For the last month, attackers have used a combination of phishing and typosquatting to carry out a campaign aimed at stealing Bitcoin and blockchain wallet credentials.
More than 100 phony Bitcoin and blockchain domains have been set up so far, many which mimic legitimate Bitcoin wallets. Most of the sites were registered on May 26 and more continue to pop up daily suggesting the campaign is still in the early goings.
Artsiom Holub, Dhia Majoub, and Jeremiah O’Connor, researchers with OpenDNS’ Security Labs, traced connections between IP addresses, name servers and Whois indicators over the last few weeks in order to determine the scope of the campaign.
Cyren, an Israeli cloud-based security firm, spotted the first signs of life from the campaign in early June when it observed the domain blocklchain[.]info spreading through a pay-per-click advertising scam via Google AdWords. If a user was tricked into visiting the site – a replica of the real deal – and actually logged in, they would have handed their Blockchain credentials over to attackers.
A day after Cyren posted its research, OpenDNS went further down the rabbit hole and noticed a phishing attack at blockchain-wallet[.]top. Like the site Cyren found, the one OpenDNS found looks startlingly