Attacks on wallets and AdWords correlate with Bitcoin price surge

Artsiom Holub
Updated — September 11, 2020 • 4 minute read

Over the past year, as the price of Bitcoin has steadily climbed well past $800, OpenDNS Labs has been diligently tracking Bitcoin wallet phishing campaigns. With this most recent uptick in price, we have observed a rise during the holiday season in phishing domains built to steal access to online wallets. This latest spike closely resembles the wave of phishing we observed this past summer, when the Bitcoin price also increased sharply. Although most of the phishing sites we detect are set up specifically for phishing, we are also seeing more compromised legitimate sites being modified to host Bitcoin wallet phishing alongside other phishing content. In this post we discuss our latest findings on phishing content over the past couple of months, as well as some new trends we have been observing in our DNS traffic.

New trends in cyber attacks

One of the most interesting trends we have observed recently is adversaries targeting Gmail accounts in order to gain access to Google AdWords accounts and buy ads, thereby pushing these Blockchain.info phishing pages to the top of search results. Here are a few examples of WHOIS registrants we have detected that display this type of behavior:

Figures 1–5: Examples of suspicious WHOIS registrants (screenshots).

Our new IP and registrant classification system, developed to pivot on results from our phishing classifier using Investigate data, has proven effective at detecting the bulletproof phishing infrastructure that targets Blockchain wallets. It also lets us block that infrastructure before new phishing sites are created and hosted on it.

Figure 6: Blocking phishing infrastructure before new phishing sites are created and hosted on it.

Here is an example of a compromised site exhibiting domain shadowing (a phishing hostname created as a subdomain of a legitimate domain whose DNS the attacker controls) and hosting Blockchain.info phishing:

blockchain.info-login-verification-portal-sign-in[.]blockchain[.]info[.]update-com-blockchainupdate-login-attempt-come[.]dheekshapromoters[.]com

Compromised sites hosting Bitcoin wallet phishes are something we do not normally see in the wild; it is far more common to see dedicated Bitcoin wallet phishing sites. This is an indicator that online wallet phishing is definitely here to stay.

Here is the 2LD (second-level domain) of that hostname, dheekshapromoters.com, which serves as an index page for many other phishing sites:

Figures 7–10: Screenshots of dheekshapromoters.com, which serves as an index page for many other phishing sites.

Here is a list of domains created by meiravash@hotmail.com spoofing Blockchain.info in November, around the holidays as the shopping season starts:

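
Two of the patterns described in this post, typosquatted Blockchain.info lookalikes on the registered domain and domain-shadowing hostnames that embed the brand under an unrelated 2LD, can be flagged from a hostname alone. The following is an added example, not OpenDNS or Umbrella code; the hostnames in it are constructed, and it assumes single-label TLDs such as .info and .com (a public-suffix list would be needed for the general case).

```python
"""Flag Blockchain.info wallet-phishing hostnames seen in DNS logs.

Added example (not OpenDNS/Umbrella code). Sample hostnames are constructed.
Two checks: a typosquat score on the registered domain's label, and a
domain-shadowing check for the brand appearing only in the subdomain part.
"""
from difflib import SequenceMatcher

BRAND = "blockchain"            # label of the legitimate site
BRAND_DOMAIN = "blockchain.info"


def registered_domain(host: str) -> str:
    """Return the 2LD (last two labels). Assumes single-label TLDs like
    .info/.com; .co.uk-style suffixes need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def typosquat_score(host: str) -> float:
    """Similarity (0..1) between the 2LD's first label and the brand label."""
    label = registered_domain(host).split(".")[0]
    return SequenceMatcher(None, label, BRAND).ratio()


def is_shadowing(host: str) -> bool:
    """True when the brand appears as a token in the subdomain part but the
    registered domain is not the brand's own domain (the compromised-site
    pattern: brand.info-login-...<unrelated-2LD>)."""
    dom = registered_domain(host)
    sub = host.lower()[: -len(dom)].rstrip(".")
    return dom != BRAND_DOMAIN and BRAND in sub.replace("-", ".").split(".")


def classify(host: str, threshold: float = 0.8) -> str:
    """Return one of: legitimate, domain-shadowing, typosquat, unrelated."""
    if registered_domain(host) == BRAND_DOMAIN:
        return "legitimate"
    if is_shadowing(host):
        return "domain-shadowing"
    if typosquat_score(host) >= threshold:
        return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    for h in ("login.blockchain.info", "blokchain.info", "blockchian.info",
              "blockchain.info-login-verification.example-promoters.com",
              "example.com"):                      # constructed samples
        print(f"{h:60} {classify(h):17} score={typosquat_score(h):.2f}")
```

Tuning note: the threshold trades recall for false positives, so a deployment would score candidates and hand the borderline ones to the registrant/IP pivots the post describes rather than blocking on the string check alone. Punycode (IDN homograph) labels are not decoded here.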

Figure 11 shows a visualization of one of the registrants with OpenGraphiti:

Figure 11: Visualization of one of the registrants with OpenGraphiti.

The fact that our algorithms detect phishing campaigns as soon as they go live, and in some cases before the domains are even created or registered, is essential to providing the best protection for our users. However, building those algorithms would not be possible without a deep understanding of the initial cases that produced such campaigns. Our hypotheses are based on analysis of the following graphs, which include Google search interest in the keyword “buy bitcoins” (from Google), changes in the Bitcoin price (from Blockchain), and ransomware infections and detected phishing attacks on Bitcoin wallets (from OpenDNS).

Figure 12: Google interest in “buy bitcoins”, Bitcoin price, ransomware infections and detected Bitcoin wallet phishing attacks over time.

As we can see from the graphs in Figure 12, there is a strong correlation between popularity, Bitcoin price and Bitcoin phishing attacks. We can also observe that ransomware infections do not really correlate with the Bitcoin price, while most phishing campaigns against Bitcoin wallets do, meaning that the more expensive Bitcoin becomes, the more attacks we will see.

Peaks in ransomware infections depend heavily on delivery methods and not necessarily on Bitcoin’s popularity. Ransomware is, after all, a stable criminal business. In Figure 11 we can see that the peak in infections coincides with the appearance of Locky in November (when it also switched to being delivered mainly via phishing), while the fewest infections were detected in June, when the Angler Exploit Kit disappeared. So we can hypothesize that even when phishing and ransomware campaigns share the same infrastructure, different organizations are behind them, working independently. That also explains why injecting malicious AdWords ads is the main delivery method for these phishing campaigns.

Let’s try to reproduce the actions of an average PC user in the case of a ransomware infection. Edward visits a website, his browser is exploited via a malicious ad, and two minutes later he sees a message like this on his screen (the exact text depends on the ransomware family):

Figure 13: Example ransom note displayed to the infected user.

When Edward follows the URL, he gets instructions to buy bitcoins along with a list of places where he can do so. But how much should he trust someone who has just encrypted all of his data and is demanding a ransom? That would be the perfect place for a malicious actor to extort not only the ransom money but also the user’s credentials. However, we have not seen any of the observed phishing domains listed in the ransom notes of the ransomware samples we examined. So, only if Edward searches on Google to find out how to buy bitcoins do the hijacked AdWords accounts come into play: Edward is served the phishing domain from an AdWords ad, enters his credentials, buys bitcoins and pays the ransom. Everything seems fine, but by now he has not only lost money to the ransom; most of his personal information is compromised as well. Stolen credentials are a lot cheaper than most ransoms, so ransomware authors do not bother stealing credentials and simply get paid instead.

Conclusion

It looks like cryptocurrency technologies will continue to gain momentum into 2017, and criminal activity will grow with them. OpenDNS Labs will continue to monitor these trends in our DNS traffic, watching for phishing pages intended to steal online wallet credentials, and will continue to share our results.
