
Keeping your crypto safe as cryptocurrency phishing attacks soar

Artsiom Holub
April 27, 2021 • 4 minute read

With cryptocurrency reaching all-time highs (more than doubling since the start of the year), many people have looked to it as a form of investment. But as investors turn their attention to crypto, so do malicious actors. The market is set up for attackers to cash in.

As the prices of bitcoin (BTC) and other cryptocurrencies rise, we observe an increase in all types of attacks targeting crypto users. In contrast with common banking operations, cryptocurrency transactions are irreversible: once cryptocurrency is sent to a third party, the payment cannot be stopped or reversed. We previously covered a phishing scheme that left thousands of customers without their funds; today we want to share the changes we have observed in the cryptocurrency threat landscape over the past few months.

While phishing has become less prevalent and less successful, we still track actors targeting cryptocurrency exchanges and trading platforms.

Some attempts are obvious and easy to spot; others are more sophisticated. The phishing sites present valid TLS certificates, either obtained through hosting services such as Cloudflare or issued directly by a certificate authority, so the browser padlock on its own says nothing about whether a site is legitimate.

Wildcard SSL certificate from Cloudflare used by a phishing domain (Kraken login phish)

SSL certificate issued by a CA used by a phishing domain (Paxful phish)

How attackers target Blockchain

Malicious actors targeting Blockchain.com still use homograph attacks. These rely on internationalized domain names (IDN), the internet standard that allows domain names to contain non-ASCII characters from many scripts and lets browsers display them in their Unicode form. In the example below the real hostname is login.xn--blockchin-c3a[.]com (the xn-- prefix marks a Punycode-encoded label), but when rendered by the browser it looks relatively legitimate. The issue is worse on mobile devices, where the URL is not always displayed in full.

Malicious url used for blockchain login

These fraudulent websites are distributed through a variety of methods including email, SMS text messages, social media, and search-engine advertisements. On average, such campaigns last for three to seven days and affect 20 to 40 users daily.

Visits to malicious cryptocurrency sites

Cryptocurrency users are not the only ones in danger of their funds being stolen. Exchanges themselves can become victims of successful hacker attacks.

Uh-oh, what’s in your wallet?

With that in mind, more cryptocurrency owners are turning to cold storage or to wallets stored on their own computers. However, while you might think you have made your cryptocurrency more secure, quite the opposite can happen. Malicious actors target wallets and their owners just as often as they target trading platforms or exchanges. Malicious wallets make their way into popular app stores and are distributed online through fraudulent websites and trojanized binaries.

Here is an example of such an attack:

Malicious domain hosting trojanized wallet binaries

What makes things worse is that both the malicious binary and the legitimate one are detected as malicious by AV engines.

Malicious binary
Hash: 19388773fb5ac96ca0ea611bd10e71892c820effb0a70ee414faab03d5a2444b

Legitimate binary

Attacker-controlled server has consistent traffic, peaking at 1.5k queries

If the user installs such a wallet, all of its data, including the passphrase and private keys, is exfiltrated to a server controlled by the attacker, who then transfers any available funds. Sometimes fraudulent wallets pose as an update to an existing version; in that case the user is redirected to a web page that asks them to update or import previously generated wallets.

Malicious wallet asking for user secrets (restore and import wallet screens)

Either way, the attacker's end goal is the same: to recreate the wallet from the user's secrets and steal their funds. Other targeted hardware wallets include Ledger, Trezor and Mycelium.

Overall traffic to malicious cryptocurrency domains over the last 28 days (excluding C&C traffic)

Tips for keeping your cryptocurrency safe

Whether you're a seasoned crypto veteran or a new crypto enthusiast, you have to take extreme care when trading or storing your cryptocurrency. Here are a few key tips to keep your organization protected on every front:

  • Be wary of common identifiers of phishing domains such as typos, broken links, and unusual contact information.
  • Avoid clicking links that arrive by email, SMS, or social media.
  • Be familiar with basic security practices such as:
    • Two-factor authentication
    • What suspicious files look like
    • How to evaluate wallet apps or software

The more widely a cryptocurrency is used, the more malicious actors it will attract.

Cisco Umbrella helps protect against malicious cryptomining

According to recent research using Cisco Umbrella global cloud architecture, 69% of Cisco Umbrella customers see cryptomining traffic on a daily basis. Cisco Umbrella resolves approximately 620 billion DNS requests daily — far more than any other security vendor. By analyzing and learning from internet activity patterns, Cisco Umbrella automatically uncovers current and emerging threats. Cisco Umbrella customers can detect, block, and protect against unwanted cryptomining in their environments, at no extra charge.

IOCs:
