenDNS is at the forefront of detecting these new anomalies. By pivoting on the identified malicious domains and leveraging OpenDNS data, we identified at least six email addresses used to register domains for blockchain spoof campaigns. Below is a selection of the addresses in question, which have been, and as of this writing still are, being used to register more than 100 Bitcoin and blockchain phishing domains.
Investigating IP space, name servers and Whois indicators sheds light on how frequently criminal actors recycle their infrastructures and resources, and makes evident just how heavily they rely on bulletproof offshore hosting providers to deliver their malware and phishing campaigns.
Not only Bitcoin wallets are targeted; other services that accept Bitcoin become targets as well. The domain blokchain-wallet[.]info impersonates the page of Nowell Associates Limited, a company specializing in tax returns and cloud accountancy that is among the first accounting firms in England to accept Bitcoin and Litecoin as payment for accountancy, taxation, IT and data security services.
Here we can see attackers spoofing another Bitcoin service, localbitcoin[.]com, on the same IP address:
Bitcoin addresses are Base58Check-encoded, so they exclude potentially confusing characters such as 0 (the digit zero), O (capital o), l (lowercase L) and I (capital i), as well as the symbols '+' and '/', and every address carries a checksum that rejects a mistyped or swapped character. This forces cybercriminals to come up with new schemes for typosquatting and phishing domains rather than relying on look-alike addresses. From these examples, it is clear the attackers have a solid understanding of the protection mechanisms built into Bitcoin addresses and are trying to work around them.
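To make the protection mechanism concrete, here is an added Python example (not code from the OpenDNS post) that implements Base58Check decoding and encoding with the Bitcoin alphabet and classifies candidate addresses. The sample input is the publicly known genesis-block coinbase address, which is a valid mainnet P2PKH address; the classification labels ("ok", "illegal-char", "bad-checksum", "bad-version") are names chosen for this example. It shows that a look-alike substitution of 1 for l is rejected before any hashing, and that changing any other character trips the double-SHA256 checksum.

```python
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, and (unlike Base64) no '+' or '/'.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet version bytes a legacy address may start with: P2PKH ("1...") and P2SH ("3...").
MAINNET_VERSIONS = (0x00, 0x05)


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode: big-endian integer to Base58, leading zero bytes become '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = BASE58_ALPHABET[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_decode(text: str) -> bytes:
    """Return the payload (version byte + data) if the trailing 4-byte checksum matches."""
    raw = b58decode(text)
    if len(raw) < 5:
        raise ValueError("too short to carry a checksum")
    payload, checksum = raw[:-4], raw[-4:]
    if checksum != _checksum(payload):
        raise ValueError("checksum mismatch")
    return payload


def b58check_encode(payload: bytes) -> str:
    return b58encode(payload + _checksum(payload))


def classify(text: str) -> str:
    """Label a candidate legacy address (label names are this example's own):
    'illegal-char'  a character outside the alphabet, e.g. a 0/O/I/l look-alike swap
    'bad-checksum'  alphabet is fine but the double-SHA256 check fails (any other typo)
    'bad-version'   decodes, but is not a 21-byte mainnet P2PKH/P2SH payload
    'ok'            a well-formed mainnet address
    """
    if any(ch not in BASE58_ALPHABET for ch in text):
        return "illegal-char"
    try:
        payload = b58check_decode(text)
    except ValueError:
        return "bad-checksum"
    if len(payload) != 21 or payload[0] not in MAINNET_VERSIONS:
        return "bad-version"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the genesis-block coinbase address (public, valid) and two tampered copies.
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    for candidate in (genesis, genesis.replace("1", "l", 1), genesis[:-1] + "b"):
        print(f"{candidate}: {classify(candidate)}")
```

The decode/encode pair round-trips, so the same helper can be used to sanity-check addresses scraped from a phishing page or pasted into a ticket before anyone acts on them; an address that fails `classify` was never a working destination, whatever the page claimed.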
Very Recent Activity
Additionally, our model NLPRank detected a large amount of new phishing activity with high accuracy (FQDN, Probability Score, Timestamp) this past weekend hosted on 22.214.171.124:
| FQDN | Probability score | Timestamp |
|---|---|---|
| 3-blockchain[.]info | 0.998737215996 | 2016-06-18 02:32:24.026000 |
| 4-blockchain[.]info | 0.998737215996 | 2016-06-18 19:25:35.426000 |
| 1-blockchain[.]info | 0.998737215996 | 2016-06-19 01:59:45.065000 |
| login4-blockchain[.]info | 0.998737215996 | 2016-06-19 03:54:05.436000 |
| login6-blockchain[.]info | 0.998737215996 | 2016-06-19 05:22:08.081000 |
| blockchain-login3[.]info | 0.998737215996 | 2016-06-19 06:29:40.079000 |
| login7-blockchain[.]info | 0.998737215996 | 2016-06-19 06:52:20.087000 |
| 6-blockchain[.]info | 0.998737215996 | 2016-06-19 12:10:07.290000 |
| blockchain-login5[.]info | 0.998737215996 | 2016-06-19 18:25:57.410000 |
| 9-blockchain[.]info | 0.998737215996 | 2016-06-19 19:39:11.263000 |
| blockchain-login1[.]info | 0.998737215996 | 2016-06-19 21:15:33.078000 |
| blockchain-logins5[.]info | 0.998737215996 | 2016-06-19 23:19:29.678000 |
| login2-blockchain[.]info | 0.998737215996 | 2016-06-20 03:19:42.173000 |
| 11-blockchain[.]info | 0.998737215996 | 2016-06-20 03:28:59.602000 |
| blockchain-logins2[.]info | 0.998737215996 | 2016-06-20 03:53:41.885000 |
| logins-blockchain[.]info | 0.998737215996 | 2016-06-20 06:51:21.961000 |
One can see that there are many other Bitcoin spoofing sites on this IP, proof that attacking these online wallets for credentials is picking up steam, especially with the price of Bitcoin rising recently. Furthermore, the 126.96.36.199/24 range hosts more suspicious and toxic content such as fake merchandise and phishing, so we proactively blocked it.
Our findings show that this is a new campaign, since most of these domains were registered on May 26, 2016, with new domains surfacing in our logs almost every day. As cryptocurrency technologies gain momentum, so too will a new set of security problems, so it’s imperative these online wallet companies deploy proper security methods to protect against this new wave of targeted phishing and typosquatting attacks. We will keep monitoring our DNS traffic for phishing pages intended to steal online wallets’ credentials, and continue to share our results here in the blog.
Finally, rogue and bulletproof hosting providers continue to provide a safe haven for these malware and phishing campaigns. Our objective at OpenDNS is to track and predictively block malicious content via DNS traffic analysis and proactive monitoring of indicators such as IP space, Whois and SSL certificates. We will discuss recent developments around malware hosting and bulletproof infrastructures in detail at Black Hat USA 2016 this coming August.