Complex Bitcoin Phishing Scheme Revealed - Cisco's OpenDNS Security Team

A phishing scheme that seeks to steal your Bitcoin and Blockchain wallet details could be lurking nearby, and you could easily fall for it.

Criminals have started staging phishing campaigns after discovering that Bitcoin can provide an easier way to steal, says Cisco's OpenDNS security team, which has revealed a complex phishing scheme aimed at collecting user credentials from various Bitcoin-related services.

The discovery came after the price of the digital currency rose by over 58% in the last month to reach about $775 (though it has dropped within a week), driven by several factors: the finite and constrained supply of Bitcoin, the pending reduction in its supply growth next month, the anticipated supply drop that will drive demand, and more people using and wanting Bitcoin.

AdWords campaigns drove traffic towards the phishing pages

The recent Bitcoin frenzy, the team says, drew the attention of traders, economists and bankers as well as criminals.

The team says on their website:

“Thus, we were not too surprised when on June 9 2016 OpenDNS detected with our model NLPRank a new phishing attack on the domain Blockchain[.info] wallet targeting the cloud-based Bitcoin wallet company blockchain[.]info.”

They noted that the first signs of the phishing campaign were spotted by security researchers from Cyren at the beginning of June, when a phishing campaign using the domain blocklchain[.]info as its web address began to spread via Google AdWords.

"Blockchain" or "bioklchain"?

Cyren says it detected the investment pattern of a phishing campaign (rental of botnets, purchase of exploit kits, and the acquisition of compromised site lists), with pay-per-click advertising via Google AdWords as its attack vector.

The security researchers from CYREN explain:

“The Ad showed up in response to searches for ‘Blockchain’ – a Bitcoin related term. Close analysis of the advert shows that the link is actually to bioklchain.info – but at a casual glance the link appears to lead to the legitimate ‘blockchain.info.’ Interestingly, Bitcoin addresses are Base58Check encoded so they exclude potentially confusing characters such as 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols ‘+’ and ‘/’.”

In effect, ‘bioklchain’ leads unwary victims to a fake ‘blockchain’ login page; the phishing page has only one working link, the ‘login now’ button.

Does Google know about the abuse of AdWords?

Cyren claims that Google is aware of this sort of AdWords abuse; the search giant has said it blocked 7,000 phishing sites that tried to use AdWords in 2015.

OpenDNS Labs detected blolkchain[.]com, another phish on the same IP, 89.248.171.88, on June 13 2016. They were able to uncover three anonymous offshore hosting companies using the identified websites’ IP space.
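As an added illustration (not the page's or OpenDNS's code, and a deliberate simplification rather than the NLPRank model), the following Python script flags lookalike domains against a protected brand by collapsing visually confusable characters before measuring edit distance. The three phishing domains named above are used as a constructed sample input; the protected-brand list and the distance threshold are assumptions.

```python
"""Flag typosquat / lookalike domains against a list of protected brands.

Simplified illustration: visual-confusable normalisation (l, 1 -> i; 0 -> o)
followed by Damerau-Levenshtein (optimal string alignment) edit distance.
Assumes bare second-level domains such as 'example.com' (no 'www.' prefix).
"""

PROTECTED = {"blockchain.info"}  # assumed list of brands to defend

# Characters that look alike at a casual glance, mapped to one representative.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def normalise(label: str) -> str:
    """Lower-case and collapse confusables so 'bioklchain' is close to 'blockchain'."""
    return label.lower().translate(CONFUSABLE)


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def score(domain: str, max_distance: int = 2):
    """Return (brand, distance) for the closest protected brand, or None.

    Only the registrable label is compared, so blolkchain.com still matches
    blockchain.info despite the different TLD. An exact match is the brand
    itself and is not flagged.
    """
    label = normalise(domain.split(".")[0])
    best = None
    for brand in PROTECTED:
        if domain.lower() == brand:
            return None
        dist = damerau_levenshtein(label, normalise(brand.split(".")[0]))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best


# Constructed sample: the three domains from the article plus benign ones.
SAMPLE = ["blockchain.info", "blocklchain.info", "bioklchain.info",
          "blolkchain.com", "coinbase.com"]


def flag_lookalikes(domains):
    """Map each suspicious domain to the brand it imitates and its distance."""
    return {d: score(d) for d in domains if score(d) is not None}
```

Running `flag_lookalikes(SAMPLE)` reports the three typosquats and leaves the genuine blockchain.info and the unrelated coinbase.com unflagged.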

Cisco's security team says:

“Our findings show that this is a new campaign, since most of these domains were registered on May 26 2016, with new domains surfacing in our logs almost every day. As cryptocurrency technologies gain momentum, so too will a new set of security problems, so it’s imperative these online wallet companies deploy proper security methods to protect against this new wave of targeted phishing and typosquatting attacks.”