Cisco and Ukrainian Cyber Police Uncover Bitcoin Scam
A team of Cisco security researchers and the Cyber Police of Ukraine has uncovered a bitcoin phishing scam that has been running for the last three years. According to the news release by Cisco's Talos cybersecurity team, a Ukrainian hacker group dubbed COINHOARDER stole around $50 million from Bitcoin holders who kept their digital assets in Blockchain.info. In brief, Blockchain.info is one of the most popular digital currency wallets. Talos was first informed about the phishing by the Cyberpolice in February 2017, after the phishing scheme targeted the blockchain.info wallet service through Google Ads that contained "gateway phishing links", generating over 200,000 client search queries.
In a blog post, Dave Maynor and Jeremiah O'Connor detailed the Coinhoarder phishing scam, which they said Cisco has been investigating for the past six months in partnership with the Ukrainian Cyberpolice. The blog said:
"The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims." The blog further elaborated: "This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals."
According to the security researchers at Cisco, the campaign was very simple: after initial setup, the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. The campaign targeted specific geographic regions such as Nigeria and Ghana, where the first language is not English and local currencies were unstable. Those behind the attack would create websites similar to Blockchain but with different domain names - "block-clain.info" and "blockchien.info" among them - that a casual user may not notice. They then "leveraged Google AdWords to poison user search results" and steal users' wallets, directing more traffic to those pages. After clicking these links, users were redirected to phishing copies of the real site Blockchain.info, which operates the Blockchain.info and Blockchain.com wallets.
Cisco, in cooperation with the Ukrainian cyber police, has been studying this "large-scale phishing campaign" for six months. Cisco traced the group's activity back to as early as 2015 and estimated that "tens of millions of dollars" in cryptocurrency had been stolen since that year. After discovering this large-scale phishing scheme, Cisco began flagging the associated domains as suspicious and used DNS requests to find and block other domains registered by the same registrant as the initial site. To protect customers from further attacks, Cisco has published a list of IP addresses associated with the phishing scam.
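The lookalike domains named above ("block-clain.info", "blockchien.info") are the kind of thing a defender can catch in DNS logs before a user ever reaches the phishing page. The following is an added example, not code from Cisco, Talos or the Ukrainian Cyberpolice: it scans constructed DNS query log lines (the `timestamp client-ip queried-name` format is an assumption), normalises a few common look-alike character substitutions, and flags any queried domain within a small edit distance of a protected wallet domain. The confusable map and the "last two labels are the registrable domain" rule are simplifications for illustration; a production deployment would use the Public Suffix List and a fuller confusables table.

```python
import re

# Domains to protect (the wallet service named in the article).
PROTECTED = ["blockchain.info", "blockchain.com"]

# Constructed sample DNS query log lines, not real traffic.
# Assumed format: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = """\
2017-02-01T10:00:01Z 10.0.0.5 blockchain.info
2017-02-01T10:00:07Z 10.0.0.9 block-clain.info
2017-02-01T10:01:12Z 10.0.0.12 blockchien.info
2017-02-01T10:01:40Z 10.0.0.3 example.org
2017-02-01T10:02:03Z 10.0.0.7 www.blockchain.info
2017-02-01T10:02:50Z 10.0.0.8 bl0ckchain.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Minimal confusable-character map (assumption): digits commonly used to
# imitate letters in typosquatted names are folded back to the letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(name):
    """Lower-case the name, drop a trailing dot, keep the last two labels.
    Assumption: two-label registrable domains; use the Public Suffix List in
    real deployments (e.g. for .co.uk style suffixes)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(name, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched_protected_domain, distance).

    verdict is 'legitimate' (exact registrable match), 'lookalike'
    (within max_distance after confusable folding) or 'unrelated'."""
    reg = registrable_domain(name)
    if reg in protected:
        return ("legitimate", reg, 0)
    # Fold confusable characters and drop hyphens so "block-clain" and
    # "bl0ckchain" compare against the brand on equal footing.
    normalized = reg.translate(CONFUSABLES).replace("-", "")
    best_domain, best_dist = None, None
    for p in protected:
        d = levenshtein(normalized, p.replace("-", ""))
        if best_dist is None or d < best_dist:
            best_domain, best_dist = p, d
    if best_dist is not None and best_dist <= max_distance:
        return ("lookalike", best_domain, best_dist)
    return ("unrelated", None, best_dist)


def scan_log(text):
    """Parse log lines and return (client_ip, queried_name, matched, distance)
    for every query that resolves to a lookalike of a protected domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, qname = m.groups()
        verdict, matched, dist = classify(qname)
        if verdict == "lookalike":
            hits.append((client, qname, matched, dist))
    return hits


if __name__ == "__main__":
    for client, qname, matched, dist in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} queried={qname} imitates={matched} distance={dist}")
```

Running the block over the constructed log reports the two domains from the article plus the digit-substituted `bl0ckchain.com`, while `www.blockchain.info` is recognised as the real site and `example.org` is ignored. The distance threshold is deliberately small: at 2 it catches single-character typos and transpositions without drowning analysts in false positives from unrelated short domains, and the alerts can feed the same kind of domain flagging and blocking the article describes.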