14 Feb Talos turns up $50M digital wallet cybercriminals
Shades of The Bourne Identity. For more than six months, Cisco’s Talos Intelligence group tracked a notorious Ukrainian cybercrime group called Coinhoarder.
The group has stolen more than $50 million in cryptocurrency from users of digital wallets such as Blockchain.info among other cybercrime attacks.
Working with Ukraine Cyberpolicija, the Talos team unearthed a whole new set of sneaky tactics designed to steal digital coins from their owners.
New techniques fool virtual coin owners
While the campaign used the latest technology and expert levels of programming, the scam was surprisingly simple.
The criminals bought Google AdWords placements to lure victims to more than 85 phony domains (full list) that imitated the digital wallet's website. Many of the domains were common misspellings that an unsuspecting client could easily type, such as bockchain.info, blockchians.info, blokhchain.com, blckchians.info, biockchain.biz and many others.
With more than 200,000 wallet users, Blockchain.info was a perfect target.
Once victims clicked on the Google ad, they were taken to a phony URL that was easy to overlook because it so closely resembled the real digital wallet's URL.
Once the victim entered their login details, or created a new account, malicious scripts emailed the credentials and passwords, along with the shared xpub and xpriv key information, to the criminals.
The script was sophisticated enough to bypass two-factor authentication as well, enabling the cybercriminals to take both the credentials and the cryptocurrency held in the user's wallet.
Scam targeted many digital wallets
In a blog post about the Coinhoarder case, Talos said the criminals operated in several languages and countries:
“Cisco identified an attack pattern in which the threat actors behind the operation would establish a “gateway” phishing link that would appear in search results among Google Ads. When searching for crypto-related keywords such as “blockchain” or “bitcoin wallet,” the spoofed links would appear at the top of search results. When clicked, the link would redirect to a “lander” page and serve phishing content in the native language of the geographic region of the victim’s IP address.”
Fake Google ads reach millions
The reach of the “poisoned” ads is huge. On Feb. 24, 2017, Talos tracked 222,450 queries in one hour alone on the fake domain blockchien.info. On Feb. 25, another 200,222 queries were tracked on the same domain in one hour.
“The domain block-clain[.]info was used as the initial “gateway” victims would first visit. Victims would immediately be redirected to blockchalna[.]info, the landing page where the actual phishing content was hosted. These fraudulent sites are mostly hosted on bulletproof hosting providers based in Europe.”
The ads delivered a large, steady stream of traffic and potential victims to phony but very realistic copycat websites, such as the one shown in the screenshot that follows.
Uncovering many other fake domains, target countries
Tracking the activity on Google AdWords, Talos identified similar domains as malicious, began blocking traffic to them, and monitored related networks to find other phishing sites.
A significant share of the DNS requests came from countries such as Nigeria, Ghana and Estonia, among many others where banking is more difficult, local currencies are unstable, and users' first language is not English.
Coinhoarder active since 2015
Talos says Coinhoarder has been active since 2015, stealing tens of millions of dollars in bitcoin from cryptocurrency exchanges and digital wallets.
Between September and December 2017 alone, more than $10 million was stolen by the cybercriminals.
A screenshot of just one wallet shows a balance of $1,894,433.09, and Talos estimates the criminal take at more than $50 million over the past three years.
The dramatic increase in value of bitcoin by the end of 2017 also made it more challenging for criminals to convert their virtual currency to US dollars.
Ukraine a cybercrime hotbed
Talos research shows Ukraine is a hotbed of cybercrime activity:
“Ukraine is a hotbed for many types of attacks and a home for known bulletproof hosting providers. In the past year, Cisco has witnessed a substantial rise in financially motivated campaigns coming from and targeting this region. One of Cisco’s goals is to collaborate with countries worldwide and use our global visibility on attacks to assess their security posture and help improve it.”
Cybercrime sophistication growing
Coinhoarder and other cybercriminals are getting more sophisticated, according to Talos. Not only have they abused Google AdWords, they have become very adept at creating legitimate-looking websites with SSL certificates issued by Cloudflare and Let’s Encrypt.
Talos says SSL certificate use by cybercriminals is a growing concern. Other tactics used to trick digital wallet clients include:
- SSL-signed phishing websites
- Internationalized domain names (IDNs) used in homograph attacks, with symbols that closely resemble letters of the legitimate language.
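The misspelled domains listed earlier and the IDN homographs mentioned here are the same problem from a defender's side: names that a person reads as the brand but that resolve somewhere else. The script below is an added example, not code from Talos or from this article. It decodes Punycode labels, reduces each name to the Latin letters a reader would perceive (using a small, hand-picked confusables map that stands in for the full Unicode confusables table), and scores the result against the legitimate wallet domain with an edit distance that also counts adjacent-letter swaps. The observed-domain list is constructed from the names quoted in the article plus one Cyrillic homograph and two unrelated controls; the edit-distance threshold is an assumption tuned for a ten-letter brand.

```python
"""Flag typosquat and IDN-homograph look-alikes of a brand domain in a list of observed names.

Added example for this article (not Talos code). Intended for triaging DNS, proxy or
passive-DNS logs: legitimate names drop out, look-alikes get a verdict.
"""
import unicodedata

# The legitimate wallet domain named in the article.
BRAND_DOMAINS = {"blockchain.info"}

# Partial, hand-picked confusables map (assumption: a real deployment would load the
# full Unicode confusables.txt). Maps look-alike letters to their Latin twin.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u04bb": "h",
    "\u0131": "i", "\u0261": "g", "\u0501": "d", "\u0458": "j",
}


def to_unicode(domain: str) -> str:
    """Decode any xn-- (Punycode) labels so look-alike letters become visible."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def to_punycode(domain: str) -> str:
    """Inverse of to_unicode; builds the wire form a resolver log would actually contain."""
    labels = []
    for label in domain.lower().split("."):
        if any(ord(c) > 127 for c in label):
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def second_level_label(domain: str) -> str:
    """Registrable label just before the TLD (assumption: no public-suffix handling)."""
    return domain.split(".")[-2] if "." in domain else domain


def skeleton(label: str) -> str:
    """Collapse a label to the ASCII letters a human would perceive."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.category(ch) == "Mn":  # drop accents and combining marks
            continue
        ch = CONFUSABLES.get(ch, ch)
        if ch == "-":  # block-clain.info reads as "blockclain" to a victim
            continue
        out.append(ch.lower())
    return "".join(out)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "ai" <-> "ia" counts as one edit
    return d[len(a)][len(b)]


def classify(domain: str, brands=BRAND_DOMAINS) -> str:
    """Return one of: legitimate, homograph, same-name-other-tld, typosquat, unrelated."""
    uni = to_unicode(domain)
    if uni in brands:
        return "legitimate"
    label = second_level_label(uni)
    has_non_ascii = any(ord(c) > 127 for c in label)
    skel = skeleton(label)
    best_brand = min(brands, key=lambda b: osa_distance(skel, skeleton(second_level_label(b))))
    brand_skel = skeleton(second_level_label(best_brand))
    dist = osa_distance(skel, brand_skel)
    # Assumption: roughly one edit per three brand letters (3 for "blockchain").
    max_edits = max(2, len(brand_skel) // 3)
    if dist == 0:
        return "homograph" if has_non_ascii else "same-name-other-tld"
    if dist <= max_edits:
        return "typosquat"
    return "unrelated"


def triage(domains):
    """Map each observed domain to its verdict, dropping the legitimate ones."""
    return {d: classify(d) for d in domains if classify(d) != "legitimate"}


if __name__ == "__main__":
    # Constructed sample: the look-alike names quoted in the article, one Cyrillic
    # homograph built here, the real domain, and two unrelated controls.
    observed = [
        "bockchain.info", "blockchians.info", "blokhchain.com", "blckchians.info",
        "biockchain.biz", "blockchien.info", "block-clain.info", "blockchalna.info",
        to_punycode("blockcha\u0456n.info"),  # Cyrillic i (U+0456) in place of Latin i
        "blockchain.info", "bitcoin.org", "example.com",
    ]
    for name, verdict in triage(observed).items():
        print(f"{name:32} {verdict}")
```

Every name from the article lands within three edits of the brand skeleton, while the homograph only becomes visible after the Punycode label is decoded and its Cyrillic letter mapped, which is why both steps run before the distance is taken. The verdicts are a triage aid, not a blocklist: a hit should be confirmed (registrant, hosting, certificate issuance) before traffic to it is cut.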
What’s on the horizon for cybercrime?
Crypto assets are a whole new opportunity for criminals.
Talos expects growing use of “Google Adwords combined with the use of IDNs and rogue SSL certificates to improve their probability of success and generate millions in profit…
“We can expect to see more of these realistic looking phishes with Let’s Encrypt releasing full wildcard certificate support at the end of this month. Cisco will continue to monitor the landscape and coordinate with international law enforcement teams in 2018 to help protect users and organizations.”
Investors and consumers can be more diligent about protecting credentials and personal data, as well as closely inspecting URLs and watching carefully for other phishing attempts.
It’s also a case where some healthy skepticism can be a valuable weapon and defense for consumers and investors.
Author: Jeff Domansky, Managing Editor
Visuals courtesy Talos International and Ukraine Cyberpolicija