Researchers have discovered a large-scale phishing scheme that aims to steal Bitcoins and obtain blockchain wallet details.
According to a blog post by Artsiom Holub, Dhia Mahjoub and Jeremiah O'Connor at OpenDNS, the focus on Bitcoin is down to it being easier to steal than normal cash.
The new phishing campaign was spotted by security researchers from Cyren at the beginning June, when a phishing campaign using the domain blocklchain[.]info as its web address began to spread using Google AdWords.
The OpenDNS team spotted that websites hosted on certain IP addresses had a history of abuse and were behind other scams and malicious websites in the past, such as fake banking and iCloud websites and more.
“Given this shady content, we blocked the entire IP Range for our customers and as a reference, we provide the list of domains on the 18.104.22.168/24 range,” said the researchers.
Further investigation revealed that the IP address belonged to a firm registered in the Seychelles called Novogara. It was previously known as QUASINETWORKS. Prior to that, it was named Ecatel and was based in the Netherlands until December 2015.
Novogara is known as a “bulletproof hosting provider”, which gives protection to customers regardless of whether or not they are involved in criminal activities. As Ecatel, it was subject in 2012 to DDoS attacks by Anonymous for hosting child porn.
Cross-referencing hosted domains and Whois registrations identified six different emails used to register blockchain spoof domains.
“Investigating IP space, name servers and Whois indicators sheds light on how frequently criminal actors recycle their infrastructures and resources, and makes evident just how heavily they rely on bulletproof offshore hosting providers to deliver their malware and phishing campaigns,” said the researchers.
They added that as cryptocurrency technologies gain momentum, so too will a new set of security problems, so it's imperative these online wallet companies deploy proper security methods to protect against this new wave of targeted phishing and typosquatting attacks.
“Rogue and bulletproof hosting providers continue to provide a safe haven for these malware and phishing campaigns. Our objective at OpenDNS is to track and predictively block malicious content via DNS traffic analysis and proactive monitoring of various indicators such as IP space, Whois, and SSL certs,” they said.
Jamie Moles, principal security consultant at Lastline, told SCMagazineUK.com that the most likely people to fall for this are individuals who while technical enough to be involved in the use of bitcoins (it's still a fairly niche game) are not cyber-security savvy.
“There has been an uptake in bitcoin usage by victims of ransomware over the past 12 months and many of these individuals are barely technical enough to get bitcoin up and running in order to pay a ransom and save their data – potentially just the kind of person who could fall for a well-crafted phishing email and unlikely to be protected by any significant APT detection solution,” he said.
In a side note, Bitcoin's price broke the US$775 (£530) barrier on Friday, trading briefly at a $778.70 high not seen since early February, 2014.