Bitcoin Phishing Not Losing Momentum
In June, we examined a new wave of Bitcoin wallet phishing against a backdrop of pre-Brexit anxiety and Bitcoin’s price skyrocketing past $775. A lot has happened since then: the UK voted to leave the EU, some big Bitcoin wallets were hacked, and the price of Bitcoin plunged (though it is now rebounding). Throughout it all, attackers have consistently tried to phish users to gain access to their Bitcoin wallets.
This blog outlines a detailed investigation into this phishing trend, which began with reports of a phishing campaign targeting Bitfinex customers after the company was breached. At the same time, our ML-based model, NLPRank, picked up this phishing campaign after we enhanced it to detect Bitcoin wallet phishes. After factoring in the delivery mechanisms of the campaign we covered in the previous blog, we also expanded our search to Google AdWords.
By pivoting from the detected Bitcoin phishing domains through hosting IPs, registrant emails, SSL certificates, and OSINT hunting, we show how we cast a wider net over a variety of active cybercrime content: mainly phishing against other brands and credit card dump shops.
Investigation main steps
- On August 2nd, Bitfinex suffered a breach that cost it $70 million. Because malicious actors traditionally seek to exploit such events, we fine-tune our antennae in their wake, and around August 5th we picked up a phishing campaign in which presumed Bitfinex customers received emails inviting them to update their credentials. The URL in the emails, however, led to a phishing page impersonating Bitfinex: ibitfinex[.]com. We observed a spike of DNS traffic to ibitfinex[.]com on August 5th.
- ibitfinex[.]com is hosted on 188.40.248.80. This IP hosts other phishing pages and various toxic content, as well as bitmixer-io[.]com, a phishing domain targeting bitmixer.io, a legitimate Bitcoin mixing website (we won’t argue whether Bitcoin mixing itself is legitimate or not). 188.40.248.80 belongs to the small range 188.40.248.64/27 under Hetzner AS24940. 188.40.248.64/27 is specifically assigned to a suspicious Romanian hosting provider, thcservers.com, which we have previously observed hosting exploit kits and malware.
- 188.40.248.80 serves an SSL cert (sha1: 0f5876c1779b135eca5a6f300a40fc46a9ae1893) whose CN (Common Name) is loyals[.]in. At the time of this writing, loyals[.]in was live and hiding behind reverse proxy services, with the actual content delivered from 188.40.248.80. loyals[.]in redirected to the mirror site sh0ping[.]net, a marketplace where various actors sell stolen credit cards plus other accounts and credentials. sh0ping[.]net, as well as a mirror site sh0ping[.]su, is hosted on 186.2.167.154. sh0ping[.]su has in the past hidden behind reverse proxy services. 186.2.167.154 belongs to AS262254, DANCOM LTD, an ASN that is part of the DDOS-GUARD bulletproof hosting structure. DANCOM has its business registered offshore in Belize and has one upstream peer, AS57724, DDOS-GUARD. We have tracked DANCOM for a while and have frequently seen it hosting rogue content such as stolen credit card dump shops, shady financial services, crypto-currency exchangers, Bitcoin mining services, forex trading sites, etc. 186.2.167.154 also hosts sh0[.]pw, which used to be a mirror site of sh0ping[.]net and then morphed into a Perfect Money to Bitcoin exchange site. 186.2.167.154 serves a valid SSL cert (sha1: 7674db9f93f6f1dee8259d2b0b5e3fbffffa2dfd) issued through Comodo CA on August 29th, 2016, whose CN is sh0ping[.]su.
Figure: sh0ping.su’s main web site sh0.pw offers a Perfect Money to Bitcoin exchange service
Figure: Offerings on DANCOM/DDOS-GUARD’s public web site
- From our previous investigations, we’ve seen that Bitcoin phishing campaigns are also delivered via legitimate Google AdWords and Yandex ads redirecting to Bitcoin phishing. We searched for “buying Bitcoin” on Google around August 18th and picked out a few phishing sites in the returned results. One example is blockchln[.]info, resolving to 143.95.239.55, which hosts a large number of other phishing sites targeting PayPal and Bitcoin wallets, Bitcoin mixers, and sites selling fake European Union, Ukrainian, and Russian passports.
- By exploring the co-occurrences of sh0ping[.]su, we find more crimeware forums and stolen credit card dump shops: altenen[.]com, bestvalid[.]org, ccv[.]name, cvv2[.]sale, dexter24[.]ru, dumpsmania[.]net, fatality[.]in, getcc[.]me, getcc[.]su, jallo[.]su, and pos[.]cat.
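The pivots in the steps above (domain to hosting IP, IP to the certificate Common Name it serves, redirect to the next site, and back out to everything else on the new IP) are a graph walk, and doing it by hand is where mistakes creep in. The script below is an added example and not code from the post or from OpenDNS: it runs a breadth-first pivot over a small record set constructed from the relationships the post describes (the TEST-NET address 203.0.113.0 and the tenant-NN[.]test domains are hypothetical noise added to show the fan-out guard). In a real hunt the records would come from a passive-DNS and certificate-transparency store.

```python
"""Infrastructure pivoting over passive-DNS, TLS-certificate and redirect records.

Breadth-first walk from a seed phishing domain through the IPs it resolves to,
the certificate Common Names those IPs serve, and observed redirects. The
records below are constructed for this example from the relationships the post
describes; a real hunt would read them from a passive-DNS / CT store.
"""
import ipaddress
from collections import deque

# Constructed (subject, relation, object) records mirroring the post's pivots.
RECORDS = [
    ("ibitfinex[.]com",   "resolves_to",    "188.40.248.80"),
    ("bitmixer-io[.]com", "resolves_to",    "188.40.248.80"),
    ("188.40.248.80",     "serves_cert_cn", "loyals[.]in"),
    ("loyals[.]in",       "redirects_to",   "sh0ping[.]net"),
    ("sh0ping[.]net",     "resolves_to",    "186.2.167.154"),
    ("sh0ping[.]su",      "resolves_to",    "186.2.167.154"),
    ("sh0[.]pw",          "resolves_to",    "186.2.167.154"),
    ("186.2.167.154",     "serves_cert_cn", "sh0ping[.]su"),
    # Hypothetical reverse-proxy IP (TEST-NET-3) fronting many unrelated tenants.
    ("sh0[.]pw",          "resolves_to",    "203.0.113.0"),
]
RECORDS += [(f"tenant-{i:02d}[.]test", "resolves_to", "203.0.113.0") for i in range(1, 41)]


def is_ip(node):
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def build_graph(records):
    """Undirected adjacency; the reverse direction of a relation is tagged 'reverse:'."""
    adj = {}
    for subj, rel, obj in records:
        adj.setdefault(subj, []).append((obj, rel))
        adj.setdefault(obj, []).append((subj, "reverse:" + rel))
    return adj


def pivot(seed, records=RECORDS, max_hops=6, max_fanout=10):
    """Map every node reachable from `seed` to (hops, previous node, relation).

    An IP with more than `max_fanout` neighbours is recorded but not expanded:
    shared hosting and reverse proxies would otherwise drag in thousands of
    unrelated domains. Tune this against what you know about the IP; a dedicated
    phishing box may legitimately host dozens of bad domains.
    """
    adj = build_graph(records)
    seen = {seed: (0, None, None)}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops = seen[node][0]
        if hops >= max_hops:
            continue
        neighbours = adj.get(node, [])
        if is_ip(node) and len(neighbours) > max_fanout:
            continue
        for nxt, rel in neighbours:
            if nxt not in seen:
                seen[nxt] = (hops + 1, node, rel)
                queue.append(nxt)
    return seen


def explain(cluster, node):
    """Chain of (node, relation) pairs showing how `node` was reached from the seed."""
    chain = []
    while node is not None:
        _, via, rel = cluster[node]
        chain.append((node, rel))
        node = via
    return chain[::-1]


if __name__ == "__main__":
    cluster = pivot("ibitfinex[.]com")
    for node, (hops, _, _) in sorted(cluster.items(), key=lambda kv: kv[1][0]):
        print(f"{hops}  {node}")
    print(" -> ".join(f"{n} [{r or 'seed'}]" for n, r in explain(cluster, "sh0ping[.]su")))
```

The `explain` chain is what you keep for the write-up: every domain in the cluster carries the relation that pulled it in, so a reviewer can see that sh0ping[.]su was reached through a certificate CN and a redirect rather than through a shared IP. The `max_fanout` guard is the practical caveat: the post notes that 143.95.239.55 hosts "a large number" of phishing sites, so on a box you already believe is dedicated to crime you would raise the threshold, while on a CDN or reverse-proxy address you would never expand at all.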
Through this investigation, we found more than 280 Bitcoin phishing domains, so it is clear that your Bitcoins are under attack. Additionally, criminals use different methods and tricks to stay under the radar, such as reverse proxy services that hide the IPs serving the illegal content.
With this investigation, we took some measures to increase the detection of NLPRank, which runs on Avalanche. Avalanche is the data processing system we built to consume our authoritative DNS logs and power several detection models. Like any machine learning system, we constantly have to retrain the models with fresh data and teach the machine to detect the latest types of attacks. For that, we added new Bitcoin wallet pages to NLPRank’s training set, and the net result was faster and more accurate detection.
Here are some of the latest domains detected by NLPRank spoofing a variety of wallets:
Some of our latest hits spoofing blockchain.info:
Domain: blokchain[.]me
Timestamp: 2016-08-20 12:06:59.602000
Score: 0.998563706875
Domain: htp-blockchain[.]online
Timestamp: 2016-08-06 03:58:48.751000
Score: 0.99872893095
Here is a domain spoofing localbitcoins.com:
Domain: localbitcoins[.]co[.]nf
Timestamp: 2016-09-06 12:45:15.733000
Score: 0.954419493675
Here are some other domains we found spoofing localbitcoins.com:
oocalbitcoins[.]com
kocalbitcoins[.]com
llocalbitcoins[.]com
Looking at this IP address, it is apparent that other phishing domains and malicious activity are hosted on it:
Additionally, we have noticed that these Bitcoin wallet companies are starting to take better preventive measures to protect their brands from being spoofed; here is an example of the online wallet company Coinbase registering a batch of domains that would typically be used for typosquatting:
However, even with this protection in place, criminals still manage to register phishing domains; OpenDNS detected these new Coinbase phishes:
Domain: lcoinbase[.]com
Timestamp: 2016-08-01T01:44:05.296Z
Score: 0.9941726922988892
Other domains registered with the same email address are also trying to phish other wallets, such as Bitfinex:
bitfinrx[.]com
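The detections listed above are all small edits of a brand label (a dropped letter in blokchain, a doubled one in llocalbitcoins, the brand name under a different TLD in localbitcoins[.]co[.]nf), and the Coinbase defensive registrations are the same edits generated in advance. The script below is an added example, not OpenDNS’s NLPRank and not code from the post: it scores defanged indicators against a small assumed brand list with a Damerau-Levenshtein distance, and enumerates the single-edit neighbourhood of a brand label, which is the set a company like Coinbase registers to keep typosquats out of circulation. The brand list and the score thresholds are assumptions for the example.

```python
"""Heuristic lookalike-domain scoring for cryptocurrency-wallet brands.

An edit-distance stand-in for brand-spoof detection, not OpenDNS's NLPRank.
It also enumerates the single-edit typo neighbourhood of a brand label, which
is the set a company registers defensively to keep typosquats from attackers.
"""
import string

# Brand label -> legitimate domain (assumed list for this example).
BRANDS = {
    "blockchain": "blockchain.info",
    "localbitcoins": "localbitcoins.com",
    "coinbase": "coinbase.com",
    "bitfinex": "bitfinex.com",
    "bitmixer": "bitmixer.io",
}


def refang(domain):
    """Turn a defanged indicator such as 'blokchain[.]me' back into a hostname."""
    return domain.replace("[.]", ".").strip(".").lower()


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def tokens(host):
    """Labels below the TLD, split on hyphens: 'htp-blockchain.online' -> ['htp', 'blockchain']."""
    return [t for label in host.split(".")[:-1] for t in label.split("-") if t]


def score_domain(domain):
    """Return (score, brand, reason); 0.0 means no brand resemblance was found."""
    host = refang(domain)
    best = (0.0, None, "no brand resemblance")
    for brand, legit in BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return (0.0, brand, "legitimate brand domain")
        for tok in tokens(host):
            if tok == brand:
                cand = (1.0, brand, "brand name under another TLD or with extra labels")
            elif len(tok) >= 4:  # short tokens such as 'co' or 'io' are too noisy to compare
                dist = damerau_levenshtein(tok, brand)
                if dist == 1:
                    cand = (0.9, brand, "one edit away from the brand")
                elif dist == 2 and len(brand) >= 8:
                    cand = (0.7, brand, "two edits away from the brand")
                else:
                    continue
            else:
                continue
            if cand[0] > best[0]:
                best = cand
    return best


def typo_variants(label, alphabet=string.ascii_lowercase):
    """Every label exactly one edit from `label`: deletion, transposition, substitution, insertion."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                                   # deletion
        if i + 1 < n:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])    # transposition
        for c in alphabet:
            out.add(label[:i] + c + label[i + 1:])                           # substitution
    for i in range(n + 1):
        for c in alphabet:
            out.add(label[:i] + c + label[i:])                               # insertion
    out.discard(label)
    return sorted(out)


if __name__ == "__main__":
    # Indicators quoted from the post, plus two benign controls.
    for ioc in ["blokchain[.]me", "htp-blockchain[.]online", "localbitcoins[.]co[.]nf",
                "oocalbitcoins[.]com", "lcoinbase[.]com", "bitfinrx[.]com", "ibitfinex[.]com",
                "bitmixer-io[.]com", "blockchln[.]info", "www.coinbase.com", "example[.]org"]:
        score, brand, reason = score_domain(ioc)
        print(f"{score:.1f}  {ioc:28} {brand or '-':14} {reason}")
    print(len(typo_variants("coinbase")), "single-edit variants of 'coinbase' to consider registering")
```

Every string `typo_variants` produces is, by construction, at distance 1 from the brand, so the generator and the detector agree: whatever the brand owner did not register defensively is exactly what the distance-1 rule flags when it shows up in DNS logs. An edit-distance rule alone has no notion of page content or traffic pattern, which is what a trained model such as the post’s NLPRank adds; treat this as the triage filter that decides which new registrations are worth a closer look.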
IOC
Malicious registrants:
blockchains@info.com
josephallann@mail.com
buckley@email.com
c.king@mail.com
marke9dkemfet@gmail.com
Domains: iocs_blockchain
With a combination of unsupervised machine learning techniques and threat hunting, OpenDNS remains at the forefront of detecting these types of phishing attacks and protecting online crypto-currency wallets.
Conclusion
This investigation combined algorithm-based detection with threat intelligence analyst research, which shows once more the importance of multi-pronged approaches to efficient preventive security. In our research, we value human domain expertise and up-to-date ML-based detection models equally.