A blog from the world class Intelligence Group, Talos, Cisco’s Intelligence Group
Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals. Additionally, the revenue generated by these sorts of attacks, can then be reinvested into other cybercriminal operations.
The COINHOARDER Campaign
On February 24, 2017, Cisco observed a massive phishing campaign hosted in Ukraine targeting the popular Bitcoin wallet site blockchain.info with a client request magnitude of over 200,000 client queries. This campaign was unique in that adversaries leveraged Google Adwords to poison user search results in order to steal users’ wallets. Since Cisco observed this technique, it has become increasingly common in the wild with attackers targeting many different crypto wallets and exchanges via malicious ads.
Cisco identified an attack pattern in which the threat actors behind the operation would establish a “gateway” phishing link that would appear in search results among Google Ads. When searching for crypto-related keywords such as “blockchain” or “bitcoin wallet,” the spoofed links would appear at the top of search results. When clicked, the link would redirect to a “lander” page and serve phishing content in the native language of the geographic region of the victim’s IP address.