As bitcoin price surges, so have phishing attempts against bitcoin wallets, according to Cisco’s Open DNS Labs blog. A similar phishing spike occurred over the summer in response to a bitcoin price jump. The blog includes a list of domains created by one phishing campaign to spoof Blockchain.info around the holidays.
Most of the phishing sites have been set up for phishing purposes. There has also been an increase in the compromise of legitimate sites modified to host bitcoin wallet phishing along with other phishing content.
Another trend has shown campaigns targeting Gmail accounts to gain access to Google Adwords and boost SEO to push these Blockchain.info phishes to the top of search results.
The blog displayed a few examples of WHOIS registrants that display this behavior.
Open DNS Labs’ new IP and registrant classification system is able to detect these bulletproof phishing infrastructures that target Blockchain.info wallets. It has also enabled Open DNS Labs to block these infrastructures before new phishing sites are developed and hosted on them.
The following compromised site offers an example exhibiting domain shadowing features hosting Blockchain.info phishing:
Such sites are not normally observed. Dedicated bitcoin wallet phishing sites are more typical. Hence, one can conclude that online wallet phishing is here to stay.
The domain dheekshapromoters.com serves as an index page for many such sites.
Open DNS Labs also displayed a list of domains created by firstname.lastname@example.org that spoofed Blockchain.info in November around the holidays.
Because the algorithms detect phishing campaigns as they go live, and in some instances prior to being created or registered, is important for Open DNS Labs to protect users. But it would not be possible to create the algorithms without understanding the initial cases producing such campaigns.
Open DNS Labs analyzed data that measures Google interest of the keyword “buy bitcoins” from Google, changes in the bitcoin prices from Blockchain.info, ransomware infections and detected phishing attacks on bitcoin wallets.
A strong correlation exists between bitcoin’s popularity, its price and bitcoin phishing attacks. It is also evident that ransomware infections do not strongly correlate with bitcoin price while bitcoin wallet phishing campaigns do, meaning the more expensive bitcoin becomes, the more attacks will occur.
Spikes in ransomware infections depend on delivery methods rather than bitcoin’s popularity. Analysis indicates that even when phishing and ransomware campaigns share the same infrastructure, there are different organizations behind them that work independently. It also explains why injecting malicious Adwords ads is the main delivery method of such phishing campaigns.
Image from Shutterstock.