How Hackers Made Millions by Phishing Your Bitcoins

The frenzy around cryptocurrencies in 2017 pushed Bitcoin to atmospheric heights, and online criminals pounced.

Owen Lystrup
Shifted
9 min read, Feb 14, 2018


Humble Yet Ambitious Beginnings

The year 2017 witnessed the largest cryptocurrency surge since Bitcoin’s humble yet ambitious beginnings in 2009. If you’ve missed the arrival of cryptocurrency, it’s likely because you might have blinked.

The promise of cryptocurrencies was to bring what some have described as a monetary revolution to the doorstep of big banks. So far they have brought a swift wealth of questionable value, speculators looking to make dividends from easy investments, and criminals looking to capitalize on the novelty of the market and the gullibility of its investors.

Impossible to ignore, however, is the pure hunger people feel for the freedom a new form of currency may provide.


In three years, Bitcoin went from geek oddity to a financial force of reckoning.

During a five-day period in July 2010, the value of Bitcoin — such as it is — increased from a fraction of a penny to eight cents per Bitcoin ($0.08), a 900 percent increase.

It reached parity with the US dollar the following year.

By 2012, the cryptocurrency vendor Bitpay announced more than 1,000 merchants were accepting Bitcoin as payment. The following month, WordPress began taking Bitcoin as well.

The next few years witnessed the creation of more than 30 new currencies, and the price of Bitcoin first doubled, then halved, then doubled again, then halved again, then stabilized at about $600 around the fall of 2016.

But 2017 is when cryptocurrencies really came into their own. Not only did Bitcoin skyrocket to an atmospheric price (from nearly $1,000 in January to just shy of $20,000 per Bitcoin in December), but “altcoins” like Ripple, Dash, NEM, and Monero began to rapidly increase in popularity as well. The entire cryptocurrency market, before the drastic free fall that started right about the turn of the new year, looked like it could not lose. At one point around November, the cryptocurrency market “value” was up more than 1,200 percent.

Criminal activity, though it has always been part of the cryptocurrency market going back to its origins in 2010, also picked up in a big way.

There has been an ongoing siege on cryptocurrency wallets since the early days, and criminals have even begun turning to traditional “real world” methods to steal crypto from investors.

On December 26, 2017, kidnappers abducted Pavel Lerner, a leading analyst and blockchain expert at an exchange company called Exmo. He was set free three days later, after a $1 million ransom was paid. Lerner was fortunately not harmed.

On January 28, 2018, four armed robbers broke into the home of a digital currency day trader in the small village of Moulsford, Oxfordshire, and forced the 31-year-old trader at gunpoint to transfer an untold sum of Bitcoin from his accounts. Luckily, no one was reported harmed during the incident.

Many criminals, however, are sticking to the digital methods for pilfering coins from exchanges, wallet companies and even individual users. One particular group has found it easiest and most lucrative to trick inexperienced users into handing over wallet credentials.

A look at the most notable cryptocurrency thefts going back to 2011. The prevailing trend among the most lucrative thefts has been an outside or inside attacker compromising a hot or cold wallet and transferring the funds to their own. Source: Coindesk, The Guardian, Benzinga, Ars Technica.

An Opportunistic Crime Spree

In February 2017, Jeremiah O’Connor, a senior security researcher at Cisco, began tracking a phishing campaign that aimed to capitalize on a spiking bitcoin price and lure investors into handing over their digital wallet credentials for popular sites like Blockchain[.]info and MyEtherWallet[.]com.

Enlisting the help of other security researchers at Cisco Umbrella, Cisco Talos, and the Ukraine Cyberpolice, O’Connor says the campaign had started growing in both breadth and yield, right as the price of Bitcoin and other cryptocurrencies peaked.

Since his early work, the campaign evolved and progressed into a multimillion-dollar operation, spanning hundreds of phishing domains and potentially thousands of victims. The Ukraine Cyberpolice said in a released statement that they suspect the campaign has been running for multiple years, starting around the end of 2014, and that the attackers may have yielded hundreds of millions in USD during a three-year span.

The soaring price is only one factor driving these attacks, but it adds an interesting dynamic that benefits the attackers. Coins stolen from users appreciate along with the market, so a theft made when Bitcoin is cheap becomes worth far more if the price keeps climbing.


Bitcoin transactions, even those made in a theft, are by their very nature irreversible: once a transaction is complete it cannot be undone. Credit card fraud, by contrast, involves a card or account that is insured by the FDIC and backed by large financial institutions, so fraudulent charges can be easily reversed with a phone call.

Scammers, phishers, and threat actors have not missed this opportunity. Not by a long shot.

The global professional services firm Ernst and Young (EY) issued a report in December 2017 that found an estimated 10 percent of Initial Coin Offering (ICO) funds are stolen as a result of various attacks. Unsurprisingly, EY blames phishing attacks for the majority of losses, calling phishing the “most widely used hacking tool” during the ICO process.

Bitcoin specifically shares the majority of headlines, being the cryptocurrency of choice among investors, but it is by no means the only one under attack. Just weeks ago on January 26, hackers infiltrated one of Japan’s largest crypto wallet companies, Coincheck, and netted $534 million in XEM, a cryptocurrency from the blockchain technology NEM, which stands for New Economy Movement.


In fact, O’Connor says, many attackers have begun moving to so-called altcoins. These Bitcoin alternatives offer attackers fresh opportunities to either make money or hide their proceeds from law enforcement. Currencies like Monero specialize in providing a completely anonymous platform, with high levels of encryption to prevent any tracking of transactions.

The actors behind the WannaCry ransomware, for example, reportedly moved their gains from the attack — few as they might be — to Monero in August 2017.

Phishing the Newbies

Phishing, in particular, has proven to be highly lucrative compared to other forms of crime. O’Connor said he and his colleagues have identified wallets related to this campaign that have yielded as much as $10 million, but the true total is likely much higher.

To track the phishing campaign, O’Connor used a newly patented machine learning model he first developed at OpenDNS — now known as Cisco Umbrella since the company’s acquisition by Cisco in 2016. The model scans a huge swath of domain traffic from a diverse, global dataset — more than 125 billion DNS requests a day from 160 different countries. The model selects newly seen domains and fetches the actual page content. It then applies natural language processing and unsupervised machine learning techniques to classify whether the page is a phishing page. Using positive results from that test, the model then hunts for infrastructure dedicated to phishing.

In February 2017, O’Connor and a colleague on the Cisco Umbrella security research team noticed a large number of phishing domains popping up that were spoofing popular bitcoin wallet companies like Blockchain[.]info and others. Some of the domains in the corpus were also experiencing huge spikes in traffic, a few receiving more than 200,000 requests.

How the Phish Works

Phishing domain that received a huge spike in traffic during the campaign’s peak in February 2017. Source: Cisco Umbrella

Bitcoin phishing is just like any other type of phishing. It starts with a domain that is engineered to look just like a legitimate domain. Instead of Blockchain[.]info, for example, these phishing sites would use something similar enough that an unsuspecting user may not notice the difference, like Blolckchain[.]info or Blockchian[.]com.

In this particular campaign, one of the more interesting techniques was to use Google Ads to lure victims. Searching for “blockchain” or “bitcoin wallet” would bring up a Google results page with an ad that acts as a gateway and points to a domain similar to one of the above examples.

Not paying close attention when clicking a top result, the user is then sent to a “lander” page with the phishing content. The attackers even crafted these phishing pages to serve content in the native language that corresponds to the victim’s IP address.

That last part is important because another aspect of this campaign, O’Connor says, was the countries targeted.

A capture from Investigate, a domain investigation tool that shows the origin countries for requests going to a given domain. In this case, the most requests going to the phishing site blockchalna[.]info originated from Nigeria, Ghana, and Estonia.

Countries with unpredictable currencies or volatile political climates tend to see a lot more interest in cryptocurrencies.

Just look at the Google Trends for altcoin searches in the past 90 days.

Kristov Atlas, a security research professional with the cryptocurrency wallet company Blockchain.info, says the attacks he sees targeting Blockchain customers are coming from Russia, Eastern Europe, and South Asia. His company, Blockchain[.]info, serves about 22 million wallet users, and keeping them safe from phishing is a big concern for Blockchain, as it is at any financial institution.

But it also comes with special challenges.

Cryptocurrency investors get a “radically improved financial freedom,” but it comes with a responsibility that “goes beyond common intuitions about online finance,” Atlas said.

Tracking the Attackers

Using related registrant data, WHOIS info, and other patented features of his model, O’Connor began constructing a map of the entire phishing infrastructure to learn the attackers’ methods.


Shortly after he compiled a list of hundreds of domains involved in the attack, O’Connor said, the attacker began shifting tactics and serving the phishing domains over HTTPS with valid SSL certificates.

SSL certificates are not only trivial to obtain, but they don’t actually vouch for the site or protect the user: a domain-validated certificate proves only that whoever requested it controls that domain name, not that the domain belongs to a legitimate business. When visiting a phishing site, especially on a mobile phone, a user who sees a green lock next to the domain name gets a false sense of security, because an authority appears to have deemed the site legitimate.

O’Connor said attackers are abusing certificate authorities like Cloudflare and Let’s Encrypt more frequently.

They also use homograph techniques built on internationalized domain names (IDNs), which appear nearly identical to a legitimate site in a user’s address bar even though the browser is resolving a completely different punycode-encoded name.

What the browser sees → What the user sees:
xn--blockchan-d5a[.]com → blockchaìn[.]com
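A defender-side way to catch both the typo-style lookalikes described earlier (Blolckchain, Blockchian) and the IDN homograph above is to decode punycode, fold accents and confusable characters, and compare the result against a watch-list of protected brands. The script below is an added example, not code from the article or from Cisco Umbrella; the watch-list, the confusable table and the edit-distance threshold are assumptions chosen for illustration.

```python
# Added example (not from the article): flag domains that imitate a protected
# wallet brand through typos or IDN homographs, for a defender's watch-list.
import unicodedata

# Constructed watch-list; a real deployment would use the defender's own brands.
PROTECTED = ["blockchain.info", "blockchain.com", "myetherwallet.com"]

# Small confusable table (assumption: extend from Unicode TR39 in production).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0456": "i",    # Cyrillic i
                             "\u03bf": "o", "\u0430": "a"})         # Greek o, Cyrillic a

def skeleton(domain: str) -> str:
    """Decode punycode (xn--) labels, strip accents and fold confusables,
    so 'xn--blockchan-d5a.com' (blockchaìn.com) becomes 'blockchain.com'."""
    try:
        decoded = domain.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or not a valid IDN label
        decoded = domain
    decoded = decoded.lower().rstrip(".")
    # NFKD splits 'ì' into 'i' plus a combining grave accent (category Mn).
    stripped = "".join(ch for ch in unicodedata.normalize("NFKD", decoded)
                       if unicodedata.category(ch) != "Mn")
    return stripped.translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, max_distance: int = 2):
    """Return (verdict, brand): 'legit' only for an exact protected domain,
    'lookalike' when the folded name is within max_distance of a brand name."""
    raw = domain.lower().rstrip(".")
    if raw in PROTECTED:
        return "legit", raw
    name = skeleton(raw).split(".")[0]      # the label a user actually reads
    best = min(PROTECTED, key=lambda b: edit_distance(name, b.split(".")[0]))
    if edit_distance(name, best.split(".")[0]) <= max_distance:
        return "lookalike", best            # threshold 2 is loose for short brands
    return "unrelated", None

if __name__ == "__main__":
    for d in ["blockchain.info", "blolckchain.info", "blockchian.com",
              "xn--blockchan-d5a.com", "blockchalna.info", "example.com"]:
        print(f"{d:26} -> {classify(d)}")
```

Run against newly registered domains or certificate-transparency logs, the same check surfaces lookalikes before they receive traffic; the exact-match test is deliberately done on the raw name, so a homograph that folds to a protected brand is still reported as a lookalike.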

Security Is Now a Personal Responsibility

So you Googled “blockchain,” clicked a phishing ad, and entered your credentials. Your cryptocurrency wallet is emptied in moments, with all your funds transferred to some attacker’s wallet before you can do anything to stop it.

What now?

Unfortunately, the same mechanisms that give cryptocurrency users more “financial sovereignty,” also make it nearly impossible to get stolen funds back. In fact, most cases of stolen funds being returned at all were those in which a wallet company had been compromised and reimbursed the user.

Stolen funds are not often reclaimed from the thief.

Atlas says users will likely learn, through training and educational efforts by his company — which he says are integral to the goal — that security is also partially the user’s responsibility.

“I think consumers will be adopting a little more responsibility for digital security in the future, and security savviness will become another life skill,” Atlas said.

But of course, as a security professional, part of his job is to be empathic to the user and help them make the right choice while not overburdening them with too much responsibility.

“There’s room to improve on [the security] front, but the inherent nature of the technology is that it is better to prevent theft rather than recover from it.”

Most wallet companies offer some form of two-factor authentication. Many require it to be set up when an account is created. Some, unfortunately, still offer e-mail and SMS two-factor, both of which have been proven to be severely flawed. Yet, Atlas says, even those would still prevent the “vast majority of current phishing attacks.”

“We try to steer our users to secure their accounts by presenting them with a visible Security Center score in their wallets,” he said. Blockchain[.]info users get a color score, starting out red for insecure accounts, going to green as a user adds additional authentication and security measures.

“Without a good deal of savviness, it can be tough for users to thoroughly secure their wallets against phishing and malware attacks,” Atlas said. “We’re seeing more and more crypto-currency users adopting specialized hardware such as hardware tokens and hardware wallets. In the long run, I see crypto-currencies getting so popular that we’ll see this functionality incorporated into mobile phones.”

To learn more about O’Connor’s work, visit the Cisco Talos blog here.

You can also read more of Kristov Atlas’s thoughts on cryptocurrencies and security here.

Original visuals by Joel Davis.

Digital Content Director for Western Digital.