Malicious Bitmain Website Shows up in Facebook’s Advertisements

Cryptocurrency users have become a prime target for cybercriminals, who often go after exchanges and digital wallets. However, it seems there is a malicious social media campaign related to a Bitmain phishing website as well. The site looks and feels like the real deal, but it is clearly a fake. Users need to be aware of these problems and remain vigilant at all times. Cryptocurrency mining is very popular, and people aren’t always browsing the correct websites.

The number of phishing attacks against cryptocurrency users has grown significantly. Over the past few years, we have seen numerous attempts at causing financial damage. Exchanges and trading platforms will remain the main target right now. However, someone is trying to trick users into ordering mining equipment from a fake Bitmain website. Considering the company is the world’s largest manufacturer of such hardware, it is only natural that criminals try to mimic it.

Beware of Fake Bitmain Ads on Facebook

Anyone who gets caught up in this fake website will lose their money. Although it is unclear how many victims there are, one Reddit user pointed this issue out to us. More specifically, he lost 0.33 BTC to this fake Bitmain website. It seems the nefarious site uses a lookalike character in place of the “n” in the Bitmain name. This makes the domain name look more legitimate than using a slightly different company name would. A very problematic development, and one that should not be allowed to take place.

Unlike previous phishing sites, the fake Bitmain isn’t found on Google. There are no paid search engine advertisements when looking for the company by name. Instead, it can only be found on Facebook. Given the popularity of social media, it is no surprise criminals are trying their hand at this new method. No one knows for sure how long the ad has been running, though. Moreover, it remains unclear whether this ad targets users in specific countries.

All things considered, cryptocurrency users need to be more careful than ever before. Any platform or email can carry malicious ads for services which seem legitimate. Bitmain is the latest victim in the ongoing attacks by cybercriminals against cryptocurrency enthusiasts. It is unfortunate that sites like these are even approved by Facebook. Big companies often don’t have the right staff in place to stay ahead of these phishing sites. It will not be the last of its kind either.

Header image courtesy of Shutterstock


There are many different types of scams in the world of cryptocurrency. Phishing sites are still the main source of concern and financial gain for criminals. Things are only complicated further thanks to paid Google Search ads which show up in people’s browsers. A phishing site mimicking ShapeShift has been identified as a Google Search result. It is easy to spot the fake ad, but some people will get tricked into visiting the site regardless.

Cryptocurrency users need to be on their toes at all times when searching the web. Bookmarking the sites you visit on a regular basis is the best course of action. Typing in addresses manually is prone to errors and may redirect people to phishing sites. Always be wary of Google Search results as well, as the first link is often a sponsored advertisement. Such is the case when conducting a Google Search for ShapeShift. The first result is an ad for a phishing site.

Beware of the Fake ShapeShift Site in Google

It is not the first time criminals have used Google advertisements to promote phishing sites. In this case, the link redirects to ShapeShifth.io instead of ShapeShift.io. It is only a minor difference most people will not notice right away. Using the wrong site will result in money being stolen, though. The site looks and feels exactly like the real ShapeShift, which makes it more difficult for novice users to spot the fake one. It is unclear how long this advertisement has been showing up in Google results.

Cryptocurrency users are often targeted by criminals. Given the price appreciation of most top currencies, that is no real surprise. Phishing sites have always been a popular method of attack in this regard. One would expect cryptocurrency enthusiasts to know better than to fall for such blatant scams, but the reality is often very different. Bookmarking the correct address is a viable solution to circumvent issues like phishing sites. It is now up to Google to get rid of this malicious advertisement.

This is not the first phishing attempt against ShapeShift or other cryptocurrency platforms. Exchanges are the most prominent target for cybercriminals in this regard. These platforms are frequently used by people from all over the world, which means there is good money to be made with copycat sites. It is unclear if anyone has used the fake ShapeShift site and lost money because of it. Google has to step up its game to actively block such advertisements in the future, that much is certain.

Cryptocurrency users have seen their fair share of phishing scams over the years. In most cases, those scams involve fake exchange or wallet websites. Users are often contacted through an email campaign, which tends to be somewhat successful. This is a big problem that needs to be addressed. Things only get worse when the top Google Search result for the Bittrex exchange is a phishing site as well. This method of attack has become more prevalent in recent months.

Rest assured cryptocurrency users will see more phishing attempts in the future. Criminals know exchange users often use lackluster account security. All they need is a login and password to empty account balances with ease. In the case of Bittrex, that has become a lot more difficult. In a new update, the company introduces mandatory email-based 2FA for all users upon logging in. A great move forward, especially considering the growing number of phishing scams in circulation.

Phishing Clone of Bittrex Dominates Google Search Results

More specifically, the top search result for Bittrex on Google is a phishing scam. This is one of the sponsored ads which show up during most people’s searches. The domain name in question is bittrex.ltd. It also uses a fake description which makes it look somewhat legitimate. People need to be very careful when Googling for website addresses rather than entering them manually. It’s not hard to remember the Bittrex.com domain name, though. Still, novice users often struggle with this concept, which makes them easy targets for such phishing scams.

It has to be said, this fake Bittrex website looks like an exact copy of the original. However, a closer look at the address bar reveals you are using Bilttrex.com. This domain was registered about two weeks ago, indicating this scam has been going on for some time now. It is unclear who registered the domain, but we do know they use CloudFlare protection. It also appears the ad is no longer showing up for some people depending on their region, which shows Google is taking action against this scam.

Unfortunately, we will probably see more of these phishing sites in the future. Cybercriminals know users store a lot of money in an exchange wallet. It is up to individual users to take the necessary security precautions. Enabling 2FA in your account is an obvious first step. Not keeping funds in an exchange wallet is the better strategy, though. There are dozens of mobile, desktop, and hardware wallet solutions out there. Keeping your funds safe should be the number one priority for every cryptocurrency user. Otherwise, phishing attempts like these will remain far too successful.

Bitcoin users are all too familiar with the concept of phishing emails. Criminals attempt to trick users into giving up their login information through carefully crafted emails. The latest phishing email to make the rounds is aimed at Blockchain.info once again. It is not the first time people try to trick platform users into exposing their Bitcoin wallet.

Never opening an email from someone you don’t know is still a valid course of action. This is especially true for people who rely on external Bitcoin wallet services. So far, we have seen multiple companies suffering from phishing attacks executed by unknown criminals. Blockchain.info appears to be a very popular target in this regard. The platform has seen multiple phishing attempts over the past few years.

Blockchain.info Users Are at Risk Once Again

More specifically, the new phishing email claims users need to download a backup of their Blockchain.info wallet. First of all, the company would never ask users to do so via email. Secondly, they will never include a hyperlink in the message. Anyone can see this is a phishing attempt, even if you are not exactly tech-savvy. Emails like these need to be avoided at all costs. Clicking the link will expose your login information to unknown assailants.

What is rather interesting is how the email also carries an attachment. This file is named “backup wallet.pdf.exe”. Downloading and running an executable file sent via email is the worst idea anyone can have. It is very likely these criminals want to infect computers with malware as well. Their ulterior motives remain shrouded in mystery for the time being. Moreover, it is unclear who is behind this new phishing email.

Once again, it is unclear how these people get access to Bitcoin users’ email addresses. Considering how common Blockchain.info phishing campaigns are, something is clearly wrong. Moreover, these emails are often sent to people who don’t even use the service as a wallet. It is possible these addresses were harvested in a Bitcointalk breach several years ago. We can only hope this new campaign is not overly successful in the long run.

Criminals are often targeting Bitcoin users all over the world. Given the popularity and the BTC price increase as of late, this is not surprising. A new phishing email is making the rounds claiming to include some BTC-E vouchers. No one knows exactly who is behind this campaign, yet it is something to be wary about.

Beware of the Fake BTC-E Voucher Email

It is not the first phishing email to target bitcoin exchange users. Various similar campaigns have made the rounds over the past few years. In most cases, criminals claim to represent Bitcoin exchanges asking for consumer information. This time, users are greeted with a message regarding BTC-E vouchers. An intriguing turn of events, although it is not hard to see this is a scam.

Everyone who has ever used BTC-E knows the exchange provides a voucher system. However, it does not give vouchers out to platform users free of charge, even though this email claims otherwise. Rather than pointing users to their account, the email includes a Word file. This file is locked with a password, which is also mentioned in the fake email. A genuine BTC-E message would be a plain-text email without attachments.

By the look of things, the goal is to have people open this Word attachment and infect their computers with malware. This has become a common tactic among internet criminals worldwide. They embed a malicious macro in the Word file that triggers the download of malware. In some cases, they use this method to infect computers with ransomware as well.

It is unclear where the people behind this campaign got the email list they use. Some people on Reddit claim it is a result of a previous Bitcointalk hack. That is not confirmed at this stage, though. Not everyone who receives this email is a customer of BTC-E either. It is doubtful the campaign will be successful in the end. Then again, it never hurts to warn people about the danger lurking around the corner.
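Both the “backup wallet.pdf.exe” attachment in the Blockchain.info email above and the password-locked Word file in this BTC-E email are cases a mail gateway can triage before a user ever sees them. The Python below is an added example, not code from the articles or from any mail product: it splits trailing extensions to catch double extensions, compares the declared extension with the file’s leading bytes, flags macro-capable Office formats, and notices when the body text hands out the password for an encrypted attachment. The extension lists, the signature table, the password-hint pattern and the sample bytes are constructed assumptions.

```python
"""Mail-attachment triage (added example; not code from the articles)."""
import os
import re

# Extensions Windows will execute directly (assumption: gateway policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1"}
# Office formats that can carry VBA macros (the legacy binary formats always can).
MACRO_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Harmless-looking extensions used as the decoy half of a double extension.
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".jpg", ".png", ".zip"}

# File signatures, compared against the declared extension.
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"), (b"PK\x03\x04", "zip")]

# Constructed pattern for "the password is ..." hints in the message body.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


def split_extensions(filename: str) -> list:
    """Return every trailing extension, e.g. 'backup wallet.pdf.exe' -> ['.pdf', '.exe']."""
    exts = []
    name = filename.lower()
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            return list(reversed(exts))
        exts.append(ext)


def sniff(content: bytes) -> str:
    """Identify the real file type from its leading bytes."""
    for prefix, kind in MAGIC:
        if content.startswith(prefix):
            return kind
    return "unknown"


def triage_attachment(filename: str, content: bytes, body_text: str = "") -> tuple:
    """Return (verdict, reasons); verdict is 'allow', 'quarantine' or 'block'."""
    reasons, severity = [], 0
    exts = split_extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(content)

    if last in EXECUTABLE_EXTS:
        severity = 2
        reasons.append(f"executable extension {last}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension: shown as {exts[-2]} but runs as {last}")
    if kind == "pe" and last not in EXECUTABLE_EXTS:
        severity = 2
        reasons.append("content starts with an MZ header: a Windows executable under a harmless name")
    if last in MACRO_EXTS:
        severity = max(severity, 1)
        reasons.append(f"macro-capable Office format {last}")
    if (last in MACRO_EXTS or last in DOCUMENT_EXTS) and PASSWORD_HINT.search(body_text):
        severity = max(severity, 1)
        reasons.append("password for the attachment is given in the message body, which defeats gateway scanning")
    return ("allow", "quarantine", "block")[severity], reasons


if __name__ == "__main__":
    # Constructed samples: a PE disguised as a PDF, and an OLE document with its password in the body.
    print(triage_attachment("backup wallet.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60,
                            "Download the backup of your wallet"))
    print(triage_attachment("BTC-E_vouchers.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
                            "Your vouchers are attached. The password is Voucher2016"))
    print(triage_attachment("statement.pdf", b"%PDF-1.4\n"))
```

The block verdict is reserved for anything that would execute; quarantine covers the cases a gateway cannot inspect, such as a macro document or an archive whose password travels in the same message.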

Global fraud rings are nothing new under the sun these days. With the rise of deep web activity, criminals have created platforms to communicate and collaborate on a global scale. Avalanche, one of the largest global fraud rings in the world, has now been dismantled. This is a major boon for law enforcement agencies, although the threat is far from over.

The Avalanche global fraud ring has been a thorn in the side of police officials for quite some time now. This project serves as a distributed cloud hosting network, which is often rented out to fraudsters. In fact, Avalanche has been used for over seven years and contributed to multiple malware and phishing attacks all over the world.

Europol and national law enforcement agencies worked together for four years to bring Avalanche to an end. Five individuals were arrested on November 30, and a total of 39 web servers have been seized and shut down. Moreover, the global fraud ring’s scheme spanned 830,000 domain names, which have been taken down as well.

Avalanche is Just One of Many Global Fraud Rings

This crime-as-a-service business model has seen its fair share of success in the past few years. Scammers, spammers, carders, and phishers all made use of this infrastructure at some point. In fact, one could argue Avalanche is one of the pillars of global cybercrime. Moreover, the service is responsible for major e-commerce and bank credential thefts over the years. Several banking Trojans have been deployed through this infrastructure as well.

The UK National Crime Agency explained the situation as follows:

“Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data. At its peak 17 different types of malware were hosted by the network, including major strains with names such as goznym, urlzone, pandabanker and loosemailsniffer. At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.”

Do not be mistaken in thinking this global fraud ring was decentralized by any means. Its creators made sure servers were located all over the world, but that is not the same thing. Instead, the fast-flux hosting method allows botnets to hide delivery sites behind a constantly changing network of compromised hosts.

For the time being, it is unclear if the Avalanche global fraud ring enabled Bitcoin scam sites as well. Given the sheer amount of malicious cryptocurrency investing sites, it is not unlikely similar services are used by criminals. Global fraud rings are a significant threat to our society, and the shutdown of Avalanche is a major victory. However, that does not mean cybercrime threats will subside all of a sudden.
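Fast-flux hosting, as described above, shows up in DNS as a name whose A records rotate through many addresses in many autonomous systems with short TTLs. The Python below is an added example, not code from the article, Europol or any vendor: it aggregates repeated lookups for one name into unique-IP, unique-ASN and minimum-TTL features and applies the linear score published by Holz et al. (NDSS 2008), which flags a name when 1.32·nA + 18.54·nASN exceeds 142.38. The IP-to-ASN table (documentation prefixes and private-use ASNs) and both sets of lookup answers are constructed for the example.

```python
"""Fast-flux heuristic over repeated DNS answers (added example; not from the article)."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed IP-to-ASN table built from documentation prefixes and private-use ASNs.
# A real detector would query a BGP/ASN data source instead.
ASN_TABLE = (
    [(ip_network(f"203.0.113.{i * 64}/26"), 64496 + i) for i in range(4)]
    + [(ip_network(f"198.51.100.{i * 64}/26"), 64500 + i) for i in range(4)]
    + [(ip_network("192.0.2.0/24"), 64504)]
)


def asn_of(ip: str) -> Optional[int]:
    """Longest-prefix-free lookup is enough here: the constructed prefixes do not overlap."""
    addr = ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


def flux_features(lookups) -> dict:
    """lookups: sequence of (ttl_seconds, [A-record answers]) for one name over time."""
    ips, ttls = set(), []
    for ttl, answers in lookups:
        ttls.append(ttl)
        ips.update(answers)
    asns = {asn_of(ip) for ip in ips} - {None}
    return {"unique_ips": len(ips), "unique_asns": len(asns), "min_ttl": min(ttls)}


def flux_score(features: dict) -> float:
    """Linear score from Holz et al. (NDSS 2008): 1.32 * nA + 18.54 * nASN."""
    return 1.32 * features["unique_ips"] + 18.54 * features["unique_asns"]


def is_fast_flux(lookups, threshold: float = 142.38) -> bool:
    """Threshold is the one published with the score above."""
    return flux_score(flux_features(lookups)) > threshold


# Constructed answers: a fluxing name rotates 24 addresses across 8 ASNs with a 180 s TTL,
# while a static name keeps returning three addresses from one network.
FLUX_LOOKUPS = [
    (180, ["203.0.113.5", "203.0.113.70", "203.0.113.135", "203.0.113.200", "198.51.100.9", "198.51.100.77"]),
    (180, ["198.51.100.140", "198.51.100.205", "203.0.113.12", "203.0.113.80", "203.0.113.140", "203.0.113.210"]),
    (180, ["198.51.100.20", "198.51.100.90", "198.51.100.150", "198.51.100.220", "203.0.113.30", "203.0.113.99"]),
    (180, ["203.0.113.160", "203.0.113.230", "198.51.100.40", "198.51.100.101", "198.51.100.170", "198.51.100.240"]),
]
BENIGN_LOOKUPS = [
    (3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, ["192.0.2.11", "192.0.2.10"]),
    (3600, ["192.0.2.10", "192.0.2.12"]),
]

if __name__ == "__main__":
    for name, lookups in (("flux.example", FLUX_LOOKUPS), ("static.example", BENIGN_LOOKUPS)):
        feats = flux_features(lookups)
        print(name, feats, round(flux_score(feats), 2), is_fast_flux(lookups))
```

The ASN count carries most of the weight in the score because legitimate content delivery networks also rotate many addresses, but they rarely spread them across many unrelated autonomous systems the way a botnet of compromised hosts does.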


A resident of Connecticut has been arrested for stealing Bitcoins and phishing for deep web logins. By posting links to fake darknet marketplaces, Michael Richo managed to collect a large amount of platform logins from other deep web users. With this information, he was also able to access the original accounts, and empty bitcoin wallets if they contained any balance.

The FBI and other law enforcement agencies have been keeping a close eye on the darknet marketplace sector as of late. During one of their investigations, they came across a person building clone websites of platforms such as AlphaBay. As it turns out, these were deliberate phishing attempts to collect login information from users and hack their accounts.

Phishing The Darknet For Logins and Bitcoins

After being arrested by the New Haven Division cybercrime squad, it didn’t take long for Richo to admit he was running a phishing scheme. Moreover, he admitted he created the websites, submitted the links to popular platforms, and stole Bitcoins. For now, it remains unclear where the links were posted, although Reddit and darknet forums seem to be likely candidates.

Once the username and password for a particular platform were collected, Richo would access that account on the legitimate website. He would then check all accounts for a Bitcoin wallet balance, and withdraw any funds that were present. Richo also kept tabs on these accounts to monitor for any incoming deposits, and siphoned those proceeds away as soon as possible.

To make matters even worse, Richo admitted to running a secondary scheme to steal Bitcoin wallet balances. By using a tool he dubbed “Bitcoin monitor”, he could post links that would route all traffic through his own servers. Doing so allowed him to monitor all user keystrokes, enabling him to steal even more Bitcoin funds.

Obtaining stolen funds is one thing, but converting them to untraceable currency is very difficult. The investigation revealed Richo used Bitcoin Fog, a coin tumbler that allegedly provides anonymity. Once that process was completed, the “clean” Bitcoins would be sold through LocalBitcoins in exchange for US dollars deposited into a bank account.

For the time being, it remains unclear how much money was stolen in total. We do know nearly 10,000 usernames and passwords were in Richo’s possession at the time of his arrest. This goes to show that even users who go through the extra trouble of using Tor and other tools are still vulnerable to these types of “traditional” attacks.


Popular Bitcoin exchange Kraken has issued a warning regarding a potential phishing website. Various company users have reported this fictitious platform, which seems to be appearing in advertisements across all the main search engines. Internet criminals are working hard to steal users’ Bitcoin and other cryptocurrency balances, that much is certain.

It appears as if someone is deliberately mimicking the websites of just about every cryptocurrency platform in existence right now. Google search results are littered with advertisements for malicious sites pretending to be the real deal. While most of these sites do get removed, that is not a permanent solution by any means.

A Fake Kraken Website Appears Everywhere

The fake Kraken website shows up in the browser address bar as “kraken1.com”. Anyone who is paying attention to what they are doing will notice this issue straight away. On the outside, however, the site looks like an exact clone of the real Kraken, which is rather troublesome for novice users.

Then again, when conducting a Google search for “Kraken Bitcoin”, users will immediately see two results. The first link is an ad, which is never the real company site in the Bitcoin world. The one just below that is the actual exchange platform, including HTTPS certificate and the proper description.

Unfortunately, Google is not the only search engine hosting these malicious ads. The blog post mentions Yahoo and Bing as other places where the same ads are being hosted. Someone, or a collective of individuals, is trying to trick users into giving up the passwords to their accounts on cryptocurrency platforms.

Any Kraken user who reuses their Kraken password for email accounts or other online services may have had those accounts compromised already. To make matters worse, users will not receive notifications about suspicious account activity when the criminal controls the email account. For the longest time, technology advocates have been warning Internet users not to reuse passwords across multiple platforms.

Getting these types of advertisements taken down can be quite a tedious process, unfortunately. A Google, Yahoo, or Bing support employee will have to review the case, after which the company will evaluate the site listing. By the time the issue is resolved, dozens, if not hundreds, of people could have fallen victim to this phishing scam.

Source: Blog.Kraken.com


Bitcoin has become the most valued financial instrument as it continues to put up a strong performance while other major currencies and markets are registering a slump following the Brexit results. As the value of the digital currency continues to increase, so does the number of phishing scams run by cybercriminals looking for ways to make a quick buck.

In a recent blog post, OpenDNS Security Labs has reported an increase in the number of phishing attempts targeting bitcoin wallet users. These phishing campaigns involve criminals hosting fake websites that look like the genuine ones with the intention of defrauding users. By directing traffic to the fake website, they hope unsuspecting users will leave their login credentials on the phishing site. The login credentials are then used to gain control of the victims’ accounts at a later time.

The most recent target of phishing attacks is the leading bitcoin wallet service provider Blockchain.info. OpenDNS reports that the first phishing attempt was noticed by Cyren, a cloud-based internet security solutions company. Cyren (NASDAQ: CYRN) detected blocklchain.info mimicking the blockchain.info site; the phishing page was being promoted on Google AdWords to drive traffic to it. Whenever somebody searched for ‘blockchain’, the sponsored result linking to blocklchain.info appeared at the top. Any unsuspecting user would have blindly clicked on the top link and found themselves on a fake site.

The NLPRank model used by OpenDNS to detect phishing attacks is said to have detected two other domains, blockchain-wallet.top and blolkchain.com, on the 9th and 13th of June 2016 respectively. Both domains were found to be hosted on the same IP, 89.248.171.88, belonging to an offshore bulletproof hosting service provider formerly known as Ecatel. OpenDNS has published a list of domains hosted on the servers in that IP range. The list includes numerous phishing URLs targeting blockchain.info and LocalBitcoins.

[Image from OpenDNS: list of domains hosted in the IP range described above]

Ecatel, which was earlier registered in the Netherlands, has a history of hosting illegal content and launching DDoS attacks, and it was also subject to investigation. The company has since changed its location and name to operate as QuasiNetworks from the Seychelles. QuasiNetworks being the host for these bitcoin phishing sites doesn’t come as a surprise. While most of these sites are currently inaccessible, it is still advisable for users to make sure they are on the right website by verifying the URL of the webpage and looking for the “https” indicator in the address bar denoting a secure connection.

Phishing attacks are a common occurrence, but users can protect themselves by being on the lookout for the tell-tale signs that scream “phishing” while using the internet.
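The phishing domains named in these articles (blocklchain.info, blolkchain.com and blockchain-wallet.top here, and ShapeShifth.io, bittrex.ltd, Bilttrex.com and kraken1.com earlier) are each one edit, one substituted character or one changed TLD away from the brand they imitate. The Python below is an added example, not OpenDNS’s NLPRank or any code from the articles or the companies named: it folds a hostname to a visual skeleton (decoding punycode labels and applying a small constructed confusables table) and compares the second-level label against an allowlist of legitimate domains. The allowlist, the confusables table, the “bitmaiո.com” test name (an Armenian letter standing in for the Bitmain clone’s substituted “n”, since the article does not give the real character) and the second-level-label simplification (no public-suffix list) are all assumptions of the example.

```python
"""Lookalike-domain check (added example; not code from the articles or from OpenDNS)."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: the defender maintains an allowlist of the brands' real domains.
LEGIT_DOMAINS = {"bitmain.com", "shapeshift.io", "bittrex.com", "kraken.com",
                 "blockchain.info", "localbitcoins.com"}

# Constructed subset of visually confusable characters; a production check would
# load the full Unicode confusables data (UTS #39) instead.
CONFUSABLES = {
    "\u0578": "n",  # Armenian small letter vo, renders like Latin n
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(target: str) -> str:
    """Extract the host from a URL or bare hostname and decode punycode (xn--) labels."""
    if "://" not in target:
        target = "//" + target
    host = urlsplit(target).hostname or ""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels).lower()


def skeleton(label: str) -> str:
    """Fold a label to its visual skeleton so homoglyphs compare equal to ASCII."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_domain(target: str) -> tuple:
    """Return (verdict, detail); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    host = hostname_of(target)
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate", host
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated", host
    raw_label = labels[-2]  # simplification: second-level label, no public-suffix list
    folded = skeleton(raw_label)
    for brand in sorted(LEGIT_DOMAINS):
        brand_label = brand.split(".")[0]
        if folded == brand_label:
            if raw_label != brand_label:
                return "lookalike", f"{host}: homoglyph spelling of {brand}"
            return "lookalike", f"{host}: brand name on the wrong TLD (expected {brand})"
        if levenshtein(folded, brand_label) <= 1:
            return "lookalike", f"{host}: one edit away from {brand}"
        if brand_label in folded:
            return "lookalike", f"{host}: embeds the brand name {brand}"
    return "unrelated", host


if __name__ == "__main__":
    samples = ["https://www.bitmain.com/", "shapeshifth.io", "bittrex.ltd", "bilttrex.com",
               "kraken1.com", "blocklchain.info", "blolkchain.com", "blockchain-wallet.top",
               "bitmai\u0578.com",  # constructed homoglyph example, not the real phishing domain
               "example.com"]
    for sample in samples:
        print(*check_domain(sample))
```

Running it prints a verdict per sample. A check like this belongs where the user does not have to do the comparing, such as a browser extension, a mail gateway or a review of resolver logs, and the allowlist should be the set of brands the organisation’s users actually visit.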

Ref: OpenDNS | Image: Blockchain.info


No one can argue that bitcoin has become a phenomenon that can’t be overlooked; the number of mainstream businesses adopting it as a payment method is increasing steadily, and more and more venture capitalists are investing in various bitcoin startups. However, as the world’s first cryptocurrency becomes more and more popular, this comes with a serious caveat, especially since the anonymity offered by the blockchain technology is so tempting to hackers and fraudsters.

Whenever you become a victim of identity theft leading to loss of funds from your credit card or bank account, your losses would be covered by your bank or insurance company, but what if your bitcoins were stolen? Who would cover your losses then? Accordingly, securing your PC and bitcoin wallets is crucial to fend off most hackers who might try to steal your coins.

How Hackers Can Target Your Bitcoin Wallets and Trading Accounts:

To maximize the security of your bitcoin wallets, you first need to understand how hackers can target your PC, mobile or server to steal your coins. Here are the most common types of attacks hackers can use to exploit the vulnerabilities in your OS and steal your bitcoins:

1- Phishing:

Phishing for IP addresses has always been one of the most commonly used attack types. Occasionally, “IP phishing” is just the first step in a more complicated attack. In my opinion, nowadays if the IP of the “target” is recorded, 50% of the hacking process is already completed.

In most instances, a hacker creates a malicious link and sends it to the target, and once the user clicks on it, the IP address of his/her machine is recorded.

If you are using an online BTC wallet, you might receive a “fake” email that includes a link directing you to a “fake” copy of your online wallet’s login page. When you enter your login details there, they are sent directly to the hacker, who will use them to drain all the BTC in your wallet. However, as all top online wallet providers have SSL protection, if you are attentive enough, you can spot such “fake” login pages easily.

2- Keyloggers:

In my opinion, keylogging is the easiest way to capture a password. A keylogger can be so deceptive that even a tech-savvy victim can fall for it. Simply speaking, a keylogger is a piece of code which, once installed on the OS of a target machine, records all keystrokes and sends them back to the hacker, mostly via FTP.

The success of injecting a keylogger depends on numerous factors, including the OS, the keylogger’s lifespan and the level of existing infection on the target machine. Keyloggers are usually injected using a web browser exploit. The security vulnerabilities of the target machine vary according to the type of browser being used, whether the copy of the OS installed on the target machine is genuine, and whether the OS is up to date regarding security vulnerabilities and bug fixes (2).

3- Stealers:

Stealers are pieces of software that retrieve the passwords and login credentials stored in your browser. Once made fully undetectable (FUD) to antivirus software, some stealers can be very powerful. In most instances, a stealer is a .bat file that is delivered to the target machine online or via a USB drive through “social engineering” (1).

4- Cookie Hijacking:

Cookie hijacking, or session hijacking, is the process of maliciously exploiting a valid computer session to gain unauthorized access to information or services on the target machine.

As HTTP communication utilizes many TCP connections, a web server has to have a method to identify every user’s connections. Session tokens and cookies are the most commonly used client authentication methods nowadays. Cookie hijacking takes many forms, including session sniffing, cross-site scripting, side-jacking, man-in-the-middle attacks and man-in-the-browser attacks (3).
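The hijacking forms listed above (sniffing, cross-site scripting, side-jacking, man-in-the-middle) all go after the session identifier, so the server-side defence is to make the identifier unguessable, short-lived, rotated on login and carried in a cookie the browser refuses to leak. The Python below is an added example, not code from the article or any web framework: a minimal session store with expiry and rotation, a Set-Cookie value carrying the Secure, HttpOnly and SameSite attributes, and an audit helper that lists which of those attributes a header is missing. The session lifetime and the weak cookie value are constructed assumptions.

```python
"""Session-cookie issuance and header audit (added example; not code from the article)."""
import secrets

SESSION_TTL = 900  # seconds of validity; assumption for the example
REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")


def issue_session(store: dict, user_id: str, now: int) -> str:
    """Create a server-side session keyed by a 256-bit random identifier."""
    token = secrets.token_urlsafe(32)
    store[token] = {"user": user_id, "expires": now + SESSION_TTL}
    return token


def validate_session(store: dict, token: str, now: int):
    """Return the user for a live session, or None (purging it) if unknown or expired."""
    entry = store.get(token)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del store[token]
        return None
    return entry["user"]


def rotate_session(store: dict, old_token: str, now: int):
    """Replace the identifier after login or a privilege change, so an identifier
    captured or fixed beforehand no longer maps to the authenticated session."""
    user = validate_session(store, old_token, now)
    if user is None:
        return None
    del store[old_token]
    return issue_session(store, user, now)


def set_cookie_value(token: str) -> str:
    """Value for the Set-Cookie header. Secure keeps it off plaintext HTTP (sniffing,
    side-jacking), HttpOnly keeps page scripts from reading it (cross-site scripting),
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    return "; ".join([f"session={token}", "Path=/", f"Max-Age={SESSION_TTL}",
                      "Secure", "HttpOnly", "SameSite=Strict"])


def audit_set_cookie(header_value: str) -> list:
    """List the protective attributes a Set-Cookie value is missing."""
    present = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [attr for attr in REQUIRED_ATTRS if attr.lower() not in present]


WEAK_COOKIE = "session=abc123; Path=/"  # constructed example of an unprotected cookie

if __name__ == "__main__":
    sessions = {}
    pre_login = issue_session(sessions, "anonymous", now=0)
    logged_in = rotate_session(sessions, pre_login, now=5)
    print(set_cookie_value(logged_in))
    print("weak cookie is missing:", audit_set_cookie(WEAK_COOKIE))
```

The audit helper is the piece to run against a real deployment: fetch the login response and check that every Set-Cookie header for a session cookie comes back with an empty missing-attribute list.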

How Can You Secure Your Bitcoin Wallets and Trading Accounts?


1- Operating Systems and Bug Fixes:

Using a genuine OS that is regularly updated for security vulnerabilities and bug fixes is the first step in securing your bitcoin wallets. I would never recommend using Android devices to access your bitcoin wallets, because, in my opinion, the Android OS is full of security vulnerabilities that act like a magnet for hackers.

2- Desktop Bitcoin-Qt Wallets vs. Online Wallets:

The security of most online bitcoin wallets is questionable. A large number of online wallet providers and bitcoin exchanges have suffered a wide variety of security breaches, and to this day such services still don’t offer adequate insurance and security to their users. If you have to use an online bitcoin wallet service, enable “two-factor authentication” to boost your security.

Bitcoin-Qt wallets are the best option to maximize your security, since you alone hold the private keys to your bitcoins. Don’t put all your eggs in one basket, i.e. keep small amounts of money on your computer, server or smartphone for everyday expenses and use “cold storage” for the majority of your coins. You should use strong passwords for both types of wallets. Multi-signature is another feature that can maximize your security.

3- Using Proxies and VPNs:

Proxy servers and VPNs can increase the security of your bitcoin wallets. Although most people wrongly think that a VPN grants them anonymity online, the truth is it doesn’t, yet it boosts privacy. Think of a VPN as “window curtains”; the curtains protect the privacy of the activities taking place inside your house, yet the address of your house can still be identified.

A VPN minimizes hackers’ access to the open ports on your router and so reduces the possibility of successful hack attacks (4).

4- Anti-Phishing Browsing Behavior:

Always be cautious before clicking on any link. As mentioned earlier, your IP address would be recorded the second you click on a malicious link. Whenever you are suspicious about a link, use a “website phishing check” service before clicking it.

5- Encrypt and Backup Your Wallet(s):

A wallet backup is indispensable to protect against PC failures and human error. An encrypted wallet backup can help you retrieve your coins after your computer or mobile phone is stolen. You should always encrypt your online backups; even a PC connected to the internet is rather vulnerable to malicious attacks. Accordingly, any backup that can be accessed via the internet should be encrypted (5).

6- Cold Storage:

An offline wallet is also sometimes referred to as “cold storage” of bitcoin. Cold storage is the best way to store bitcoin in a secure place that has no network access. Cold storage should be used to store bitcoin savings.

Conclusion:

Although bitcoin is the digital currency most targeted by hackers today, following strict security measures can fend off most attacks. Dealing with bitcoin should be done on a secure machine while also adopting secure web browsing behavior.

References:

1- Rafay Baloch. Ethical Hacking and Penetration Testing Guide, 1st Edition. http://www.amazon.com/Ethical-Hacking-Penetration-Testing-Guide/dp/1482231611

2- Keyloggers. Ethical Hacking, EEL-4789. http://web.eng.fiu.edu/~aperezpo/DHS/Std_Research/Keylogging%20final%20edited%202.0%20.pdf

3- OWASP. Session Hijacking Attack. https://www.owasp.org/index.php/Session_hijacking_attack

4- I Am Anonymous When I Use a VPN, 2015 Edition: With 3 New Myths. https://www.goldenfrog.com/take-back-your-internet/articles/myths-about-vpn-logging-and-anonymity

5- Bitcoin.org. Securing Your Wallet. https://bitcoin.org/en/secure-your-wallet