OpenDNS Security Labs has discovered 100 fake bitcoin and blockchain domains that mimic legitimate bitcoin wallets in an attempt to steal credentials.
The domains share a provider with three different names that has used the IP space to sell pornography, false merchandise and phishing sites. The sites, most of which were registered on May 26, continue to pop up, indicating the campaign continues, according to Threatpost . Researchers Trace Connections
OpenDNS Security Labs researchers Dhia Majoub, Artsiom Holub and Jeremiah O’Connor were able to trace connections among name servers, IP addresses and Whois indicators over the past few weeks to determine the campaign’s scope.
An Israeli cloud-based security firm, Cyren, initially came across the campaign in early June by observing the Blockchain.info domain spreading through a pay-per-click advertising scam by Google AdWords. A user tricked into visiting the site and logging in would hand their Blockchain credentials to the attackers.
OpenDNS noticed a phishing attack at Blockchain-wallet.top a day after Cyren posted its research. OpenDNS discovered a site that looks similar to the real Blockchain.info site, also similar to the one Cyren found.
The site that OpenDNS found shares Blockchain’s teal-colored navigation bar and logo and is still active. Google has branded it as a deceptive site and warned users that it still might be in use to get people to reveal personal information. More Suspicious Sites
OpenDNS a few days later found an obfuscated URL Blockchain.com linked to the same IP. Researchers examined the IP and similar IPs. They discovered dozens of suspicious sites, including sites that look like Blockchain-wallet.info and localbitcoins.com.
Bitcoin addresses need to be checked at base58Check-encoded to determine they are genuine.The phishing domains the researchers found rely on typosquatting, which occurs when Internet users input a website address into a browser, make typographical errors, and are relocated.The attackers […]
