Over the past year as cryptocurrency has steadily increased well past $800, OpenDNS Labs has been diligently tracking Bitcoin wallet phishing campaigns. With this most recent uptick in price we have observed a recent rise during this holiday season in phishing domains to steal access to online wallets. This latest spike was very similar to the the wave of phishing we observed this past summer when Bitcoin price had a sharp increase. Although most of the phishing sites we detect are specifically setup for phishing purposes we are also seeing an increase in the compromise of legitimate sites in which they are modified to host Bitcoin wallet phishing along with other phishing content. In this post we will discuss our latest findings in phishing content over these past couple months and also some of the new trends we have been observing in our DNS traffic.
One of the most interesting trends we have been observing as of late is adversaries targeting Gmail accounts in order to gain access to Google Adwords and improve SEO thereby percolating these Blockchain.info phishes to the top of search results. Here are a few examples of WHOIS registrants we have detected which display this type of behavior:
Our new IP and Registrant classification system that we have developed to pivot on results from our phishing classifier using Investigate data has proven well to detect these bulletproof phishing infrastructures targeting Blockchain wallets. With this we are also able to block these infrastructures before new phishing sites are created and hosted on them.
Here’s an example of a compromised site exhibiting domain shadowing features hosting Blockchain.info phishing:
Compromised sites hosting Bitcoin wallet phishes are something we don’t normally see in the wild. It is more often the case that we see dedicated Bitcoin wallet phishing sites. This is an indicator that this is online wallet phishing is definitely here to stay.
Here is the 2ld of that domain dheekshapromoters.com, which serves as an index page for many other phishing sites:
Here is a list of a bunch of domains created by firstname.lastname@example.org spoofing Blockchain.info in November around the holidays as shopping season starts:
Domain, WHOIS Creation Date
Figure 11 shows a visualization of one of the registrants with OpenGraphiti:
The fact that our algorithms are detecting phishing campaigns as soon as they go live, and in some cases before they are even created/registered, is essential to providing the best protection for our users. However, it wouldn’t be possible to build those algorithms without a deep understanding of the initial cases that produced such campaigns. Our hypothesis’ are based on analysis of the next graphs, which include Google interest of the keyword “buy bitcoins” from Google, changes of the Bitcoin prices from Blockchain, ransomware infections and detected phishing attacks on the Bitcoin wallets from OpenDNS.
As we can see from the graphs in Figure 12, there is a strong correlation between popularity, Bitcoin price and Bitcoin phishing attacks. We also can observe that ransomware infections do not really correlate with Bitcoin price while most phishing campaigns against Bitcoin wallets actually do, meaning the more expensive Bitcoin will become the more attacks we will see.
Peaks of ransomware infections are highly dependent on delivery methods and not necessarily Bitcoin’s popularity. Ransomware is, after all, some criminal’s stable malicious business. In Figure 11 we can see that peak of the infections correlates with the appearance of the Locky in November (when it also switched to mainly being delivered via phishing), while the least amount of infections was detected in June, when the Angler Exploit Kit disappeared. So we can hypothesize that even when phishing and ransomware campaigns share same infrastructure, they have different organizations behind them, which work independently. Also that explains the fact that injecting malicious Adword ads is the main delivery method of such phishing campaigns.
Let’s try to reproduce actions of an average PC user in case of ransomware infection:
Edward visits some website, his browser gets exploited via malicious ad, and 2 minutes later he sees this type of message on his screen (depends on ransomware family):
So when Edward follows the URL he gets instructions to buy bitcoins with the list of places where he can do this. But just how much should he trust someone who just encrypted all of his data in exchange for ransom? That would be the perfect place for malicious actor to not only extort the ransom money, but also the user’s credentials. However, we haven’t seen any of phishing domains listed there from observed ransomware samples. So, if Edward searches on Google to find out how to buy bitcoins, only then does forged Adword accounts come in play. Edward gets served the phishing domain from Adwords, enters his credentials, buys bitcoins and pays the ransom. Everything seems fine but by now not only he lost money due to the ransom, but most of his personal information is compromised. Stolen credentials are a lot cheaper than most ransom, so ransomware authors would not try to steal credentials, but rather get paid.
It looks like these cryptocurrency technologies will continue to gain momentum into 2017, and with that so will criminal activity. OpenDNS Labs will continue to monitor these trends in our DNS traffic for phishing pages intended to steal online wallets’ credentials, and continue to share our results.