Social Engineering In Cryptoeconomics

XcelLab
XcelPay Magazine
3 min read · Aug 2, 2019

This post continues the previous one, which introduced social engineering. It is worth reading that post first, before we explain how social engineering works in cryptoeconomics.

Phishing for Bitcoins

Social engineering attackers are also targeting cryptocurrency.

Researchers at Cisco’s Talos security group have identified a malicious advertising campaign they dub Coinhoarder, which appears to be based out of Ukraine and to have netted about $50 million in the past three years, including $10 million alone in the last three months of 2017.

For this campaign, which began last February, the researchers say attackers purchased Google Adwords to “poison user search results” and direct them to attacker-controlled phishing sites designed to separate them from their cryptocurrency.

“Cisco identified an attack pattern in which the threat actors behind the operation would establish a ‘gateway’ phishing link that would appear in search results among Google Ads,” the Cisco Talos researchers say.

“When searching for crypto-related keywords such as ‘blockchain’ or ‘bitcoin wallet,’ the spoofed links would appear at the top of search results. When clicked, the link would redirect to a ‘lander’ page and serve phishing content in the native language of the geographic region of the victim’s IP address.”

At one point last February, Cisco reports, DNS queries for the gang’s fake cryptocurrency sites exceeded 200,000 per hour. A significant number of them came from Nigeria, Ghana, and Estonia, leading researchers to suggest that the attackers were attempting “to target potential victims [in] African countries and other developing nations where banking can be more difficult, and local currencies much more unstable compared to the digital asset.”

Cisco says it’s been sharing intelligence on the operation with Cyberpolice Ukraine.

DNS queries for “block-clain.info” domain. (Source: Cisco Talos)

Many of the phishing sites use real-looking but fake domain names — referred to as “typosquatting” or brand spoofing — for example featuring a word such as “blockclain” — instead of “blockchain” — in the URL, Cisco says. Such typos could be especially effective on users whose first language is not English or for anyone who’s using a mobile device, researchers say.
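One way a defender could catch the “blockclain”-style lookalikes described above in resolver logs is to compare each queried name against protected brand keywords by edit distance. This is an added example, not code from Cisco Talos or the original post; the allowlist, the distance threshold and every sample name except block-clain.info are assumptions constructed for illustration.

```python
# Added example: flag DNS query names that are near-misses of a protected brand keyword.
# BRANDS maps keyword -> legitimate registered domains (an assumed, hand-kept allowlist).
BRANDS = {"blockchain": {"blockchain.com", "blockchain.info"}}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(qname: str, max_dist: int = 2):
    """Return (brand, distance) when qname imitates a brand, else None."""
    labels = qname.lower().rstrip(".").split(".")
    registered = ".".join(labels[-2:])  # simplification: no public-suffix list
    for brand, legit in BRANDS.items():
        if registered in legit:
            return None  # genuine site or one of its subdomains
        for label in labels[:-1]:  # skip the TLD
            dist = edit_distance(label.replace("-", ""), brand)
            if dist <= max_dist:
                return brand, dist
    return None

def scan(queries):
    """Map each suspicious query name to its (brand, distance) verdict."""
    hits = {}
    for q in queries:
        verdict = classify(q)
        if verdict:
            hits[q] = verdict
    return hits

# Constructed sample of resolver query names; only block-clain.info comes from the article.
SAMPLE = ["www.blockchain.info", "block-clain.info", "blcokchain.example",
          "blockchain.login.example", "example.org"]

if __name__ == "__main__":
    for name, (brand, dist) in scan(SAMPLE).items():
        print(f"{name}: resembles '{brand}' (distance {dist})")
```

Hits are candidates for analyst review rather than verdicts: a distance of 0 means the exact brand keyword appears on a domain outside the allowlist.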

More recently, Cisco Talos reports that attackers have been refining their campaign by making their phishing sites look more legitimate.

“A few months after we began tracking this particular group, we observed them starting to use SSL certs issued by Cloudflare and Let’s Encrypt,” the researchers say.

“SSL certificate abuse has been a rising trend among phishing campaigns in general.” (See also: Darknet Vendors Sell Counterfeit TLS Certificates.)

This is one example of how social engineering can be used in the realm of cryptoeconomics to defraud people of their digital assets. You are advised not to participate in activities that seem malicious.
