Cisco And Ukrainian Cyber Police Uncover $50 Mln Bitcoin Phishing Scam
Technology conglomerate Cisco and the Cyber Police of Ukraine have revealed a Ukrainian Bitcoin (BTC) phishing ring that has stole over $50 mln over a three year period, Cisco’s threat intelligence team Talos reports.
Talos was first alerted to the phishing threat on Feb. 24, 2017, when a Ukrainian-based phishing scheme, COINHOARDER, targeted the blockchain.info wallet service through Google Ads that contained “gateway phishing links” and generating over 200,000 client search queries.
The Google Ads would appear to represent the real blockchain.info Bitcoin wallet by using domain names that closely resembled that of the official wallet, like blockchein.info. The phishing sites themselves are also designed to match the real site in every way except for the domain name.
Talos reports that COINHOARDER began making their phishing site look more legitimate over time by using rogue SSL certificates in combination with their “typosquatting,” “brand spoofing,” and “homograph attacks.”
Talos found that the phishing targeted geographic areas where local currencies were unstable and English was not the first language of the region, like Nigeria and Ghana, for victims were more likely to miss the slight differences in the domain and SSL names.
Cisco’s collaboration with the Cyber Police of Ukraine helped them identify the attackers’ BTC wallet address. Talos writes that “around $10 mln” alone was stolen while tracking the wallet’s activity from Sept. through Dec. 2017.
After the discovery of this large-scale phishing scheme, Cisco began flagging the associated domains as suspicious, and used DNS requests to find and block other domains opened by the same registrant of the initial site.
Talos ends their report with the list of the IP addresses associated with the phishing scam, as well as ways for Cisco customers to protect themselves against similar threats.
Crypto phishing scams on Twitter have recently become much more prevalent, with users creating fake accounts that closely mimic those of crypto elites like Charlie Lee or Vitalik Buterin and then promoting fake crypto giveaways.