Cisco Umbrella

Enterprise network security

Security

Rise in Bitcoin leads to more Phishing attacks

Author avatar of Artsiom HolubArtsiom Holub
• 2 minute read
View blog >

Newly Discovered Bitcoin Phishing Campaigns

Analyzing the results of the OpenDNS Natural Language Processing(NLP) rank classifier, we have recently discovered new Bitcoin wallet companies that have made their way on to the list of phishing targets. We were able to identify phishing campaigns aimed at Kraken and Paxful users.

Screenshot - Phishing domain imitating paxful.com login page
Phishing domain imitating paxful.com login page
Screenshot - Phishing domain imitating kraken.com login page
Phishing domain imitating kraken.com login page

It was nice to see fraudulent domains taken down in a timely manner and additional security mechanisms being put into play. One such mechanism used on Paxful is a fidelity warning at the login screen:

Screenshot - fidelity warning at the login screen

Ongoing campaigns

Old campaigns against blockchain.info and localbitcoins.com are experimenting with different registrars, but aren’t going anywhere:

Screenshot - Suspended domains: https–blockchain[.]lol, blockchain–login[.]org
Suspended domains: https–blockchain[.]lol, blockchain–login[.]org
blockchain-wallet1[.]info:

Screenshot - This domain is still up and running but looks broken
This domain is still up and running but looks broken
Screenshot - Active phishing domain
Active phishing domain
Screenshot - Active phishing domain
Active phishing domain

The three most recently detected domains are still alive and look to be part of an active, currently ongoing campaign. We can also see that the amount of phishing attacks against bitcoin users keeps increasing. Leveraging the power of Investigate by pivoting around detected infrastructure, we found that it is not only used to host fraudulent Bitcoin domains, but a whole range of other nefarious ones as well.
However, the most successful domains in this new campaign are block-clain[.]info and blockchalna[.]info. Both domains were registered on February 21, 2017, and went live on February 24th, getting over 200k DNS queries in a couple of hours. This is an interesting fact, since it correlates with Bitcoin reaching another maximum and the disclosure of CloudBleed.

Details for blockchaIna.info
Details for block-chain.info

Traffic delivery scheme hasn’t changed: we continue to see compromised Adword Google accounts used to host ads, which redirect users to phishing domains.

Screenshot - Malicious Ads
Malicious Ads

Visualizing actor relations

In the visualization of the domains and associated email addresses from the campaign (image below), we outline shared hosting infrastructure by multiple actors. Red-colored domains are spoofed bitcoin wallets, while the rest is a mix of banking, adwords and tax fraud websites.

3D graph - Visualization of the phishing campaign
Visualization of the phishing campaign

We also see an increasing amount of phishing and other credentials harvesting attacks(RATs, InfoStealers), which result in an increase in account-checking activity. Since cybercrime services like Sentry MBA are widely available to criminals, their ease of use paired with a wide variety of available config files makes us confident that the number of actors engaging in such attacks will keep growing, particularly among lower-level actors.
This blog is a result of a collaboration between Artsiom Holub of Cisco Umbrella research team and Jeremiah O’Connor of Cisco country digitization team.

Related Indicators

A list of BTC_phishing_IOCs [PDF] applicable to this blog post can be found here:

Suggested Blogs