A Ukrainian-based cybercrime gang named Coinhoarder stole at least $50 million U.S. dollars after tricking Bitcoin investors into handing over the login credentials for their online wallets.
To carry out this large phishing operation, the criminals used Google AdWords to place online advertisements posing as the legitimate and popular blockchain.info Bitcoin portfolio website, according to researchers at Cisco Talos.
So when a user searched for crypto-related keywords like ‘blockchain’ or ‘bitcoin wallet’, the spoofed links topped Google’s search results. When victims clicked the link they were redirected to a landing page with phishing content in the native language of the geographic region of the victim’s IP address.
The criminals were particularly interested in individuals in African countries and developing countries where bank facilities might be harder to obtain and – in some cases – local currency less stable than Bitcoin.
By working together with law enforcement agencies in Ukraine, the researchers were able to identify the gang’s bitcoin wallet addresses and follow their activity between September 2017 and December 2017. In this period alone around $10 million U.S. dollars was stolen.
New effective attack techniques
According to Cisco, the COINHOARDER group is not only abusing Google AdWords to generate traffic to their phishing sites. The researchers also saw the group’s techniques evolve when it started using SSL certificates issued by Cloudflare and Let’s Encrypt to make its sites appear more legitimate. SSL certificate abuse has been a rising trend among phishing campaigns in general.
Below are two examples of phishing websites used by the COINHOARDER group; take a close look at the URL:
Before filling in any personal or billing information on any website, always check the URL twice for typos. Usually an SSL certificate means that the website is safe for payments, but since the SSL certificate in this case is in the hands of scammers, it is not safe. As you can see in the screenshots above, the URL has typos in both cases. Better to close the tab and look for the website again until you’re sure it’s the right, legitimate one.
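As an added illustration of the URL check recommended above (not part of the original article or of Talos’s reporting), the following Python helper compares the hostname a user is about to sign in on against the legitimate blockchain.info domain and flags look-alike names, deliberately ignoring whether the page is served over https. The look-alike hostnames used for testing are constructed examples, not the gang’s actual domains.

```python
from urllib.parse import urlsplit

# The legitimate hostname named in the article.
LEGIT_HOST = "blockchain.info"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute): how many single-character
    changes separate the visited hostname from the legitimate one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased hostname without scheme, port or path.
    A bare hostname (no scheme) is accepted too."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_url(url: str, legit: str = LEGIT_HOST, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a URL the user is
    about to enter wallet credentials on. The scheme is ignored on purpose:
    an https:// prefix or a valid certificate says nothing about who runs
    the site, which is exactly the point the article makes."""
    host = hostname_of(url)
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    # The real name embedded inside someone else's domain,
    # e.g. blockchain.info.<other-domain> (constructed pattern).
    if host.startswith(legit + ".") or ("." + legit + ".") in host:
        return "lookalike"
    # Compare the registrable part so a "www." prefix does not inflate the distance.
    core = host[4:] if host.startswith("www.") else host
    if 0 < levenshtein(core, legit) <= max_distance:
        return "lookalike"
    return "unrelated"
```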
Source: Cisco’s Talos Intelligence