Bitcoin Phishing: The Next Wave

By Artsiom Holub
Posted on September 15, 2016
Updated on July 24, 2020

Bitcoin Phishing Not Losing Momentum

In June, we examined a new wave of Bitcoin wallet phishing against a backdrop of pre-Brexit anxiety and Bitcoin’s price skyrocketing past $775. A lot has happened since then: the UK voted to leave the EU, some big Bitcoin wallets were hacked, and the price of Bitcoin plunged (though it is now rebounding). Throughout it all, attackers have consistently tried to phish users to gain access to Bitcoin wallets.
This post outlines a detailed investigation into this phishing trend, which began with reports of a phishing campaign targeting Bitfinex customers after the company was breached. At the same time, our ML-based model, NLPRank, picked up this phishing campaign after we enhanced it to detect Bitcoin wallet phishes. After factoring in the delivery mechanisms of the campaign we covered in the previous post, we also expanded our search to Google AdWords.
By expanding the technical intelligence gained from Bitcoin phishing detection through hosting IPs, registrant emails, SSL certificates, and OSINT hunting, we show how we cast a wider net over a variety of active cybercrime content: mainly phishing against other brands and credit card dump shops.

Investigation main steps

  1. On August 2nd, Bitfinex suffered a breach that caused them $70 million in losses. Because we know malicious actors traditionally seek to exploit such events, and therefore fine-tune our antennae in their wake, we picked up a phishing campaign around August 5th in which presumed Bitfinex customers received emails inviting them to update their credentials. The URL in the emails pointed, however, to a phishing page impersonating Bitfinex: ibitfinex[.]com. We observed a spike in DNS traffic to ibitfinex[.]com on August 5th.
  2. ibitfinex[.]com is hosted on 188.40.248.80. This IP also hosts other phishing pages and various toxic content, including bitmixer-io[.]com, a phishing domain against bitmixer.io, which is a legitimate Bitcoin mixing website (we won’t argue whether Bitcoin mixing itself is legit or not). 188.40.248.80 belongs to a small range, 188.40.248.64/27, under Hetzner AS24940. 188.40.248.64/27 is specifically assigned to a suspicious Romanian hosting provider, thcservers.com, that we’ve previously observed hosting exploit kits and malware.

    thcservers.com’s main web site
  3. 188.40.248.80 is serving an SSL cert (sha1: 0f5876c1779b135eca5a6f300a40fc46a9ae1893) where the CN (Common Name) is loyals[.]in. At the time of this writing, loyals[.]in was live and hiding behind reverse proxy services with the actual content delivered from 188.40.248.80. loyals[.]in redirected to the mirror site sh0ping[.]net, a marketplace where various actors sell stolen credit cards plus other accounts and credentials. sh0ping[.]net as well as a mirror site sh0ping[.]su are hosted on 186.2.167.154. sh0ping[.]su has in the past hidden behind reverse proxy services. 186.2.167.154 belongs to AS262254, DANCOM LTD, an ASN that is part of the DDOS-GUARD bulletproof hosting structure. DANCOM has its business registered offshore in Belize and has one upstream peer AS57724, DDOS-GUARD. We’ve tracked DANCOM for a while and have seen it being frequently involved in hosting rogue content such as stolen credit card dump shops, shady financial services, crypto-currency exchangers, Bitcoin mining services, forex trading sites, etc. 186.2.167.154 also hosts sh0[.]pw, which used to be a mirror site of sh0ping[.]net, then morphed to become a Perfect Money to Bitcoin exchange site. 186.2.167.154 serves a valid SSL cert (sha1: 7674db9f93f6f1dee8259d2b0b5e3fbffffa2dfd) created through Comodo CA on August 29th, 2016 and where the CN is sh0ping[.]su.
    sh0ping.su’s main web site
    sh0.pw offers a Perfect Money to Bitcoin exchange service

    Offerings on DANCOM/DDOS-GUARD’s public web site
  4. From our previous investigations, we’ve seen that Bitcoin phishing campaigns are also delivered via legitimate Google AdWords and Yandex ads redirecting to Bitcoin phishing pages. We searched for “buying Bitcoin” on Google around August 18th and picked out a few phishing sites in the returned results. One example is blockchln[.]info, resolving to 143.95.239.55, which hosts a large number of other phishing sites targeting PayPal and Bitcoin wallets, Bitcoin mixers, and sites selling fake European Union, Ukrainian, and Russian passports.
  5. By exploring the co-occurrences of sh0ping[.]su, we find more crimeware forums and stolen credit card dump shops: altenen[.]com, bestvalid[.]org, ccv[.]name, cvv2[.]sale, dexter24[.]ru, dumpsmania[.]net, fatality[.]in, getcc[.]me, getcc[.]su, jallo[.]su, and pos[.]cat.

Through this investigation, we found more than 280 Bitcoin phishing domains, so it is clear here that your Bitcoins are under attack. Additionally, criminals are using different methods and tricks to stay under the radar, such as using reverse proxy services to hide the IPs serving the illegal content.
With this investigation, we took some measures to increase the detection rate of NLPRank, which runs on Avalanche. Avalanche is the data processing system we built to consume our authoritative DNS logs and power several detection models. Like any machine learning system, we constantly have to retrain the models with fresh data and teach the machine to detect the latest types of attacks. For that, we added new Bitcoin wallet pages to NLPRank’s training set, and the net result was faster and more accurate detection.
Here are some of the latest results detected by NLPRank, spoofing a variety of wallets:
Some of our latest hits spoofing blockchain.info:
Domain: blokchain[.]me
Timestamp: 2016-08-20 12:06:59.602000
Score: 0.998563706875

Domain: htp-blockchain[.]online
Timestamp: 2016-08-06 03:58:48.751000
Score: 0.99872893095
Here is a domain spoofing localbitcoins.com:

Domain: localbitcoins[.]co[.]nf
Timestamp: 2016-09-06 12:45:15.733000
Score: 0.954419493675
Here are some other domains we found spoofing localbitcoins.com:

oocalbitcoins[.]com
kocalbitcoins[.]com
llocalbitcoins[.]com


Looking at the hosting IP address, it is apparent that other phishing domains and malicious activity are present on it.


Additionally, we have noticed that these Bitcoin wallet companies are starting to take better preventive measures to protect their brands from being spoofed; one example is the online wallet company Coinbase registering a number of domains that would typically be used for typosquatting.
Even with this protection in place, however, criminals are still able to register phishing domains; OpenDNS was able to detect these new Coinbase phishes:
Domain: lcoinbase[.]com
Timestamp: 2016-08-01T01:44:05.296Z
Score: 0.9941726922988892

Other domains associated with the same registrant email address are also trying to phish other wallets, such as Bitfinex:
bitfinrx[.]com
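As an added illustration (not NLPRank’s code, which is an ML model trained on DNS data), the heuristic below scores a domain’s labels against a handful of wallet brands the way a defender might triage typosquats. It catches the three patterns seen in this post: near-miss spellings (blokchain, oocalbitcoins, bitfinrx), a brand padded with extra characters (ibitfinex, htp-blockchain, lcoinbase), and the brand placed on someone else’s registrable domain (localbitcoins[.]co[.]nf). The brand-to-hostname map, the 0.75 threshold and the sample list are constructed for this example.

```python
from typing import Dict, Tuple

# Brands impersonated by the phishing domains in this post, with their real hostnames.
LEGIT = {"blockchain": "blockchain.info", "localbitcoins": "localbitcoins.com",
         "coinbase": "coinbase.com", "bitfinex": "bitfinex.com", "bitmixer": "bitmixer.io"}

def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def brand_score(domain: str) -> Tuple[float, str]:
    """Return (spoof score in [0, 1], matched brand); 0.0 for the brand's own hostnames."""
    host = domain.lower().replace("[.]", ".").strip(".")  # refang the [.] notation
    if any(host == h or host.endswith("." + h) for h in LEGIT.values()):
        return 0.0, ""
    best = (0.0, "")
    for label in host.split("."):
        if len(label) <= 3:  # skip TLD-like pieces such as com, co, nf, me
            continue
        for brand in LEGIT:
            if brand in label:
                # Brand intact but padded (ibitfinex, lcoinbase) or on a foreign domain (extra == 0).
                extra = len(label) - len(brand)
                score = 1.0 - extra / (2 * len(label))
            else:  # near-miss spelling: blokchain, oocalbitcoins, bitfinrx, blockchln
                dist = osa_distance(label, brand)
                score = 1.0 - dist / max(len(label), len(brand))
            if score > best[0]:
                best = (score, brand)
    return best

def flag_spoofs(domains, threshold: float = 0.75) -> Dict[str, Tuple[float, str]]:
    """Domains scoring at or above the threshold, queued for analyst review."""
    return {d: s for d, s in ((d, brand_score(d)) for d in domains) if s[0] >= threshold}

# Constructed sample: the spoofs named in this post plus benign controls.
SAMPLE = ["blokchain[.]me", "htp-blockchain[.]online", "localbitcoins[.]co[.]nf",
          "oocalbitcoins[.]com", "llocalbitcoins[.]com", "lcoinbase[.]com", "bitfinrx[.]com",
          "ibitfinex[.]com", "blockchln[.]info", "blockchain.info", "www.localbitcoins.com",
          "bitcoin.org", "example.com"]
```

Scores are only a triage signal: a hit like blockchln[.]info lands near the threshold, so the DNS-traffic, hosting and registrant pivots described above are what confirm it.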
IOC
Malicious registrants:
blockchains@info.com
josephallann@mail.com
buckley@email.com
c.king@mail.com
marke9dkemfet@gmail.com
With a combination of unsupervised machine learning techniques and threat hunting, OpenDNS remains at the forefront of detecting these types of phishing attacks and protecting these online crypto-currency wallets.

Conclusion

This investigation was a combination of algorithm-based detection and threat intelligence analyst research, which shows once more the importance of multi-pronged approaches for efficient preventive security. In our research work, we value equally both human domain expertise and up-to-date ML-based detection models.
