Bitcoin on the Rise

Bitcoin’s price broke the $775 barrier on Friday, trading briefly at a $778.70 high not seen since early February, 2014, thanks in part to a rule written into its original code that’s sparked increased trading before it goes into effect next month.

In the last month, the price of the digital currency has risen over 58 percent. Factors behind this jump include:

  • Bitcoin supply is finite and constrained: Bitcoin’s generation algorithm pre-determines the rate at which currency will be created, and limits its release to 21 million coins over the course of Bitcoin’s lifecycle. Each time a user discovers (“mines”) a new group of transactions (“block”), Bitcoins are generated (“rewarded”). The number of bitcoins rewarded per block decreases geometrically, with a 50% reduction every 210,000 blocks, or approximately four years, a process known as “halving”.
  • Bitcoin’s next supply growth reduction will happen next month: Upon its 2009 launch, miners were rewarded 50 Bitcoins (BTC) per block, which per the algorithm fell in 2012 to 25 BTC per block. Now the reward is set to halve again sometime next month, dropping the reward per block to 12.5 BTC.
  • Anticipation of this supply drop is driving demand: Ahead of Bitcoin production’s scheduled throttle, trading activity has experienced a sharp uptick and subsequent price rise. “We are seeing very high trading volumes,” notes Bobby Lee, chief executive of China-based BTCC, one of the world’s largest bitcoin exchanges.
  • More people are using Bitcoin: Because Bitcoin is the primary currency demanded of ransomware victims to restore data held hostage by bad actors, the 2016 ransomware epidemic has accelerated Bitcoin generation.
  • More people want Bitcoin: Ongoing worries about the Chinese economy and a potential further depreciation of the Yuan make Bitcoin an attractive alternative for Chinese businesspeople seeking assets that can have sustained purchasing power.
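The halving schedule from the first two bullets, worked through in Python as an added example (not code from the original post): the subsidy is tracked in integer satoshis and halved by an integer shift as the reference client does, which is why the total ever issued stops just short of the 21 million cap.

```python
HALVING_INTERVAL = 210_000                  # blocks between halvings
INITIAL_SUBSIDY_SATS = 50 * 100_000_000     # 50 BTC, in satoshis

def block_subsidy_sats(height: int) -> int:
    """Subsidy for the block at `height`: 50 BTC, halved every 210,000 blocks.
    The integer shift drops any odd satoshi, as the reference client does."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_SUBSIDY_SATS >> halvings

def block_subsidy_btc(height: int) -> float:
    return block_subsidy_sats(height) / 100_000_000

def total_issuance_sats() -> int:
    """Sum the subsidy of every block until the shift reaches zero."""
    total, height = 0, 0
    while block_subsidy_sats(height) > 0:
        total += block_subsidy_sats(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total

if __name__ == "__main__":
    for height in (0, 210_000, 420_000, 630_000):
        print(f"block {height:>7}: {block_subsidy_btc(height)} BTC per block")
    print(f"total ever issued: {total_issuance_sats() / 100_000_000:.8f} BTC")
```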

Initial Bitcoin Phishing Detection

Traders, economists and bankers are not alone in taking note of the recent Bitcoin frenzy, however; criminals staging phishing campaigns — malicious actors who’ve traditionally not made a habit of cherry-picking amongst your exploitable assets — have discovered that Bitcoin can provide an easier way to steal.

Thus we were not too surprised when, on June 9, 2016, our NLPRank model at OpenDNS detected a new phishing attack on the domain blockchain-wallet[.]top targeting the cloud-based Bitcoin wallet company blockchain[.]info.

First signs of this new campaign were noticed by security researchers from Cyren at the beginning of June, when a phishing campaign utilizing the domain blocklchain[.]info as its web address began to spread using Google AdWords.

Then, on June 13, 2016, OpenDNS Labs detected blolkchain[.]com, another phish on the same IP, 89.248.171.88.

Expanding Intelligence via Hosting IP Space, Name Server and Whois

When we investigated the hosting IP more in depth, we discovered additional domains hosted on 89.248.171.88: blockchain spoofs, pharma spam and phishing domains are all present on this IP.

IP Range

After checking the neighboring IPs on the 89.248.171.0/24 range, we discovered several more IPs hosting a mix of more-or-less legit content like puppy websites (http://www.astrahomepugs[.]com and http://tessymaltesehome[.]com), rogue content like fake merchandise (http://www.luxurybrandsmall.com/), iCloud phishing (idmas-appleid[.]eu), more Bitcoin phishing sites, offshore banks (http://www.anonymousoffshorebank[.]com/), porn sites and even child modeling sites (which are illegal and should be taken down). Given this shady content, we blocked the entire IP Range for our customers and as a reference, we provide the list of domains on the 89.248.171.0/24 range.

Revealing Rogue Offshore Hosting Providers

Were it not for the support of the same bulletproof or anonymous hosts in offshore jurisdictions who’ve historically provided infrastructure for bad actors, this current spate of Bitcoin wallet phishing would be without a launchpad.

Case in point: 89.248.171.88 is hosted on AS29073, QUASINETWORKS, which actually used to be ECATEL [1][2][3].

ECATEL is a known Dutch hosting provider founded in 2005, registered in the UK, and headquartered in The Hague. It offers offshore hosting options and, over the last decade, has consistently hosted criminal and toxic content [4][5], and generated spam and DDoS traffic from its IP space [6]. ECATEL is known to law enforcement, has been shut down by its peers at least once (in 2008) [7], and was subject in 2012 to DDoS attacks by Anonymous for hosting child porn [8].

In December of 2015, ECATEL changed their network name [9], and since then AS29073 has officially been called QUASINETWORKS [10][11]. More interestingly, ECATEL/QUASINETWORKS changed its registration from the Netherlands to the Seychelles, which is an offshore jurisdiction. This is a common evasive practice used by bulletproof hosting providers that we’ve observed for several years and covered at Infosecurity Europe, Hack.lu, Brucon, and RSA.

Original registration details of ECATEL. Notice the address in The Hague, Netherlands.

Updated details of QUASINETWORKS. Notice the Seychelles address.

Then in April of 2016, ECATEL rebranded yet again, and is now known as novogara.com. In fact, ECATEL is still selling the same products on 4 different live websites: ecatel.net, ecatel.co.uk, ecatel.info and novogara.com.

Domain              Creation date    Last seen live
ecatel.net          16-May-2004      Currently live
ecatel.nl           04-Jul-2005      17-Dec-2014
ecatel.co.uk        18-Jun-2008      Currently live
ecatel.org          18-Jun-2008      17-Dec-2014
ecatel.info         16-Oct-2010      Currently live
novogara.com        15-Apr-2015      Currently live
quasinetworks.com   24-Jun-2015      Live but no content
quasinetworks.net   24-Jun-2015      Live but no content

We further checked out the name servers of blolkchain[.]com, which are ns1.offshore-dns.net and ns2.offshore-dns.net: ns1.offshore-dns.net resolves to 80.82.70.10 and ns2.offshore-dns.net resolves to 93.174.91.42. Both 80.82.70.10 and 93.174.91.42 belong to the same AS29073, ECATEL/QUASINETWORKS.

By simply checking the hosted domains on these two IPs and related domains via Whois registration, we uncovered 3 anonymous offshore hosting companies using ECATEL/QUASINETWORKS IP space.

Domain               Creation date                     Hosting since
anonymoushosting.in  03-Jan-2010 (1st avail. date)     14-Apr-2006
vindohosting.com     11-Aug-2009                       16-Aug-2009
goip.com             26-Jan-2002                       15-Jan-2012

In fact, the 3 websites have very similar looks and themes, and offer identical server packages, which makes us believe they are all the same hosting company.

Anonymous offshore hosting is not malicious per se; it can be useful for customers who are scrupulous about their privacy, anonymity and censorship-evasion. Unfortunately, these hosting infrastructures are abused to harbor criminal and toxic content.

Whois Emails Used for More Bitcoin Phishing

With the rise of Bitcoin technology, more and more attackers will be attempting to spoof these online wallets in order to steal credentials. OpenDNS is at the forefront of detecting these types of new anomalies. By pivoting on the identified malicious domains and leveraging OpenDNS data, we were able to identify at least 6 emails used to register domains for blockchain spoof campaigns. Below is a selection of the emails in question, which have been and, as of this writing, are still being used to register more than 100 Bitcoin and blockchain phishing domains.

mopadrehop@thraml.com
stopracuho@thraml.com
tidrorosti@thraml.com
boatbits@yandex.com
isellbtc@yandex.com
isellbtc1234567@gmail.com

Investigating IP space, name servers and Whois indicators sheds light on how frequently criminal actors recycle their infrastructures and resources, and makes evident just how heavily they rely on bulletproof offshore hosting providers to deliver their malware and phishing campaigns.

As we can see, not only are Bitcoin wallets being targeted, but other services that accept Bitcoins become targets as well. Domain blokchain-wallet[.]info is impersonating the page of Nowell Associates Limited, a company specializing in tax returns and cloud accountancy that’s among the first accounting firms in England to accept Bitcoin and Litecoin as payment for accountancy, taxation, IT and data security services.

Here we can see attackers spoofing another bitcoin management company, localbitcoin[.]com, on that same IP address:

Bitcoin addresses are Base58Check-encoded, so they exclude potentially confusing characters such as 0 (number zero), O (capital o), l (lower-case L), I (capital i), and the symbols ‘+’ and ‘/’, which forces cybercriminals to come up with new schemas for typosquatting and phishing domains. From these examples, it’s clear the attackers have a solid understanding of the protection mechanisms used by Bitcoin addresses and are trying to defeat them.
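The Base58Check protection mentioned above, as an added example (not code from the original post): encoding appends a 4-byte double-SHA-256 checksum, so a wallet can reject a pasted address that contains a look-alike character or that was altered by even one character. The sample address is built from a made-up 20-byte hash, not a real one.

```python
import hashlib
from typing import Optional

# Base58 alphabet: no 0, O, I, l and no '+' or '/'
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload: bytes) -> str:
    """Append the 4-byte double-SHA-256 checksum and encode in Base58."""
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    leading = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 byte is kept as a '1'
    return "1" * leading + digits

def b58check_decode(addr: str) -> Optional[bytes]:
    """Return version byte + hash, or None if the string is not valid Base58Check."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None                      # character outside the alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) < 5 or sha256d(raw[:-4])[:4] != raw[-4:]:
        return None                          # too short, or checksum mismatch
    return raw[:-4]

def check_address(addr: str) -> str:
    """What a wallet UI should do with a pasted address before sending to it."""
    if any(ch not in ALPHABET for ch in addr):
        return "rejected: character outside Base58 alphabet"
    return "valid" if b58check_decode(addr) is not None else "rejected: checksum mismatch"

# Constructed example: version byte 0x00 (mainnet P2PKH) + a made-up 20-byte hash
SAMPLE_PAYLOAD = b"\x00" + bytes(range(20))
SAMPLE_ADDRESS = b58check_encode(SAMPLE_PAYLOAD)
```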

Very Recent Activity

Additionally, our NLPRank model detected a large amount of new phishing activity this past weekend, all with high probability scores, hosted on 91.218.247.37 (listed as FQDN, probability score, timestamp):

One can see that there are also many other Bitcoin spoofing sites on this IP, proof that attacking these online wallets for credentials is picking up steam, especially with the price of Bitcoin going up recently. Furthermore, the range 91.218.247.0/24 is hosting more suspicious and toxic content such as fake merchandise and phishing, so we proactively blocked it.
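A simple lookalike-domain check over DNS query logs, as an added example (not NLPRank and not code from the original post): it splits the second-level label on hyphens and digits, flags exact brand tokens with affixes (login4-blockchain, blockchain-wallet) and tokens within edit distance 1 of the brand (blolkchain, blocklchain, blokchain), and allowlists the genuine domain. The log lines are constructed, and treating the last two labels as the registrable domain is a simplification.

```python
import re
from typing import List, Optional, Tuple

BRAND = "blockchain"              # the wallet brand being spoofed
ALLOWLIST = {"blockchain.info"}   # the legitimate registrable domain

def levenshtein(a: str, b: str) -> int:
    """Edit distance; blolkchain, blocklchain and blokchain are all 1 from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(fqdn: str) -> Optional[str]:
    """Verdict for one queried name, or None when it is unrelated to the brand.
    Assumption for brevity: the registrable domain is the last two labels."""
    labels = fqdn.lower().replace("[.]", ".").rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in ALLOWLIST:
        return None
    sld = labels[-2]
    # split on hyphens and digits: "login4-blockchain" -> ["login", "blockchain"]
    for token in filter(None, re.split(r"[-\d]+", sld)):
        if token == BRAND:
            return "brand-plus-affix" if sld != BRAND else "brand-on-other-tld"
        if len(token) >= len(BRAND) - 1 and levenshtein(token, BRAND) <= 1:
            return "typosquat"
    return None

# Constructed DNS query log (not real telemetry): "<timestamp> <client> <qname>"
SAMPLE_LOG = """\
2016-06-19 03:54:05 10.0.0.5 login4-blockchain.info
2016-06-19 06:29:40 10.0.0.9 blockchain-login3.info
2016-06-13 11:02:17 10.0.0.7 blolkchain.com
2016-06-05 09:45:01 10.0.0.2 blocklchain.info
2016-06-09 14:20:33 10.0.0.3 blockchain-wallet.top
2016-06-19 08:00:00 10.0.0.4 blockchain.info
2016-06-19 08:00:01 10.0.0.4 www.astrahomepugs.com
"""
def scan(log: str) -> List[Tuple[str, str]]:
    """(qname, verdict) for every flagged query in the log."""
    hits = []
    for line in log.splitlines():
        verdict = classify(line.split()[-1])
        if verdict:
            hits.append((line.split()[-1], verdict))
    return hits
```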

Takeaways

Our findings show that this is a new campaign, since most of these domains were registered on May 26, 2016, with new domains surfacing in our logs almost every day. As cryptocurrency technologies gain momentum, so too will a new set of security problems, so it’s imperative these online wallet companies deploy proper security methods to protect against this new wave of targeted phishing and typosquatting attacks. We will keep monitoring our DNS traffic for phishing pages intended to steal online wallets’ credentials, and continue to share our results here in the blog.

Finally, rogue and bulletproof hosting providers continue to provide a safe haven for these malware and phishing campaigns. Our objective at OpenDNS is to track and predictively block malicious content via DNS traffic analysis and proactive monitoring of various indicators such as IP space, Whois, and SSL certs. We will discuss in detail recent developments around malware hosting and bulletproof infrastructures at Black Hat USA 2016 this coming August [12][13].

References

[1] http://ipduh.com/pdb/as/?29073

[2] https://what.thedailywtf.com/topic/16543/abuse-hah-we-don-t-care-what-our-customers-get-up-to

[3] https://www.mywot.com/en/scorecard/ecatel.net

[4] http://hphosts.blogspot.com/2009/11/crimeware-friendly-isps-ecatel-as29073.html

[5] http://hphosts.blogspot.com/2010/04/as29073-ecatel-need-more-proof-of-their.html

[6] http://dnsamplificationattacks.blogspot.com/2013/06/ecatel-big-source-of-directedatasia.html

[7] http://www.sudosecure.com/ecatels-harboring-of-spambots-and-malware-causes-bgp-peers-to-stop-peering-with-them/

[8] http://anonymousnetherlandsnews.blogspot.com/2012/08/anonymous-attacked-dutch-hosting.html

[9] https://ejanic.com/ecatel-is-rebranding-to-quasi-networks/

[10] http://bgp.he.net/AS29073

[11] http://bgpranking.circl.lu/asn_details?date=;source=;asn=29073

[12] https://labs.opendns.com/2016/05/16/black-hat-2016-fast-flux-ssl-unique-popular-bulletproof-hosting-option-cyber-criminals/

[13] https://www.blackhat.com/us-16/briefings.html#towards-a-holistic-approach-in-building-intelligence-to-fight-crimeware
