Bitcoin Phishing: The Next Wave

Artsiom Holub, updated July 24, 2020

Bitcoin Phishing Not Losing Momentum

In June, we examined a new wave of Bitcoin wallet phishing against a backdrop of pre-Brexit anxiety and Bitcoin’s price skyrocketing past $775. A lot has happened since then: the UK voted to leave the EU, some big Bitcoin wallets were hacked, and the price of Bitcoin plunged (though it is now rebounding). Throughout it all, attackers have consistently tried to phish users to gain access to their Bitcoin wallets.
This post outlines a detailed investigation into this phishing trend. It began with reports of a phishing campaign targeting Bitfinex customers after the company was breached. At the same time, our ML-based model, NLPRank, picked up the campaign after we enhanced it to detect Bitcoin wallet phishes. Factoring in the delivery mechanisms covered in the previous post, we also expanded our search to Google AdWords.
Pivoting from the Bitcoin phishing detections through hosting IPs, registrant emails, SSL certificates, and OSINT hunting, we show how we cast a wider net over a variety of active cybercrime content: mainly phishing against other brands and stolen credit card dump shops.

Investigation main steps

  1. On August 2nd, Bitfinex suffered a breach that cost it about $70 million. Because malicious actors traditionally seek to exploit such events, we fine-tune our antennae in their wake, and around August 5th we picked up a phishing campaign in which presumed Bitfinex customers received emails inviting them to update their credentials. The URL in the emails, however, led to a phishing page impersonating Bitfinex: ibitfinex[.]com. We observed a spike of DNS traffic to ibitfinex[.]com on August 5th.
  2. ibitfinex[.]com is hosted on 188.40.248.80. This IP hosts other phishing and various toxic content, as well as bitmixer-io[.]com, a phishing domain against bitmixer.io, a legitimate Bitcoin mixing website (we won’t argue whether Bitcoin mixing itself is legitimate or not). 188.40.248.80 belongs to the small range 188.40.248.64/27 under Hetzner, AS24940. 188.40.248.64/27 is specifically assigned to a suspicious Romanian hosting provider, thcservers.com, which we have previously observed hosting exploit kits and malware.

    [Screenshot: thcservers.com’s main web site]
  3. 188.40.248.80 serves an SSL cert (SHA-1: 0f5876c1779b135eca5a6f300a40fc46a9ae1893) whose CN (Common Name) is loyals[.]in. At the time of this writing, loyals[.]in was live and hiding behind reverse proxy services, with the actual content delivered from 188.40.248.80. loyals[.]in redirected to the mirror site sh0ping[.]net, a marketplace where various actors sell stolen credit cards plus other accounts and credentials. sh0ping[.]net, as well as its mirror site sh0ping[.]su, is hosted on 186.2.167.154. sh0ping[.]su has in the past hidden behind reverse proxy services. 186.2.167.154 belongs to AS262254, DANCOM LTD, an ASN that is part of the DDOS-GUARD bulletproof hosting structure. DANCOM has its business registered offshore in Belize and has a single upstream peer, AS57724, DDOS-GUARD. We’ve tracked DANCOM for a while and have frequently seen it hosting rogue content such as stolen credit card dump shops, shady financial services, crypto-currency exchangers, Bitcoin mining services, forex trading sites, etc. 186.2.167.154 also hosts sh0[.]pw, which used to be a mirror of sh0ping[.]net and then morphed into a Perfect Money to Bitcoin exchange site. 186.2.167.154 serves a valid SSL cert (SHA-1: 7674db9f93f6f1dee8259d2b0b5e3fbffffa2dfd) issued by Comodo CA on August 29th, 2016, with CN sh0ping[.]su.
    [Screenshot: sh0ping.su’s main web site]
    [Screenshot: sh0.pw offers a Perfect Money to Bitcoin exchange service]

    [Screenshot: offerings on DANCOM/DDOS-GUARD’s public web site]
  4. From our previous investigations, we’ve seen that Bitcoin phishing campaigns are also delivered via legitimate Google AdWords and Yandex ads redirecting to Bitcoin phishing pages. We searched for “buying Bitcoin” on Google around August 18th and picked out a few phishing sites from the returned results. One example is blockchln[.]info, resolving to 143.95.239.55, which hosts a large number of other phishing sites targeting PayPal and Bitcoin wallets, Bitcoin mixers, and sites selling fake European Union, Ukrainian, and Russian passports.
  5. By exploring the co-occurrences of sh0ping[.]su we find more crimeware forums and stolen credit card dump shops: altenen[.]com, bestvalid[.]org, ccv[.]name, cvv2[.]sale, dexter24[.]ru, dumpsmania[.]net, fatality[.]in, getcc[.]me, getcc[.]su, jallo[.]su, and pos[.]cat.
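The pivoting in steps 1 to 5 (phishing domain to hosting IP, IP to co-hosted domains and to the CN of the certificate it serves, CN and redirect target to the next host, host to ASN) can be automated. The script below is an added example, not OpenDNS tooling: it runs a breadth-first pivot over passive-DNS, certificate and redirect observations. The sample records are constructed from the facts stated in the steps above; the reverse-proxy address 203.0.113.10, its ASN and the unrelated tenant behind it are assumptions. The check a practitioner needs is the one at the IP stage: known reverse-proxy edges and high-fanout IPs are recorded but never expanded, so a shared front end cannot drag every co-located tenant into the cluster.

```python
"""Infrastructure pivot over passive-DNS, certificate and redirect observations.

Added example (not code from the original OpenDNS/Umbrella post). The sample
records are constructed from the facts in the investigation steps; the
reverse-proxy edge 203.0.113.10 (TEST-NET-3), its ASN and the unrelated
tenant behind it are assumptions.
"""
from collections import deque

PDNS = [  # constructed: (domain, A record)
    ("ibitfinex.com", "188.40.248.80"),
    ("bitmixer-io.com", "188.40.248.80"),
    ("loyals.in", "203.0.113.10"),                  # fronted by a reverse proxy
    ("sh0ping.net", "186.2.167.154"),
    ("sh0ping.su", "186.2.167.154"),
    ("sh0.pw", "186.2.167.154"),
    ("unrelated-tenant.example", "203.0.113.10"),   # same proxy, not part of the cluster
]
CERTS = [  # constructed: (serving IP, SHA-1 fingerprint, certificate CN)
    ("188.40.248.80", "0f5876c1779b135eca5a6f300a40fc46a9ae1893", "loyals.in"),
    ("186.2.167.154", "7674db9f93f6f1dee8259d2b0b5e3fbffffa2dfd", "sh0ping.su"),
]
REDIRECTS = [("loyals.in", "sh0ping.net")]   # constructed: observed HTTP redirects (from, to)
ASN = {
    "188.40.248.80": "AS24940 HETZNER",
    "186.2.167.154": "AS262254 DANCOM",
    "203.0.113.10": "AS64496 (assumed reverse-proxy edge)",
}
SHARED_IPS = {"203.0.113.10"}   # known reverse-proxy/CDN edges: never expand these
MAX_FANOUT = 25                 # an IP hosting more domains than this is treated as shared hosting


def build_index(pdns, certs, redirects):
    """Turn the flat observation lists into forward and reverse lookup tables."""
    dom2ip, ip2dom, ip2cn, cn2ip, redir = {}, {}, {}, {}, {}
    for d, ip in pdns:
        dom2ip.setdefault(d, set()).add(ip)
        ip2dom.setdefault(ip, set()).add(d)
    for ip, _fp, cn in certs:
        ip2cn.setdefault(ip, set()).add(cn)
        cn2ip.setdefault(cn, set()).add(ip)
    for src, dst in redirects:
        redir.setdefault(src, set()).add(dst)
    return dom2ip, ip2dom, ip2cn, cn2ip, redir


def pivot(seed, pdns=PDNS, certs=CERTS, redirects=REDIRECTS,
          shared=SHARED_IPS, max_fanout=MAX_FANOUT):
    """Breadth-first pivot from one seed domain.

    domain -> IPs it resolves to, IPs serving a cert with that CN, redirect targets
    IP     -> domains resolving to it, CNs of the certs it serves
    Shared or high-fanout IPs are reported in 'skipped' but not expanded.
    """
    dom2ip, ip2dom, ip2cn, cn2ip, redir = build_index(pdns, certs, redirects)
    domains, infra_ips, skipped_ips, edges = set(), set(), set(), []
    queue = deque([("domain", seed)])
    while queue:
        kind, node = queue.popleft()
        if kind == "domain":
            if node in domains:
                continue
            domains.add(node)
            for ip in dom2ip.get(node, set()) | cn2ip.get(node, set()):
                edges.append((node, ip))
                queue.append(("ip", ip))
            for dst in redir.get(node, set()):
                edges.append((node, dst))
                queue.append(("domain", dst))
        else:
            if node in infra_ips or node in skipped_ips:
                continue
            if node in shared or len(ip2dom.get(node, set())) > max_fanout:
                skipped_ips.add(node)      # record, but do not pull in its tenants
                continue
            infra_ips.add(node)
            for d in ip2dom.get(node, set()) | ip2cn.get(node, set()):
                edges.append((node, d))
                queue.append(("domain", d))
    by_asn = {}
    for ip in infra_ips:
        by_asn.setdefault(ASN.get(ip, "unknown"), set()).add(ip)
    return {"domains": domains, "ips": infra_ips, "skipped": skipped_ips,
            "by_asn": by_asn, "edges": edges}


if __name__ == "__main__":
    cluster = pivot("ibitfinex.com")
    print("cluster domains:", sorted(cluster["domains"]))
    print("hosting IPs by ASN:", cluster["by_asn"])
    print("not expanded:", sorted(cluster["skipped"]))
```

In practice the three observation lists are replaced by passive-DNS and certificate-transparency queries, and the proxy ranges a target is known to front through go into SHARED_IPS before the pivot starts, since the post notes that both loyals[.]in and sh0ping[.]su hid behind such services at various times. The fanout cap is the second guard: a Hetzner or DDoS-Guard address with hundreds of tenants is shared hosting, and co-location alone on such an IP is a weak link that should prompt a manual look rather than automatic expansion.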

Through this investigation we found more than 280 Bitcoin phishing domains, so it is clear that Bitcoin holders are under attack. Criminals are also using different methods and tricks to stay under the radar, such as reverse proxy services that hide the IPs serving the illegal content.
With this investigation, we took measures to increase the detection rate of NLPRank, which runs on Avalanche, the data processing system we built to consume our authoritative DNS logs and power several detection models. As with any machine learning system, we constantly have to retrain the models with fresh data and teach them to detect the latest types of attack. For that, we added new Bitcoin wallet pages to NLPRank’s training set, and the net result was faster and more accurate detection.
Here are some of the latest results detected by NLPRank spoofing a variety of wallets.

Some of our latest hits spoofing blockchain.info:

Domain: blokchain[.]me
Timestamp: 2016-08-20 12:06:59.602000
Score: 0.998563706875

Domain: htp-blockchain[.]online
Timestamp: 2016-08-06 03:58:48.751000
Score: 0.99872893095

Here is a domain spoofing localbitcoins.com:

Domain: localbitcoins[.]co[.]nf
Timestamp: 2016-09-06 12:45:15.733000
Score: 0.954419493675

Here are some other domains we found spoofing localbitcoins.com:

oocalbitcoins[.]com
kocalbitcoins[.]com
llocalbitcoins[.]com

[Screenshot, 2016-09-06]

When looking at the IP address these domains resolve to, it is apparent that other phishing domains and malicious activity are hosted on it:

[Screenshot, 2016-09-07]

Additionally, we have noticed that these Bitcoin wallet companies are starting to take better preventive measures to protect their brands from being spoofed; here is an example of the online wallet company Coinbase registering a batch of domains that would typically be used for typosquatting:

[Screenshot, 2016-09-07: domains registered by Coinbase]

However, even with this protection in place, criminals are still able to register phishing domains. OpenDNS detected these new Coinbase phishes:

Domain: lcoinbase[.]com
Timestamp: 2016-08-01T01:44:05.296Z
Score: 0.9941726922988892

[Screenshot, 2016-08-26: registrant record for lcoinbase[.]com]

There are other domains associated with this registrant email address that are also phishing other wallets, such as Bitfinex:
bitfinrx[.]com
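NLPRank’s scores above come from an ML model trained on DNS logs and phishing-page content, which the post does not detail. As a simpler added example (not OpenDNS’s code), the scorer below captures the lexical part of the problem for the domains listed in this post and for the Coinbase typosquats discussed above: a brand label reused verbatim under another TLD or behind a prefix (htp-blockchain[.]online, localbitcoins[.]co[.]nf), one keyboard-adjacent substitution (oocalbitcoins, kocalbitcoins, bitfinrx), and a single omission or insertion (blokchain, llocalbitcoins, lcoinbase, ibitfinex). The brand list, the QWERTY adjacency table, the score thresholds and the prefix list are assumptions. The second function generates the permutations a brand owner would register pre-emptively, as Coinbase did.

```python
"""Lexical spoof scoring and typosquat generation for wallet brands.

Added example, not OpenDNS's NLPRank. Brand list, adjacency table, prefix list
and score thresholds are assumptions chosen to cover the domains in the post.
"""
import re

BRANDS = ["blockchain.info", "localbitcoins.com", "coinbase.com", "bitfinex.com"]

# QWERTY neighbours used to recognise fat-finger substitutions (constructed table).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Prefixes seen in the post (ibitfinex, lcoinbase, htp-blockchain) plus a few common ones.
PREFIXES = ["i", "l", "htp-", "http-", "www-", "my"]


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_adjacent_key_typo(a, b):
    """True if a and b differ in exactly one position and the two keys are neighbours."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and diffs[0][1] in ADJACENT.get(diffs[0][0], "")


def score_domain(domain, brands=BRANDS):
    """Score a hostname against the protected brands; returns (score, brand, reason).

    1.0  brand label reused verbatim under another TLD or with a prefix/suffix
    0.95 one keyboard-adjacent substitution
    0.9  any other single edit (omission, insertion, transposition)
    0.6  two edits on a long label
    0.0  the brand's own domain, or no resemblance
    """
    host = domain.lower().strip(".")
    if any(host == b or host.endswith("." + b) for b in brands):
        return 0.0, None, "legitimate brand domain"
    parts = [p for p in re.split(r"[.\-]", host) if len(p) >= 4]   # skip TLDs and tiny tokens
    best = (0.0, None, "no match")
    for brand in brands:
        label = brand.split(".")[0]
        if label in parts:
            cand = (1.0, brand, f"brand label embedded: {host}")
        else:
            cand = (0.0, None, "no match")
            for p in parts:
                dist = osa_distance(p, label)
                if dist == 1 and is_adjacent_key_typo(p, label):
                    c = (0.95, brand, f"adjacent-key typo of {label}: {p}")
                elif dist == 1:
                    c = (0.9, brand, f"single edit of {label}: {p}")
                elif dist == 2 and len(label) >= 8:
                    c = (0.6, brand, f"two edits from {label}: {p}")
                else:
                    continue
                cand = max(cand, c, key=lambda t: t[0])
        best = max(best, cand, key=lambda t: t[0])
    return best


def generate_typosquats(brand, prefixes=PREFIXES):
    """Candidate typosquat domains a brand owner might register pre-emptively."""
    label, tld = brand.split(".", 1)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])                 # doubled letter
        for k in ADJACENT.get(label[i], ""):
            out.add(label[:i] + k + label[i + 1:])                        # adjacent-key substitution
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for pre in prefixes:
        out.add(pre + label)                                              # prefix squat
    out.discard(label)
    return {f"{l}.{tld}" for l in out}
```

A lexical scorer on its own will flag a brand’s legitimate alternate domains (blockchain.com next to blockchain.info), so the brand owner’s registered names, including defensive registrations like Coinbase’s, belong on an allow list, and a high score is a reason to pivot on hosting and registrant data as earlier in the post, not a reason to block by itself.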
IOCs
Malicious registrants:
blockchains@info.com
josephallann@mail.com
buckley@email.com
c.king@mail.com
marke9dkemfet@gmail.com
Domains: iocs_blockchain
With a combination of unsupervised machine learning techniques and threat hunting, OpenDNS remains at the forefront of detecting these types of phishing attacks and protecting these online crypto-currency wallets.

Conclusion

This investigation was a combination of algorithm-based detection and threat intelligence analyst research, which shows once more the importance of multi-pronged approaches for efficient preventive security. In our research work, we value equally both human domain expertise and up-to-date ML-based detection models.
