Washington, DC - Cisco Talos and the Ukrainian Cyberpolice have unearthed a massive Bitcoin phishing scam. Over $50 million worth of Bitcoin is said to have been stolen by Coinhoarder, the group behind it. They were exceedingly clever about it, too. All of this was made possible by typosquatted domains, free SSL certificates and Google AdWords.

The news first came out on Wednesday, February 14, 2018, when Jeremiah O’Connor and Dave Maynor published a post on the Talos blog. Cisco, with the assistance of the Ukrainian Cyberpolice, had been tracking the campaign for over six months.

Here’s what happened

If you’re into Bitcoin trading or mining, you’ll have heard of the website blockchain.info. And if you haven’t, let me tell you that it is one of the most popular providers of cryptocurrency wallets. To deceive blockchain.info users into handing over their details, the group registered lookalike domains that differ from the real one by only a character or two, such as block-clain.info and blockchien.info (the technique is known as typosquatting). The changes are easy to miss, especially when the page behind the domain is a copy of the original. Let’s be honest and admit that most of us wouldn’t notice the difference in the domain name as long as the site looked like the real one. And you know what? Many didn’t.

Here’s a Reddit post from a user who seems to have fallen victim to this Bitcoin phishing scam:

First of all, the login confirmation email stated that there had been a login attempt from an IP address that now appears to be from Brazil, so this means that this person has somehow already accessed my account, with the correct information (wallet ID and my password). It should be noted that this password is unique, and I have not used it at a different site, ever. How could this person have accessed my account with the correct information, minutes after I created it?

Second of all, how did I end up on f*cking bockcheian.info? I have never logged in anywhere else, except for the legit blockchain site.

I can’t seem to make any sense out of it, if anyone could offer some insight, would be much appreciated.

Edit: Also, now when I am on bockcheian.info, my Chrome prevents me from seeing the page, displaying a warning that this site is used for phishing. If only I had gotten this warning an hour ago.

This person is just one of many who entered their wallet details on these spoofed sites and had their wallets emptied. It is estimated that $50 million (#Whoa) worth of Bitcoin has been stolen this way.

Here’s how the hackers (mis)used Google AdWords

Put yourself in the hackers’ shoes for a minute and think about how you could get the maximum number of blockchain.info users to click on your fake blockchien.info site. Well, how about getting your fake site into the first search result on Google for keywords like ‘blockchain’ or ‘bitcoin wallet’? Smart, right? That’s precisely what the Coinhoarder group did. They bought Google AdWords for those keywords so that paid ads pointing at their fake sites appeared above the organic results, where the real blockchain.info would normally sit, and thus duped the maximum number of users.

I certainly don’t want to praise the hackers here (and no one should), but the simplicity with which they fooled users is remarkable, I must say. The numbers bear it out: according to Talos, in February 2017 DNS queries for these fake cryptocurrency sites peaked at 200,000 per hour!

Phishing & Free SSL certificates: The Love affair continues

As web users have grown more security-conscious, they’ve become better at telling fake websites from real ones. Often the first thing they do is check for the ‘Secure’ label or the padlock in front of the URL. That is a reasonable habit, but what most people don’t realize is that “Secure” doesn’t equal safe. The padlock only means the connection is encrypted to whoever controls that domain name; it says nothing about who that is or whether the site is the one you meant to visit. An impostor can hide behind the padlock just as easily as a legitimate site, and with the rise of free SSL certificates we’ve been seeing this a lot.

That’s because a free SSL certificate is so easy to get: anyone, I repeat, anyone who controls a domain can obtain a domain-validated certificate for it in minutes, automatically, with no identity check beyond proving control of the domain. This has been a boon as well as a bane. A large share of the web is now served over HTTPS, and a good part of the credit goes to these free certificate authorities. However, it also opens a can of worms for users and a window of opportunity for cyber-criminals: a typosquatted domain gets its padlock as readily as the real one.

To give you an example, my former colleague, Vince, found that Let’s Encrypt, a free certificate authority, had issued thousands of certificates for domains containing the word ‘PayPal’, most of them used for phishing. He even appealed to Let’s Encrypt to stop issuing certificates for domains that contain ‘PayPal’. Nothing changed: Let’s Encrypt’s stated position is that a CA validates control of a domain, not the content served on it, and that policing phishing is a job for browsers and anti-abuse services.

During this Bitcoin phishing campaign, the hackers moved their sites from HTTP to HTTPS with the help of these free SSL certs so that they’d appear legitimate. The fake page then shows the same padlock as the real blockchain.info. This is how it looks:

[Image: Bitcoin Phishing]

Let’s admit it, this would be pretty easy to fall for.

Final Thoughts

The use of Google AdWords to funnel victims to the fake sites makes this Bitcoin phishing scheme a unique one. However, this is neither the first nor the last time we’ll see the dark side of free SSL certs. With Let’s Encrypt about to introduce wildcard SSL certificates, we can expect an even bigger uptick in phishing attacks; a wildcard also hides the individual hostnames a phisher uses from Certificate Transparency logs, so anyone monitoring for abuse has to watch for lookalike base domains rather than specific phishing hostnames. For users, the padlock is a necessary check, not a sufficient one: a bookmark, or a password manager that refuses to fill credentials on blockchien.info, is what would have saved the Reddit user quoted above.